Mallox Ransomware deployed exploiting SQL Honeypots

Mallox Ransomware deployed exploiting SQL Honeypots


Researchers have identified that Mallox ransomware has been deployed using MS-SQL honeypot with sophisticated tactics employed by cyber-attackers.

The honeypot was targeted by an intrusion set utilizing brute-force techniques to deploy the Mallox ransomware via PureCrypter, exploiting various MS-SQL vulnerabilities.

Upon analyzing, the researchers identified two distinct affiliates using different approaches. One focused on exploiting vulnerable assets, while the other aimed at broader compromises of information systems on a larger scale.

Advertisements

Initial access to the MS-SQL server occurred through a brute-force attack targeting the “sa” account that got compromised within a shorter time frame. The attacker persisted in brute-forcing throughout the observation period, indicating a determined effort.

The attacker leveraged various techniques, including enabling specific parameters, creating assemblies, and executing commands via xp_cmdshell and Ole Automation Procedures.

The payloads corresponded to PureCrypter, which subsequently executed the Mallox ransomware. PureCrypter, sold as a Malware-as-a-Service by a threat actor operating under the alias PureCoder, employs various evasion techniques to avoid detection and analysis.

Advertisements

The Mallox group, a Ransomware-as-a-Service operation distributing the namesake ransomware, has been active since at least June 2021. The group utilizes a double extortion strategy, threatening to publish stolen data in addition to encrypting it.

The research also highlights the role of affiliates in the Mallox operation, particularly focusing on users such as Maestro, Vampire, and Hiervos, who exhibit different tactics and ransom demands.

This research was documented by researchers from Sekoia

Indicators of Compromise

Comments

No comments yet. Why don’t you start the discussion?

    Leave a Reply

    This site uses Akismet to reduce spam. Learn how your comment data is processed.