The TargetCompany ransomware (aka Mallox, Fargo, and Tohnichi) is actively targeting the organizations that are using or running vulnerable SQL servers.
Apart from this, recently, the TargetCompany ransomware unveiled a new variant of malware along with several malicious tools for persistence and covert operations that are gaining traction rapidly.
Cybersecurity researchers at Trend Micro discovered a recent active campaign linking Remcos RAT and TargetCompany ransomware and compared to past samples, the new deployments use fully undetectable packers.
The telemetry data and the external hunting sources provided the early samples during development. Meanwhile, researchers identified a victim subjected to this targeted technique.
Ransomware Infection chain
Similar to previous cases, the latest TargetCompany ransomware exploits weak SQL servers for initial stage deployment, aiming for persistence via diverse methods, including altering URLs or paths until Remcos RAT execution succeeds.
After initial attempts were stopped, threat actors turned to FUD-packed binaries. Remcos and TargetCompany ransomware’s FUD packer mirrors BatCloak’s style:-
Batch file outer layer, followed by PowerShell for decoding and LOLBins execution.
Remarkably, this variant incorporates Metasploit (Meterpreter), which is a surprising move for this group. Their usage is quite interesting, serving purposes like:-
- Query/Add a local account
- Deploy GMER
- Deploy IObit Unlocker
- Deploy PowerTool (or PowTool)
Later, Remcos RAT proceeds to its last phase, downloading and activating TargetCompany ransomware with FUD packing intact.
API Security Fundamentals: How to Discover, Scan and Protect APIs
FUD Packing
An earlier wave exploiting OneNote caught the attention for its new technique involving PowLoad and CMDFile with actual payload. The ‘cmd x PowerShell loader gained popularity and was eventually adopted by TargetCompany ransomware operators in February 2022.
The CMDFiles seemed similar initially, used by malware families like:-
- AsyncRAT
- Remcos
- TargetCompany ransomware
Here the differences arise during execution since the AsyncRAT uses decompression and decryption. While the Remcos and TargetCompany loaders solely decompress the payloads.
The examination of PowerShell-related network links reveals a fresh TargetCompany ransomware variant, linked to the second version with ‘/ap.php’ C&C connection.
With the use of FUD, malware threat actors can prevent or evade the security solutions for this new technique, particularly off-the-shelf tech prone to broader threats.
However, it’s been speculated that more packers could emerge. So, early detection aids in preventing FUD packers due to their unusual coding flow.
Recommendations
- Enable firewall protection.
- Ensure limiting access.
- Make sure to change the default port.
- Secure Account Management.
- Always use strong Passwords.
- Implement account lockout policies.
- Frequently review and deactivate the unwanted SQL CLR assemblies.
- Always encrypt data in transit.
- Make sure to monitor the SQL server activity.
- Always keep the system and installed software updated with the latest updates and patches.
IoCs
