Hackers Exploiting MS-SQL Severs To Deploy Mallox Ransomware

Information such as financial records, customer information, and intellectual property that may be sold on the black web markets is what MS-SQL servers commonly store. 

In addition, a hacked MS-SQL server can present an entry point into the organization’s network, from where ransomware can be deployed or other malicious activities can be carried out. 

Due to weak passwords, unpatched vulnerabilities, and misconfigurations in MS-SQL installations, threat actors using automated scanning and exploitation tools find them appealing.

Recently, cybersecurity researchers at Sekoi discovered that hackers have been actively exploiting the MS-SQL servers to deploy Malloz ransomware.

Technical Analysis

An MS-SQL honeypot deployed on April 15th was swiftly compromised via brute-force attacking the weak “sa” account from XHost Internet Solution IPs, around 320 attempts per minute.

Free Webinar on Live API Attack Simulation: Book Your Seat | Start protecting your APIs from hackers

Post-intrusion, the attackers leveraged MS-SQL exploits to deploy Mallox ransomware using PureCrypter. 

Investigating Mallox samples revealed two affiliate groups – one exploiting vulnerabilities, the other conducting broader system compromises.

On April 15th at 2:17 pm, exploitation attempts began on the tampered MS-SQL honeypot from AS208091 IPs only hours after the initial “sa” account breach.

When analyzing the logged attacker actions, two different recurring exploitation schemes were revealed. These schemes were likely executed using scripts or tools.

By examining IoCs and TTPs, it was found that 19 out of many attempts identified a pair of separate patterns corresponding to one and the same intrusion set.

The MS-SQL exploitation attempts deployed payloads corresponding to PureCrypter, which downloaded files with random multimedia extensions containing encrypted .NET libraries. 

These libraries were Reflectively loaded, decrypting, and executing the next stage of PureCrypter payload that finally loaded the Mallox ransomware from its resources. 

PureCrypter employs evasion techniques like environment detection, privilege adjustments, and deflating or decrypting embedded resources. 

When PureCrypter failed, the attacker attempted direct Mallox deployment. PureCrypter uses protobuf definitions to store the encrypted Mallox executable under a randomized name like “Ydxhjxwf.exe”.

Mallox is a notorious ransomware-as-a-service (RaaS) operation that distributes multiple variants of the Mallox ransomware, also known as Fargo, TargetCompany, etc. 

It accelerated attacks in late 2022 using double extortion, becoming one of the most distributed ransomware families in early 2023. Mallox operators exploit vulnerabilities in MS-SQL servers, brute-force weak credentials, and leverage phishing for initial access. 

Operated likely by former tier ransomware group members, Mallox transitioned to a RaaS model in mid-2022 with personas like “Mallx” and “RansomR” recruiting Russian-speaking affiliates on forums like RAMP. 

By mid-2022, the Mallox ransomware learned to use the double extortion technique of data exfiltration and publicizing stolen data. It then shifted to specialized negotiation sites on TOR and used a triple extortion strategy, reads the report.

In 2022-2023, Mallox soiled its hands by heavily impacting Asian victims in various fields such as manufacturing and retail, despite claiming to avoid attacking Eastern Europe.

The website for releasing dumped information contained over 35 victims’ names. An analysis showed that MS-SQL gaps were exploited by “maestro” among the employees of Mallox during the initial compromise.

On-Demand Webinar to Secure the Top 3 SME Attack Vectors: Watch for Free