Thousands of Microsoft SQL Servers (MSSQL) have been found to be infected by a new malware gang, named this new malware gang which is hacking into the servers and installing a crypto-miner, MrbMiner.
The cybercriminal group is so named after one of the domains used by it to host their malware.
The hackers blasted in through the weak password of the SQL Servers and then released the crypto-miner on target systems,
“MrbMiner mining Trojan will carefully hide itself to avoid being discovered by the administrator,” the company said in a blog post earlier this month.
“The Trojan will monitor the task manager process. When the user starts the ‘task manager’ process to view the system, the mining process will immediately exit and delete related files,” .
Researchers discovered the Linux system and ARM system-based mining Trojan files on the FTP File Transfer Protocol) server of the MrbMiner mining Trojan, speculating that MrbMiner has cross-platform attack capabilities.
After a six-month hiatus, the Zeppelin ransomware variant returned in late August, according to Juniper Threats Labs. The malware now uses an updated Trojan downloader to better hide its activities from security tools.
Zeppelin was first spotted in late 2019, when it primarily targeted IT and healthcare firms, according to the report. It’s distributed using the ransomware-as-a-service model.
The ransomware appears to be a variant of another type of crypto-locking malware called Buran, according to Juniper. Buran is a variation of another type of ransomware strain called VegaLocker, according to previous research published by McAfee
In the latest campaign that started in August, the Juniper researchers found that the operators of Zeppelin use the same type of phishing lures as in previous attacks, although they use a new downloader that helps obscure a Trojan for implanting the ransomware code.
Hiding & Attack
A Zeppelin ransomware attack starts when a targeted victim receives a phishing email disguised as an invoice, according to the Juniper report.
The phishing emails are sent with an attached Microsoft Word document, portrayed as an invoice, that hides malicious VBA macros. Once the attachment is opened, the macros are enabled and the initial attack starts, according to the report.
The attached Word document helps obscure what appears to be junk code but actually contains Visual Basic scripts hidden in the text, the report notes. This code is part of an obfuscation technique that helps hide a Trojan that starts the ransomware infection.
Once the malicious macros are enabled, the text is extracted and written to a file at c:wordpressabout1.vbs, according to the report. When the document is closed, a second round of macros runs, which further helps hide the attack.
The second macro string eventually downloads a Trojan that then installs the Zeppelin ransomware within a compromised device. Before it starts working, the malware “sleeps for 26 seconds in an attempt to out-wait dynamic analysis in an automated sandbox and then runs the ransomware executable,” according to the report.
The Juniper report does not shed light on the threat actors behind Zeppelin, but the report and other analyses find that if the ransomware comes across an infected device that has an IP address linked to Russia, Belarus, Kazakhstan or Ukraine, the attack is stopped.
The report notes that it “is difficult to assess how many targeted computers resolved the [command-and-control] domain, but there were only 64 confirmed DNS queries to its authoritative name server, which suggests the attacks might be targeted and not widespread.”
ProLock ransomware were able to deploy a large number of attacks over the past six months, using the standard operating tactic.vaveraging close to one target every day.
Initially started in late 2019, under the name PwndLocker, due to a crypto bug that allowed unlocking the files for free, the operators rebooted the operation with fixing the flaw and renaming the malware to ProLock.
A fresh start in March under the ProLock label also meant increased activity and larger ransoms. Since then, the average figure swelled to $1.8 million.
The threat actor has no preference for its targets or the sector of their activity as long as they are companies with big networks, able to pay a higher ransom. The focus seems to be on businesses in Europe and North America.
The group’s tactics, techniques, and procedures are simple and effective, the partnership with QakBot (QBot) banking trojan allowing them to map the network, move laterally, ultimately deploy the ransomware.
Between the initial compromise and running the file-encryption routine, the actor spends about a month on the network, gathering information for better targeting and exfiltrating data (via Rclone).
Running ProLock on the target network is the last step of the attack, which typically starts with a spear-phishing email containing weaponized VBScripts and Office documents that deliver QakBot, oftentimes via replies in hijacked email threads.
Once on the target host, Qakbot establishes persistence and makes sure that active defenses don’t spot it by modifying Windows Registry to add its binaries on the list of Windows Defender exclusions.
“QakBot also collects a lot of information about the infected host, including the IP address, hostname, domain, and list of installed programs. The threat actor acquires a basic understanding of the network and can plan post-exploitation activities”
With tools like Bloodhound and ADFind, the threat actor profiles the environment to distribute the banking trojan to other hosts on the network. In some cases, this was done manually using PsExec, suggesting a strong connection between ProLock and QakBot operators.
Moving laterally also involved the use of remote desktop (RDP), and when this was not available on a machine, the actor ran the following batch script via PsExec to enable the remote connection:
ProLock’s toolkit includes Mimikatz post-exploitation tool for penetration testers, which is deployed through Cobalt strike software for red team engagements.
The ransomware actor sometimes relies on a vulnerability in Windows (CVE-2019-0859) that enables them to escalate privileges on compromised systems.
The file-encrypting malware lands on the host either via QakBot, downloaded with the Background Intelligent Transfer Service (BITS) from the attacker’s server or by executing a script using Windows Management Instrumentation (WMIC) on a remote host.
Despite using standard tools, ProLock attacks remain largely undetected on the network, giving them time to prepare the file encryption stage and steal data.