FARGO Ransomware (Mallox) Being Distributed to Vulnerable MS-SQL Servers

The ASEC analysis team is constantly monitoring malware distributed to vulnerable MS-SQL servers. The team has recently discovered FARGO ransomware being distributed to vulnerable MS-SQL servers. Along with GlobeImposter, FARGO is one of the prominent ransomware families that target vulnerable MS-SQL servers. In the past it was also called Mallox because it used the file extension .mallox.


– [ASEC Blog] Cobalt Strike Being Distributed to Vulnerable MS-SQL Servers
– [ASEC Blog] Cobalt Strike Being Distributed to Vulnerable MS-SQL Servers (2)
– [ASEC Blog] Coin Miner Being Distributed to Vulnerable MS-SQL Servers
– [ASEC Blog] AsyncRAT Malware Being Distributed to Vulnerable MS-SQL Servers

Figure 1. Process tree

As shown in the process tree in Figure 1, the file downloaded by the MS-SQL process through cmd.exe and powershell.exe is a file built on .Net (see Figure 2) that downloads and loads additional malware from a particular address. The loaded malware generates a BAT file in the %temp% directory and executes it; the BAT file shuts down certain processes and services.

Figure 2. Download of additional files

Figure 3. Creation and execution of BAT file

Figure 4. Details of BAT file
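The process chain in Figure 1 (the MS-SQL service process launching cmd.exe, which launches powershell.exe) is a good detection anchor. The Python below is an added example, not code from the ASEC post: it walks constructed process-creation events (the pipe-separated field layout and the PIDs are assumptions) and flags any cmd.exe or powershell.exe whose ancestry leads back to sqlservr.exe.

```python
"""Flag cmd.exe / powershell.exe launched under the MS-SQL service process."""
import ntpath
from collections import namedtuple

Event = namedtuple("Event", "pid ppid image cmdline")

# Constructed process-creation events (not taken from the post):
# pid | parent pid | image path | command line
SAMPLE_LOG = r"""
1204|700|C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe|sqlservr.exe -sMSSQLSERVER
3312|1204|C:\Windows\System32\cmd.exe|cmd.exe /c powershell -nop -w hidden -c (placeholder)
3340|3312|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell -nop -w hidden -c (placeholder)
4100|700|C:\Windows\explorer.exe|explorer.exe
4120|4100|C:\Windows\System32\cmd.exe|cmd.exe
"""

SERVICE_IMAGE = "sqlservr.exe"          # MS-SQL service process
SHELLS = {"cmd.exe", "powershell.exe"}  # children worth flagging under it


def parse_events(text):
    """Parse the constructed log format into Event tuples."""
    events = []
    for line in text.strip().splitlines():
        pid, ppid, image, cmdline = line.split("|", 3)
        events.append(Event(int(pid), int(ppid), image, cmdline))
    return events


def basename(image):
    # ntpath handles Windows paths even when this runs on Linux
    return ntpath.basename(image).lower()


def ancestry(pid, by_pid):
    """Image names from the highest resolvable ancestor down to pid (cycle-safe)."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain[::-1]


def find_sql_spawned_shells(events):
    """Return (pid, chain) for every shell whose ancestry includes sqlservr.exe."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for ev in events:
        if basename(ev.image) not in SHELLS:
            continue
        chain = ancestry(ev.pid, by_pid)
        if SERVICE_IMAGE in chain:
            hits.append((ev.pid, " -> ".join(chain[chain.index(SERVICE_IMAGE):])))
    return hits


if __name__ == "__main__":
    for pid, chain in find_sql_spawned_shells(parse_events(SAMPLE_LOG)):
        print(f"pid {pid}: {chain}")
```

Administrative jobs that launch shells from SQL Server produce the same parent-child relationship, so review the command line of each hit before acting on it.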

The ransomware’s behavior begins with injection into AppLaunch.exe, a normal Windows program. It attempts to delete a registry key on a certain path (see Figure 5), executes the recovery deactivation command, and closes certain processes (see Figure 6). As shown in the figures below, the closed processes are SQL programs.

Figure 5. Registry deletion

Figure 6. Deactivation of recovery and closing of processes

When the ransomware encrypts files, files with the file extensions shown in Table 1 are excluded from infection. The characteristic aspect is that it does not infect files with file extensions associated with GlobeImposter, and the exclusion list includes not only its own extensions .FARGO, .FARGO2 and .FARGO3 but also .FARGO4, which is thought to be a future version of the ransomware.

Table 1. Extensions excluded from infection

Table 2. Files excluded from infection

Table 3. Paths excluded from infection

Figure 7 shows a screen capture of the ransom note, with the infected file in the top right of the same screen. As shown in the figure, the encrypted file receives a file name of the form OriginalFileName.FileExtension.Fargo3, and the ransom note is generated with the file name ‘RECOVERY FILES.txt’.

Figure 7. Ransom note and infected file
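The naming pattern described above (OriginalFileName.FileExtension.Fargo3 plus a ‘RECOVERY FILES.txt’ note) and the .FARGO through .FARGO4 extensions from the exclusion list give a responder a simple way to scope an infection. The Python below is an added triage example, not code from the ASEC post; it builds a constructed sample tree in a temporary directory and reports, per folder, which files carry a FARGO extension and where ransom notes were dropped.

```python
"""Triage a directory tree for FARGO-encrypted files and ransom notes."""
import os
import re
import tempfile

# name.ext.FARGO / .FARGO2 / .FARGO3 / .FARGO4, case-insensitive (.Fargo3 in the post)
FARGO_EXT = re.compile(r"^(?P<orig>.+\.[^.]+)\.fargo[2-4]?$", re.IGNORECASE)
RANSOM_NOTE = "recovery files.txt"  # note file name from the post, compared case-insensitively


def classify(name):
    """Return ('encrypted', original_name), ('note', None) or None for a file name."""
    if name.lower() == RANSOM_NOTE:
        return ("note", None)
    m = FARGO_EXT.match(name)
    if m:
        return ("encrypted", m.group("orig"))
    return None


def triage(root):
    """Walk root; map each affected folder (posix-style relative path) to its findings."""
    summary = {}
    for dirpath, _dirs, files in os.walk(root):
        kinds = {f: classify(f) for f in files}
        enc = sorted(f for f, k in kinds.items() if k and k[0] == "encrypted")
        notes = sorted(f for f, k in kinds.items() if k and k[0] == "note")
        if enc or notes:
            rel = os.path.relpath(dirpath, root).replace(os.sep, "/")
            summary[rel] = {"encrypted": enc, "notes": notes}
    return summary


def build_sample_tree():
    """Create a constructed infected tree (sample data, not from the post)."""
    root = tempfile.mkdtemp(prefix="fargo_triage_")
    layout = {
        "docs": ["report.docx.Fargo3", "budget.xlsx.FARGO3", "RECOVERY FILES.txt", "notes.txt"],
        "docs/old": ["archive.zip.FARGO", "readme.md"],
        "bin": ["app.exe"],
    }
    for rel, names in layout.items():
        d = os.path.join(root, *rel.split("/"))
        os.makedirs(d, exist_ok=True)
        for n in names:
            open(os.path.join(d, n), "w").close()
    return root


if __name__ == "__main__":
    for folder, found in triage(build_sample_tree()).items():
        print(folder, found)
```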

Typical attacks that target database servers (MS-SQL, MySQL servers) include brute force attacks and dictionary attacks on systems where account credentials are poorly managed, as well as vulnerability attacks on systems that have not had the relevant patches applied.

Administrators of MS-SQL servers should use passwords that are difficult to guess for their accounts and change them periodically to protect the database server from brute force and dictionary attacks, and apply the latest patches to prevent vulnerability attacks.

AhnLab’s anti-malware software, V3, detects and blocks the malware using the following aliases:

[File Detection]
– Ransomware/Win.Ransom.C5153317(2022.06.02.01)
– Dropper/Win.DotNet.C5237010(2022.09.14.03)
– Downloader/Win.Agent.R519342(2022.09.15.03)
– Trojan/BAT.Disabler (2022.09.16.00)

[Behavior Detection]
– Malware/MDP.Download.M1197

[IOC]
MD5

– b4fde4fb829dd69940a0368f44fca285
– c54daefe372efa4ee4b205502141d360
– 4d54af1bbf7357964db5d5be67523a7c
– 41bcad545aaf08d4617c7241fe36267c

Download
– hxxp://49.235.255[.]219:8080/Pruloh_Matsifkq.png

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.
