TargetCompany (Mallox, FARGO) – Threat Actor

Overview

Common targets

Worldwide victims, across multiple industries, including manufacturing, professional and legal services, and wholesale and retail.

Attack Vectors

The group targets unsecured MS-SQL servers to infiltrate a network.

How they operate

Initial Access

Since its emergence in 2021, the Mallox group has maintained the same approach to gaining initial access: targeting unsecured MS-SQL servers to infiltrate networks. These attacks begin with a dictionary brute force attack, trying a list of known or commonly used passwords against the MS-SQL servers. Once they successfully log into the SA account, they install the Remcos RAT.

Four hours after the initial infection, the threat actors use Remcos RAT to install additional malware that adds remote control functionality.

After gaining access, the attackers use command line and PowerShell to download the Mallox ransomware payload from a remote server. The command line performs the following actions:

Downloads the ransomware payload from: hxxp://80.66.75[.]36/aRX.exe and saves it as tzt.exe
Runs a PowerShell script named updt.ps1

The payload then performs the following actions:

Downloads another file named system.bat and saves it as tzt.bat

The tzt.bat file creates a user named SystemHelp and enables the remote desktop (RDP) protocol

Executes the ransomware payload tzt.exe using Windows Management Instrumentation (WMI)

Ransomware Execution

Before encryption begins, the ransomware payload attempts several actions to ensure successful execution:

Attempts to stop and remove SQL-related services using sc.exe and net.exe, allowing the ransomware to access and encrypt the victim’s file data.

Attempts to delete volume shadows, making it harder to restore files once they are encrypted.

Attempts to clear the application, security, setup, and system event logs using Microsoft’s wevtutil command line utility to thwart detection and forensic analysis efforts.

Modifies file permissions using the Windows built-in takeown.exe command, denying access to cmd.exe and other key system processes.

Prevents the system administrator from manually loading the System Image Recovery feature using bcdedit.exe.

Attempts to terminate security-related processes and services using taskkill.exe to evade security solutions.

Attempts to bypass the Raccine anti-ransomware product, if present, by deleting its registry key.

Mallox leaves a ransom note in every directory on the victim’s drive. This ransom note explains the infection and provides contact information.

Mitigation

Mitigation Methods :

• Patch and Update Systems Regularly
  
• Implement Strong Access Controls and Multi-Factor Authentication (MFA)
  
• Backup Data Regularly and Store Backups Securely Offline
  
• Deploy Endpoint Protection with Antivirus and Anti-Malware
  
• Segment Networks and Restrict Access Based on User Roles
  
• Use Email and Web Filtering to Block Malicious Content
  
• Conduct Cybersecurity Training for Employees
  
• Develop and Test an Incident Response Plan
  
• Implement Logging and Monitoring Solutions
  
• Encrypt Sensitive Data at Rest and in Transit
  
• Apply Security Patches Promptly for Known Vulnerabilities
  
• Use Behavioral Analysis to Detect Ransomware Activity
  
• Subscribe to Threat Intelligence Services
  
• Limit User Permissions and Administrative Privileges
  
• Consider Cyber Insurance Coverage

References:

• Threat Group Assessment: Mallox Ransomware
• Analysis of TargetCompany’s Attacks Against MS-SQL Servers (Mallox, BlueSky Ransomware)
• Decrypted: TargetCompany Ransomware
• OODA: X-Ops Takes On Burgeoning SQL Server Attacks
• FARGO Ransomware (Mallox) Being Distributed to Unsecured MS-SQL Servers
• Mallox Ransomware
• Mallox Ransomware showing signs of Increased Activity
• A Victim of Mallox Ransomware: How Truesec CSIRT Fought Back
• Mallox affiliate leverages PureCrypter in MS-SQL exploitation campaigns
• TargetCompany’s Linux Variant Targets ESXi Environments
• Interview with Mallox ransomware group