Thursday, October 10, 2024
HomeCyber Security NewsTargetCompany Ransomware Deploy Fully Undetectable Malware on SQL Server

TargetCompany Ransomware Deploy Fully Undetectable Malware on SQL Server

Published on

The TargetCompany ransomware (aka Mallox, Fargo, and Tohnichi) is actively targeting the organizations that are using or running vulnerable SQL servers.

Apart from this, recently, the TargetCompany ransomware unveiled a new variant of malware along with several malicious tools for persistence and covert operations that are gaining traction rapidly.

Cybersecurity researchers at Trend Micro discovered a recent active campaign linking Remcos RAT and TargetCompany ransomware and compared to past samples, the new deployments use fully undetectable packers. 

- Advertisement - EHA

The telemetry data and the external hunting sources provided the early samples during development. Meanwhile, researchers identified a victim subjected to this targeted technique.

Ransomware Infection chain

Similar to previous cases, the latest TargetCompany ransomware exploits weak SQL servers for initial stage deployment, aiming for persistence via diverse methods, including altering URLs or paths until Remcos RAT execution succeeds.

Infection Chain (Source – Trend Micro)

After initial attempts were stopped, threat actors turned to FUD-packed binaries. Remcos and TargetCompany ransomware’s FUD packer mirrors BatCloak’s style:-

Batch file outer layer, followed by PowerShell for decoding and LOLBins execution.

PowerShell execution of the Remcos RAT (Source – Trend Micro)

Remarkably, this variant incorporates Metasploit (Meterpreter), which is a surprising move for this group. Their usage is quite interesting, serving purposes like:-

  • Query/Add a local account
  • Deploy GMER
  • Deploy IObit Unlocker
  • Deploy PowerTool (or PowTool)

Later, Remcos RAT proceeds to its last phase, downloading and activating TargetCompany ransomware with FUD packing intact.

Document
FREE Webinar

API Security Fundamentals: How to Discover, Scan and Protect APIs

API Attacks Have Increased by 400% – Understand the Fundamentals of Protecting Your APIs with a Positive Security Model – Register Now for a Free Webinar

FUD Packing

An earlier wave exploiting OneNote caught the attention for its new technique involving PowLoad and CMDFile with actual payload. The ‘cmd x PowerShell loader gained popularity and was eventually adopted by TargetCompany ransomware operators in February 2022.

Activity graph (Source – Trend Micro)

The CMDFiles seemed similar initially, used by malware families like:-

  • AsyncRAT
  • Remcos
  • TargetCompany ransomware

Here the differences arise during execution since the AsyncRAT uses decompression and decryption. While the Remcos and TargetCompany loaders solely decompress the payloads.

The examination of PowerShell-related network links reveals a fresh TargetCompany ransomware variant, linked to the second version with ‘/ap.php’ C&C connection.

With the use of FUD, malware threat actors can prevent or evade the security solutions for this new technique, particularly off-the-shelf tech prone to broader threats.

However, it’s been speculated that more packers could emerge. So, early detection aids in preventing FUD packers due to their unusual coding flow.

Recommendations

Here Below we have mentioned all the recommendations:-

  • Enable firewall protection.
  • Ensure limiting access.
  • Make sure to change the default port.
  • Secure Account Management.
  • Always use strong Passwords.
  • Implement account lockout policies.
  • Frequently review and deactivate the unwanted SQL CLR assemblies.
  • Always encrypt data in transit.
  • Make sure to monitor the SQL server activity.
  • Always keep the system and installed software updated with the latest updates and patches.

IoCs

IoCs (Source – Trend Micro)

Keep informed about the latest Cyber Security News by following us on GoogleNews, Linkedin, Twitter, and Facebook.

Divya
Divya
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Latest articles

Mozilla Warns Of Firefox Zero-Day Actively Exploited In Cyber Attacks

A critical use-after-free vulnerability affecting Firefox and Firefox Extended Support Release (ESR) is being...

SpyCloud Embeds Identity Analytics in Cybercrime Investigations Solution to Accelerate Insider and Supply Chain Risk Analysis & Threat Actor Attribution

IDLink, SpyCloud’s new automated digital identity correlation capability, is now core to its industry-leading...

Abusix and Red Sift Form New Partnership, Leveraging Automation to Mitigate Cyber Attacks

The agreement has marked over 600,000 fraudulent domains for takedown in just two months...

Hackers Exploiting Zero-day Flaw in Qualcomm Chips to Attack Android Users

Hackers exploit a zero-day vulnerability found in Qualcomm chipsets, potentially affecting millions worldwide.The flaw,...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Hackers Exploiting Zero-day Flaw in Qualcomm Chips to Attack Android Users

Hackers exploit a zero-day vulnerability found in Qualcomm chipsets, potentially affecting millions worldwide.The flaw,...

Foxit PDF Reader Vulnerability Let Attackers Execute Arbitary Code

Researchers recently disclosed six new security vulnerabilities across various software, as one critical vulnerability...

Wireshark 4.4.1 Released, What’s new!

Wireshark, the world’s leading network protocol analyzer, has just released version 4.4.1, bringing a...