A recent MS-SQL honeypot incident highlighted the sophisticated strategies used by cybercriminals deploying the Mallox ransomware.
The honeypot, set up by the Sekoia researchers, was targeted by an intrusion set employing brute-force techniques to deploy the Mallox ransomware via PureCrypter, exploiting multiple MS-SQL vulnerabilities.
Upon analysing Mallox samples, the researchers detected two different affiliates that had different goals: one was more interested in taking advantage of vulnerabilities in the system, while the other sought larger-scale breaches of information systems.
The attack succeeded within an hour of the honeypot's deployment.
Throughout the monitoring period, the attacker kept up the brute-forcing, displaying an intense effort.
Exploitation attempts were also observed, and certain patterns emerged.
The attacker used a number of techniques, including enabling specific SQL Server options, building assemblies, and using Ole Automation Procedures and xp_cmdshell to execute commands.
The payloads were linked to a .NET loader called PureCrypter, which in turn launched the Mallox ransomware.
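As an added example that is not part of the article or the Sekoia report, the script below shows the defender's side of the chain just described: it scans SQL Server ERRORLOG lines for repeated failed logins from a single client and for the server options that chain depends on being switched on. The log lines, client addresses, option list and threshold are constructed for illustration; the message formats follow SQL Server's own failed-login (error 18456) and sp_configure notices.

```python
import re
from collections import Counter

# Constructed sample ERRORLOG excerpt (not real telemetry): a burst of
# failed 'sa' logins from one client, one unrelated failure, then the
# configuration changes an attacker needs before xp_cmdshell/OLE use.
SAMPLE_LOG = """\
2024-05-01 10:00:01.10 Logon  Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2024-05-01 10:00:01.45 Logon  Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2024-05-01 10:00:02.02 Logon  Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2024-05-01 10:00:02.77 Logon  Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2024-05-01 10:00:03.31 Logon  Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2024-05-01 10:05:00.00 Logon  Login failed for user 'app_user'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.15]
2024-05-01 10:41:12.90 spid55 Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-05-01 10:41:13.02 spid55 Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-05-01 10:41:13.15 spid55 Configuration option 'Ole Automation Procedures' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-05-01 10:41:13.30 spid55 Configuration option 'clr enabled' changed from 0 to 1. Run the RECONFIGURE statement to install.
"""

FAILED_LOGIN = re.compile(
    r"Login failed for user '(?P<user>[^']+)'.*\[CLIENT: (?P<ip>[^\]]+)\]")
CONFIG_CHANGE = re.compile(
    r"Configuration option '(?P<opt>[^']+)' changed from (?P<old>\d+) to (?P<new>\d+)")

# Options the described chain turns on (xp_cmdshell, OLE Automation, CLR
# for assembly loading). Any change to 1 is worth an alert on a server
# that does not need them.
RISKY_OPTIONS = {"xp_cmdshell", "Ole Automation Procedures", "clr enabled"}

def detect(log_text, login_threshold=5):
    """Return brute-force suspects (client IP -> failures at or above
    login_threshold) and the risky options that were enabled, in order."""
    failures = Counter()
    risky_enabled = []
    for line in log_text.splitlines():
        m = FAILED_LOGIN.search(line)
        if m:
            failures[m["ip"]] += 1
            continue
        m = CONFIG_CHANGE.search(line)
        if m and m["opt"] in RISKY_OPTIONS and m["new"] == "1":
            risky_enabled.append(m["opt"])
    brute_force = {ip: n for ip, n in failures.items() if n >= login_threshold}
    return {"brute_force": brute_force, "risky_options_enabled": risky_enabled}

if __name__ == "__main__":
    print(detect(SAMPLE_LOG))
```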
A threat actor going by the identity PureCoder sells PureCrypter as Malware-as-a-Service.
It uses a number of techniques to evade detection and analysis.
Active since at least June 2021, the Mallox group is a Malware-as-a-Service organisation that spreads ransomware bearing the same name.
The gang employs a double extortion tactic, encrypting victims' data and threatening to leak what was stolen.
The research also emphasises the role of affiliates in the Mallox network, focusing on affiliates with distinct tactics and ransom demands, including Maestro, Vampire, and Hiervos.
The research casts suspicion on AS208091, the hosting provider Xhost Internet, which has previously been linked to ransomware activities.
This Cyber News was published on www.cysecurity.news. Publication date: Tue, 14 May 2024 15:43:05 +0000