Wednesday, December 18, 2024
HomeCyber Security NewsTargetCompany Ransomware Deploy Fully Undetectable Malware on SQL Server

TargetCompany Ransomware Deploy Fully Undetectable Malware on SQL Server

Published on

SIEM as a Service

The TargetCompany ransomware (aka Mallox, Fargo, and Tohnichi) is actively targeting the organizations that are using or running vulnerable SQL servers.

Apart from this, recently, the TargetCompany ransomware unveiled a new variant of malware along with several malicious tools for persistence and covert operations that are gaining traction rapidly.

Cybersecurity researchers at Trend Micro discovered a recent active campaign linking Remcos RAT and TargetCompany ransomware and compared to past samples, the new deployments use fully undetectable packers. 

- Advertisement - SIEM as a Service

The telemetry data and the external hunting sources provided the early samples during development. Meanwhile, researchers identified a victim subjected to this targeted technique.

Ransomware Infection chain

Similar to previous cases, the latest TargetCompany ransomware exploits weak SQL servers for initial stage deployment, aiming for persistence via diverse methods, including altering URLs or paths until Remcos RAT execution succeeds.

Infection Chain (Source – Trend Micro)

After initial attempts were stopped, threat actors turned to FUD-packed binaries. Remcos and TargetCompany ransomware’s FUD packer mirrors BatCloak’s style:-

Batch file outer layer, followed by PowerShell for decoding and LOLBins execution.

PowerShell execution of the Remcos RAT (Source – Trend Micro)

Remarkably, this variant incorporates Metasploit (Meterpreter), which is a surprising move for this group. Their usage is quite interesting, serving purposes like:-

  • Query/Add a local account
  • Deploy GMER
  • Deploy IObit Unlocker
  • Deploy PowerTool (or PowTool)

Later, Remcos RAT proceeds to its last phase, downloading and activating TargetCompany ransomware with FUD packing intact.

Document
FREE Webinar

API Security Fundamentals: How to Discover, Scan and Protect APIs

API Attacks Have Increased by 400% – Understand the Fundamentals of Protecting Your APIs with a Positive Security Model – Register Now for a Free Webinar

FUD Packing

An earlier wave exploiting OneNote caught the attention for its new technique involving PowLoad and CMDFile with actual payload. The ‘cmd x PowerShell loader gained popularity and was eventually adopted by TargetCompany ransomware operators in February 2022.

Activity graph (Source – Trend Micro)

The CMDFiles seemed similar initially, used by malware families like:-

  • AsyncRAT
  • Remcos
  • TargetCompany ransomware

Here the differences arise during execution since the AsyncRAT uses decompression and decryption. While the Remcos and TargetCompany loaders solely decompress the payloads.

The examination of PowerShell-related network links reveals a fresh TargetCompany ransomware variant, linked to the second version with ‘/ap.php’ C&C connection.

With the use of FUD, malware threat actors can prevent or evade the security solutions for this new technique, particularly off-the-shelf tech prone to broader threats.

However, it’s been speculated that more packers could emerge. So, early detection aids in preventing FUD packers due to their unusual coding flow.

Recommendations

Here Below we have mentioned all the recommendations:-

  • Enable firewall protection.
  • Ensure limiting access.
  • Make sure to change the default port.
  • Secure Account Management.
  • Always use strong Passwords.
  • Implement account lockout policies.
  • Frequently review and deactivate the unwanted SQL CLR assemblies.
  • Always encrypt data in transit.
  • Make sure to monitor the SQL server activity.
  • Always keep the system and installed software updated with the latest updates and patches.

IoCs

IoCs (Source – Trend Micro)

Keep informed about the latest Cyber Security News by following us on GoogleNews, Linkedin, Twitter, and Facebook.

Divya
Divya
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Latest articles

New VIPKeyLogger Via Weaponized Office Documenrs Steals Login Credentials

The VIPKeyLogger infostealer, exhibiting similarities to the Snake Keylogger, is actively circulating through phishing...

INTERPOL Urges to End ‘Pig Butchering’ & Replaces With “Romance Baiting”

INTERPOL has called for the term "romance baiting" to replace "pig butchering," a phrase...

New I2PRAT Malware Using encrypted peer-to-peer communication to Evade Detections

Cybersecurity experts are sounding the alarm over a new strain of malware dubbed "I2PRAT,"...

Earth Koshchei Employs RDP Relay, Rogue RDP server in Server Attacks

 A new cyber campaign by the advanced persistent threat (APT) group Earth Koshchei has...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

New VIPKeyLogger Via Weaponized Office Documenrs Steals Login Credentials

The VIPKeyLogger infostealer, exhibiting similarities to the Snake Keylogger, is actively circulating through phishing...

INTERPOL Urges to End ‘Pig Butchering’ & Replaces With “Romance Baiting”

INTERPOL has called for the term "romance baiting" to replace "pig butchering," a phrase...

New I2PRAT Malware Using encrypted peer-to-peer communication to Evade Detections

Cybersecurity experts are sounding the alarm over a new strain of malware dubbed "I2PRAT,"...