The TargetCompany ransomware (aka Mallox, Fargo, and Tohnichi) is actively targeting organizations that run vulnerable SQL servers.
Apart from this, the TargetCompany ransomware operators recently unveiled a new malware variant along with several malicious tools for persistence and covert operations, and these are rapidly gaining traction.
Cybersecurity researchers at Trend Micro discovered a recent active campaign linking Remcos RAT and TargetCompany ransomware; compared to past samples, the new deployments use fully undetectable (FUD) packers.
Telemetry data and external hunting sources provided the early samples while the campaign was still under development. Meanwhile, researchers identified a victim subjected to this targeted technique.
As in previous cases, the latest TargetCompany ransomware exploits weak SQL servers for the initial deployment stage, aiming for persistence via diverse methods, including altering URLs or paths until Remcos RAT executes successfully.
After the initial attempts were stopped, the threat actors turned to FUD-packed binaries. The FUD packer used for Remcos and TargetCompany ransomware mirrors BatCloak’s style:-
A batch file forms the outer layer, followed by PowerShell for decoding and LOLBin execution.
Remarkably, this variant incorporates Metasploit (Meterpreter), a surprising move for this group. Its usage is notable, serving purposes such as:-
Later, Remcos RAT proceeds to its last phase, downloading and activating TargetCompany ransomware with FUD packing intact.
An earlier wave exploiting OneNote caught attention for a new technique involving PowLoad and a CMDFile carrying the actual payload. The ‘cmd x PowerShell’ loader gained popularity and was eventually adopted by TargetCompany ransomware operators in February 2022.
The CMDFiles initially seemed similar to those used by malware families like:-
The differences arise during execution: AsyncRAT uses both decompression and decryption, while the Remcos and TargetCompany loaders solely decompress their payloads.
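To illustrate the batch-plus-PowerShell loader chain described above, and the decompress-only versus decompress-and-decrypt distinction between the loaders, here is an added triage script (not Trend Micro's or any vendor's detection logic). The stage names, regexes and family labels are this example's own assumptions, and the sample scripts are constructed, non-functional fragments.

```python
import re

# Stage patterns for the 'cmd x PowerShell' loader chain: a batch outer layer that
# launches PowerShell to base64-decode, decompress (and, for some families, decrypt)
# a payload, then runs it through a LOLBin. Regexes and labels are assumptions.
STAGES = {
    "batch_outer_layer": re.compile(r"^\s*@echo off|%~dp0", re.I | re.M),
    "powershell_launch": re.compile(
        r"powershell(\.exe)?\s.*(-e(nc|ncodedcommand)?\b|-nop\b|-w(indowstyle)?\s+hidden|bypass)", re.I),
    "base64_decode": re.compile(r"FromBase64String|-EncodedCommand", re.I),
    "decompress": re.compile(r"GZipStream|DeflateStream|IO\.Compression", re.I),
    "decrypt": re.compile(r"CreateDecryptor|AesManaged|AesCryptoServiceProvider|RijndaelManaged", re.I),
    "lolbin": re.compile(r"\b(rundll32|mshta|regsvr32|certutil|bitsadmin|msbuild)(\.exe)?\b", re.I),
}

def analyze(script: str) -> dict:
    """Flag which loader stages a batch/PowerShell script exhibits and hint at the family style."""
    stages = {name: bool(rx.search(script)) for name, rx in STAGES.items()}
    # The full chain needs the batch wrapper, a PowerShell launch, decoding and decompression.
    chain = (stages["batch_outer_layer"] and stages["powershell_launch"]
             and stages["base64_decode"] and stages["decompress"])
    if not chain:
        hint = "none"
    elif stages["decrypt"]:
        hint = "decompress+decrypt (AsyncRAT-style)"
    else:
        hint = "decompress-only (Remcos/TargetCompany-style)"
    return {"stages": stages, "loader_chain": chain, "family_hint": hint}

# Constructed, deliberately incomplete samples ('...' stands for omitted code).
DECOMPRESS_ONLY = r"""@echo off
set p=%~dp0
powershell -nop -w hidden -c "$d=[Convert]::FromBase64String((gc '%p%a.txt'));$g=New-Object IO.Compression.GZipStream(...)"
rundll32 %p%s.dll,Start"""

DECOMPRESS_DECRYPT = r"""@echo off
powershell -nop -w hidden -c "$d=[Convert]::FromBase64String($b);$a=New-Object Security.Cryptography.AesManaged;$t=$a.CreateDecryptor();$g=New-Object IO.Compression.GZipStream(...)"
mshta %~dp0x.hta"""

BENIGN = "@echo off\nset p=%~dp0\npowershell -nop -c Get-Date\n"

if __name__ == "__main__":
    for label, s in (("sample1", DECOMPRESS_ONLY), ("sample2", DECOMPRESS_DECRYPT), ("benign", BENIGN)):
        print(label, analyze(s)["family_hint"])
```

A benign batch file that merely calls PowerShell never completes the chain, so the stage-combination check, not any single keyword, is what separates the loader pattern from ordinary admin scripts.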
Examining the PowerShell-related network connections reveals a fresh TargetCompany ransomware variant, linked to the second version through its ‘/ap.php’ C&C connection.
By using FUD packers with this new technique, threat actors can evade security solutions, particularly off-the-shelf products that are exposed to broader threats.
However, it is speculated that more packers could emerge, so early detection is key: FUD packers can be caught because of their unusual coding flow.
Below we have listed all the recommendations:-