Researchers have observed Mallox ransomware being deployed against an MS-SQL (Microsoft SQL Server) honeypot, giving a detailed view of how the affiliates behind these campaigns gain access and execute their payloads.
The research team stood up a honeypot that was targeted by an intrusion set which brute-forced its way into the exposed SQL Server instance, abused built-in server features to run commands, and delivered the Mallox ransomware through the PureCrypter loader.
According to the investigation, two distinct affiliates used different approaches: the first focused on exploiting vulnerable assets, while the other aimed at a broader compromise of the victim's information systems.
The researchers explained that the first attacker obtained initial access to the MS-SQL server by brute-forcing the "sa" account (the built-in system administrator login), compromising the honeypot within an hour of its deployment. The attacker kept brute-forcing the server throughout the monitoring period, indicating a persistent, dedicated operation.
Once authenticated, the Mallox operators ran a series of post-exploitation steps against the server. These included enabling specific server configuration options, creating CLR assemblies, and executing operating-system commands through xp_cmdshell and the Ole Automation Procedures (sp_OACreate and related procedures), all of which are standard SQL Server features that are disabled by default but can be switched on by any sysadmin login.
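As an added illustration (this is not code from the article or from the researchers' report), the T-SQL below shows what enabling xp_cmdshell and the Ole Automation Procedures looks like from the attacker's side, followed by the queries a defender would run to spot those settings, user-defined CLR assemblies, and an sa login still exposed to brute force. The `whoami` command and the hardening steps at the end are assumptions for illustration; the article does not give the exact commands the attackers ran.

```sql
-- Added example, not from the original article or the research team's report.
-- Part 1: what an attacker runs once authenticated as "sa" (or any sysadmin)
-- to turn on the features the article names. Shown so the sequence is
-- recognisable in query logs; do not run this on a production server.

-- Expose advanced configuration options so the next two can be changed.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;

-- Enable OS command execution from T-SQL.
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;

-- Enable OLE Automation procedures (sp_OACreate and friends), a second route
-- to the file system and to WScript.Shell if xp_cmdshell is blocked.
EXEC sp_configure 'Ole Automation Procedures', 1;
RECONFIGURE;

-- Command execution via xp_cmdshell. 'whoami' is an assumed placeholder;
-- in the campaign described, the real command fetched a .NET loader.
EXEC xp_cmdshell 'whoami';

-- The same result via OLE automation: instantiate WScript.Shell and call Run.
DECLARE @shell INT;
EXEC sp_OACreate 'WScript.Shell', @shell OUTPUT;
EXEC sp_OAMethod @shell, 'Run', NULL, 'cmd.exe /c whoami';
EXEC sp_OADestroy @shell;

-- Part 2: what a defender checks (instance-wide settings).
-- Any of these with value_in_use = 1 on a server with no business need
-- for them is a finding worth investigating.
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'Ole Automation Procedures',
               'clr enabled', 'show advanced options');

-- "Building assemblies" in the article refers to loading user-defined CLR
-- assemblies. sys.assemblies is per database, so run this in each one;
-- anything with a permission set other than SAFE deserves a close look.
SELECT DB_NAME() AS db, name, permission_set_desc, create_date
FROM sys.assemblies
WHERE is_user_defined = 1;

-- Is the sa login still enabled and therefore a brute-force target?
-- sa always has SID 0x01, even if it has been renamed.
SELECT name, is_disabled, is_policy_checked, is_expiration_checked
FROM sys.sql_logins
WHERE sid = 0x01;

-- Part 3: hardening (assumed steps). Disable the features and the sa login,
-- after confirming that another sysadmin login exists.
EXEC sp_configure 'xp_cmdshell', 0;
EXEC sp_configure 'Ole Automation Procedures', 0;
RECONFIGURE;
ALTER LOGIN sa DISABLE;
```

Note that sp_configure changes and the sp_OA* calls are themselves good detection signals: they are rare on a healthy production instance, so alerting on `sp_configure 'xp_cmdshell', 1` or on any `sp_OACreate` call in SQL Audit or Extended Events output catches this stage of the intrusion before the loader runs.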
Additionally, the payloads delivered by these actors were identified as PureCrypter, a .NET loader that decrypted and executed the Mallox ransomware in memory. PureCrypter is sold as malware-as-a-service and uses multiple evasion techniques to bypass detection and hinder analysis.
Mallox itself is a ransomware-as-a-service operation that has been active since 2021. The gang relies on double extortion: data is stolen before the files are encrypted, and the victim is then threatened with publication of that data on top of the encryption itself.
The researchers emphasise the role of affiliates in the Mallox operation, since it is these affiliates who conduct the intrusions with their own tooling and tradecraft and who handle the ransom demands. The investigation also raises questions about the hosting company Xhost Internet, linked to AS208091, which has previously been associated with ransomware activity.
Still, there is no firm evidence tying that provider to these activities: the operators' involvement in earlier ransomware compromises, and how long the IP addresses in question have been under observation, remain unconfirmed.
The researchers plan to continue monitoring and investigating these intrusions in order to attribute the campaign to a specific cybercriminal group with greater confidence.