A recent incident involving an MS-SQL honeypot has shed light on the sophisticated tactics employed by cyber-attackers relying on Mallox ransomware.
The honeypot, set up by the Sekoia research team, was targeted by an intrusion set utilizing brute-force techniques to deploy the Mallox ransomware via PureCrypter, exploiting various MS-SQL vulnerabilities.
Upon analyzing Mallox samples, the researchers identified two distinct affiliates using different approaches.
One focused on exploiting vulnerable assets, while the other aimed at broader compromises of information systems on a larger scale.
The attacker persisted in brute-forcing throughout the observation period, indicating a determined effort.
Exploitation attempts were observed, with distinct patterns identified.
The attacker leveraged various techniques, including enabling specific parameters, creating assemblies and executing commands via xp cmdshell and Ole Automation Procedures.
The payloads corresponded to PureCrypter, a loader developed in.
NET, which subsequently executed the Mallox ransomware.
PureCrypter, sold as a Malware-as-a-Service by a threat actor operating under the alias PureCoder, employs various evasion techniques to avoid detection and analysis.
The Mallox group, a Ransomware-as-a-Service operation distributing the namesake ransomware, has been active since at least June 2021.
The group utilizes a double extortion strategy, threatening to publish stolen data in addition to encrypting it.
The research also highlights the role of affiliates in the Mallox operation, particularly focusing on users such as Maestro, Vampire and Hiervos, who exhibit different tactics and ransom demands.
The research raises suspicions regarding the hosting company Xhost Internet, linked to AS208091, which has been associated with ransomware activity in the past.
This Cyber News was published on www.infosecurity-magazine.com. Publication date: Mon, 13 May 2024 15:30:16 +0000