TargetCompany Ransomware Strikes Again: New Variant and Covert Tools Unveiled


The TargetCompany ransomware, also known as Mallox, Fargo, and Tohnichi, is actively targeting organizations that are running vulnerable SQL servers.

Additionally, the TargetCompany operators have recently introduced a new variant of the ransomware, along with several malicious tools for maintaining persistence and operating covertly, and these tools are seeing rapidly growing use.

Cybersecurity researchers at Trend Micro have identified an ongoing campaign that links Remcos RAT with the TargetCompany ransomware. Compared with previous instances, these new deployments use fully undetectable (FUD) packers. Telemetry data and external threat-hunting sources provided early samples while the packers were still in development, and the researchers have also identified a victim who fell prey to this targeted technique.

The ransomware infection chain follows the pattern seen in previous cases: the latest TargetCompany ransomware first exploits weak SQL servers for initial deployment, then attempts to establish persistence through various methods, including changing the URLs or file paths it uses until Remcos RAT executes successfully.

When initial attempts are thwarted, the threat actors turn to fully undetectable (FUD) packed binaries. The FUD packer used for Remcos and the TargetCompany ransomware resembles BatCloak: a batch file forms the outer layer, followed by PowerShell that decodes the payload and executes it through LOLBins (living-off-the-land binaries).

Notably, this variant incorporates Metasploit (Meterpreter), an unexpected move for this group. Metasploit is used for several purposes, such as querying or adding a local account and deploying GMER, IObit Unlocker, and PowerTool (also written PowTool). Remcos RAT then proceeds to the final phase, downloading and launching the TargetCompany ransomware, which likewise remains FUD-packed.

FUD packing first drew attention in an earlier wave that abused OneNote, using the PowLoad and CMDFile technique to deliver the actual payload. This ‘cmd x PowerShell loader’ grew popular and was eventually adopted by TargetCompany ransomware operators in February 2022.

Although the CMDFiles initially looked alike, they were used by different malware families, including AsyncRAT, Remcos, and TargetCompany ransomware. The differences emerged during execution: the AsyncRAT loader both decompressed and decrypted its payload, while the Remcos and TargetCompany loaders only decompressed theirs.

An examination of the network connections made by the PowerShell stage revealed a new TargetCompany ransomware variant, tied to the second version of the malware, whose C&C connection uses the ‘/ap.php’ path.

FUD packing lets threat actors evade security solutions, particularly off-the-shelf products tuned for broader, more common threats. More such packers are expected to emerge, so early detection, which can key on the packers' unconventional coding flow, is crucial for countering them.

Recommendations:

  1. Enable firewall protection.
  2. Limit access to your systems.
  3. Change default ports for added security.
  4. Implement secure account management practices.
  5. Use strong passwords.
  6. Enforce account lockout policies.
  7. Regularly review and deactivate unwanted SQL CLR assemblies.
  8. Encrypt data in transit.
  9. Monitor SQL server activity.
  10. Keep your system and installed software up to date with the latest updates and patches.
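As an added illustration of the "monitor SQL server activity" recommendation and of the batch-to-PowerShell-to-LOLBin loader chain described earlier, the Python below (example code written for this page, not Trend Micro's or the article's) walks constructed Sysmon-style process-creation records and flags a LOLBin whose parent is PowerShell launched from cmd.exe, noting whether the chain starts under the SQL Server service and whether PowerShell ran an encoded command. The process names, the LOLBin list, and the sample events are assumptions.

```python
# Detection logic for the cmd.exe -> powershell.exe -> LOLBin loader chain.
# The events below are constructed for this example, not real telemetry.

# Binaries commonly handed a decoded payload by a PowerShell stage (assumed list).
LOLBINS = {"mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "msbuild.exe"}

SAMPLE_EVENTS = [  # constructed ProcessCreate records: pid, parent pid, image, command line
    {"pid": 100, "ppid": 1,   "image": "sqlservr.exe",   "cmdline": "sqlservr.exe"},
    {"pid": 200, "ppid": 100, "image": "cmd.exe",        "cmdline": "cmd.exe /c loader.bat"},
    {"pid": 300, "ppid": 200, "image": "powershell.exe", "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
    {"pid": 400, "ppid": 300, "image": "rundll32.exe",   "cmdline": "rundll32.exe payload.dll,Start"},
    {"pid": 500, "ppid": 1,   "image": "explorer.exe",   "cmdline": "explorer.exe"},
    {"pid": 600, "ppid": 500, "image": "powershell.exe", "cmdline": "powershell.exe Get-Process"},
]

def ancestry(by_pid, pid):
    """Return the event for pid followed by its parents, nearest first."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:  # 'seen' guards against pid reuse loops
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid]["ppid"]
    return chain

def find_loader_chains(events):
    """Flag LOLBins spawned by PowerShell that was itself spawned by cmd.exe."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        chain = ancestry(by_pid, e["pid"])
        names = [c["image"].lower() for c in chain]
        if len(names) < 3 or names[0] not in LOLBINS:
            continue
        if names[1] != "powershell.exe" or names[2] != "cmd.exe":
            continue
        ps_args = chain[1]["cmdline"].lower().split()
        hits.append({
            "pid": e["pid"],
            "chain": " <- ".join(names),
            # -enc / -encodedcommand (and abbreviations) indicate an encoded script block
            "encoded_powershell": any(a == "-e" or a.startswith("-enc") for a in ps_args),
            # a chain rooted at the SQL Server service points at the initial-access vector
            "from_sql_server": "sqlservr.exe" in names[3:],
        })
    return hits

if __name__ == "__main__":
    for hit in find_loader_chains(SAMPLE_EVENTS):
        print(hit)
```

In production this would run over real Sysmon Event ID 1 or EDR process-creation data rather than the embedded sample.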