Researchers warn about a spike in attacks against poorly secured Microsoft SQL (MSSQL) Servers by a dual-ransomware gang known as Mallox. Security firm Palo Alto Networks reports a 174% increase in the number of Mallox attacks this year compared to the last half of 2022.
“The Mallox ransomware group claims hundreds of victims,” the Palo Alto researchers said in a report. “While the actual number of victims remains unknown, our telemetry indicates dozens of potential victims worldwide, across multiple industries, including manufacturing, professional and legal services, and wholesale and retail.”
MSSQL as a point of entry for ransomware attacks
The Mallox gang typically breaks into networks by compromising publicly exposed MSSQL servers that have weak credentials. The group’s favored method is a dictionary-based brute-force attack that works through a list of known or commonly used passwords. Once inside, the attackers run a command-line script and a PowerShell script that pull down additional scripts, and eventually the Mallox payload, from a remote server and execute them on the system. Some of these files include updt.ps1, system.bat, and tzt.exe.
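The initial-access stage above leaves a very recognisable trail in the SQL Server error log: a burst of failed logins from one client address, often cycling through a handful of account names, followed by a success. The following detector is an added example, not code from the Palo Alto report. It parses the line format SQL Server writes to its ERRORLOG for failed and successful logins and flags any client address with a burst of failures; the log excerpt, the five-failures-in-five-minutes threshold and the IP addresses (203.0.113.0/24 is a documentation range) are all constructed assumptions.

```python
"""Spot dictionary-style brute forcing against an exposed MSSQL instance.

Added example, not from the Palo Alto report. Log lines, threshold, window and
addresses are constructed assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed ERRORLOG excerpt: one source hammers 'sa' and 'admin' and then
# gets in; a second source has a single, ordinary failed login.
SAMPLE_ERRORLOG = """\
2023-07-20 10:00:01.12 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-07-20 10:00:01.40 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-07-20 10:00:02.05 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.5]
2023-07-20 10:00:02.77 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-07-20 10:00:03.10 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.5]
2023-07-20 10:00:03.88 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-07-20 10:03:15.00 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.5]
2023-07-20 10:05:00.00 Logon       Login failed for user 'reportuser'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.8]
"""

# Timestamp, outcome, login name and the client address SQL Server appends to every logon message.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+"
    r"Login (?P<result>failed|succeeded) for user '(?P<user>[^']*)'.*\[CLIENT: (?P<ip>[^\]]+)\]"
)


def parse_logon_events(text):
    """Turn ERRORLOG text into a list of dicts; lines that are not logon messages are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "ok": m["result"] == "succeeded",
            "user": m["user"],
            "ip": m["ip"],
        })
    return events


def find_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: summary} for every client address with >= threshold failures
    inside any sliding window, noting whether a success followed the burst
    (the case that matters most: a guessed credential that worked)."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        failures = [e for e in evs if not e["ok"]]
        start = 0
        for end in range(len(failures)):
            # Advance the window start until the span fits inside `window`.
            while failures[end]["ts"] - failures[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                last_fail = failures[end]["ts"]
                findings[ip] = {
                    "failures": len(failures),
                    "users": sorted({e["user"] for e in failures}),
                    "success_after_burst": any(e["ok"] and e["ts"] >= last_fail for e in evs),
                }
                break
    return findings


if __name__ == "__main__":
    for ip, summary in find_bruteforce(parse_logon_events(SAMPLE_ERRORLOG)).items():
        print(ip, summary)
```

On a real server the same log lines are also available as Windows Application-log event 18456, so the parser can be pointed at either source; the threshold should be tuned to the server's normal failed-login rate, and a `success_after_burst` of True is the finding to treat as a likely compromise rather than just noise.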
The system.bat script, which gets renamed to tzt.bat, creates a user account named SystemHelp and enables Remote Desktop Protocol (RDP) access for it. This gives the attackers an alternative way of connecting to the machine.
The tzt.exe file, which is the Mallox payload, is executed using Windows Management Instrumentation (WMI), and it attempts to disable and remove the legitimate sc.exe and net.exe processes. It then tries to delete Volume Shadow Copies to prevent data recovery and uses Microsoft’s wevtutil command-line utility to clear the application, security, and system event logs to hinder forensic analysis. Additional routines terminate processes and services associated with security products to evade detection, bypass the Raccine anti-ransomware program, and prevent system administrators from loading the System Image Recovery feature via bcdedit.exe.
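Each step in the previous two paragraphs (the account creation and RDP enablement from system.bat, then the shadow-copy deletion, log clearing and recovery tampering by the payload) shows up as a distinct process-creation event, and the value for a defender lies in correlating them per host rather than alerting on any one of them. The rule set below is an added example, not code from the Palo Alto report. Events use Sysmon Event ID 1 field names (Computer, Image, ParentImage, CommandLine); the hosts, paths and command lines in SAMPLE_EVENTS are constructed, and the regex patterns are my assumptions about how each listed behaviour appears on the command line, including a shell spawned directly by sqlservr.exe, which is how a post-brute-force script launch would look.

```python
"""Flag the post-compromise actions described above in process-creation telemetry.

Added example, not from the Palo Alto report. Field names mirror Sysmon Event
ID 1; hosts, paths and command lines are constructed; rule patterns are assumptions.
"""
import re

# (rule name, regex over the lowercased command line, optional regex over the lowercased parent image)
RULES = [
    ("sqlserver_spawns_shell", r"(powershell|cmd)\.exe", r"sqlservr\.exe"),
    ("local_account_created", r"\bnet1?(\.exe)?\s+user\s+\S+\s+\S+\s+/add\b", None),
    ("rdp_enabled", r"(fdenytsconnections\b.*\b0\b|localgroup\s+\"?remote desktop users\"?.*/add)", None),
    ("shadow_copies_deleted", r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", None),
    ("event_logs_cleared", r"wevtutil(\.exe)?\s+(cl|clear-log)\s+(application|security|system)\b", None),
    ("recovery_disabled", r"bcdedit(\.exe)?\s+/set\b.*recoveryenabled\s+no\b", None),
]

# Constructed sample: the chain from the article on SQL01, plus two benign
# look-alikes on FILE02 (listing shadows and querying a log are routine admin work).
CMD = r"C:\Windows\System32\cmd.exe"
SAMPLE_EVENTS = [
    {"Computer": "SQL01", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\sqlservr.exe",
     "CommandLine": r"powershell.exe -File C:\Windows\Temp\updt.ps1"},
    {"Computer": "SQL01", "Image": r"C:\Windows\System32\net.exe", "ParentImage": CMD,
     "CommandLine": "net user SystemHelp Placeholder123 /add"},
    {"Computer": "SQL01", "Image": r"C:\Windows\System32\reg.exe", "ParentImage": CMD,
     "CommandLine": r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f'},
    {"Computer": "SQL01", "Image": r"C:\Windows\System32\vssadmin.exe", "ParentImage": CMD,
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"Computer": "SQL01", "Image": r"C:\Windows\System32\wevtutil.exe", "ParentImage": CMD,
     "CommandLine": "wevtutil.exe cl Security"},
    {"Computer": "SQL01", "Image": r"C:\Windows\System32\bcdedit.exe", "ParentImage": CMD,
     "CommandLine": "bcdedit.exe /set {default} recoveryenabled No"},
    {"Computer": "FILE02", "Image": r"C:\Windows\System32\vssadmin.exe", "ParentImage": CMD,
     "CommandLine": "vssadmin.exe list shadows"},
    {"Computer": "FILE02", "Image": r"C:\Windows\System32\wevtutil.exe", "ParentImage": CMD,
     "CommandLine": "wevtutil.exe qe Application /c:5"},
]


def evaluate(events):
    """Return (Computer, rule name, CommandLine) for every rule an event trips."""
    hits = []
    for ev in events:
        cmd = ev["CommandLine"].lower()
        parent = ev.get("ParentImage", "").lower()
        for name, cmd_re, parent_re in RULES:
            if re.search(cmd_re, cmd) and (parent_re is None or re.search(parent_re, parent)):
                hits.append((ev["Computer"], name, ev["CommandLine"]))
    return hits


def score_hosts(hits, min_rules=3):
    """Hosts that tripped at least min_rules distinct rules: the chain, not a one-off."""
    per_host = {}
    for host, name, _ in hits:
        per_host.setdefault(host, set()).add(name)
    return {h: sorted(names) for h, names in per_host.items() if len(names) >= min_rules}


if __name__ == "__main__":
    for host, rules in score_hosts(evaluate(SAMPLE_EVENTS)).items():
        print(host, rules)
```

The per-host scoring is the point: `local_account_created` or `event_logs_cleared` on their own are routine on many fleets, but a database server that trips several of these rules in a short span matches the sequence the article describes and is worth isolating before the encryption stage runs.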
The Mallox sample analyzed by Palo Alto Networks encrypted files using the ChaCha20 algorithm and appended the .malox extension to the encrypted files. However, the attackers have used other file extensions in the past, including .FARGO3, .exploit, .avast, .bitenc, and .xollam, as well as the victims’ names.