AhnLab Security Emergency response Center (ASEC) has recently discovered the Mallox ransomware with the BAT file extension being distributed to poorly managed MS-SQL servers. Extensions of files distributed to poorly managed MS-SQL servers include not only EXE but also BAT, which is a fileless format. The files distributed with the BAT file extension that has been discovered so far are Remcos RAT and Mallox.
The distributions include cases that use PowerShell and sqlps. The sqlps distribution was covered on the ASEC Blog before. Figure 1 below shows the AhnLab Smart Defense (ASD) log. The download URL in the detection details is identified as Tst.bat. Figure 2 is a portion of the detailed log and shows how the BAT file was downloaded. Based on this information, the process is replicated through AhnLab EDR to analyze the ransomware behaviors.
Figure 3 is an image of EDR detecting the download process and the execution history of the Mallox ransomware through commands that have been actually used. The diagram is a brief depiction of the major behaviors. Clicking the process on the left screen shows the detection reasons and behavior logs. It seems that like the threat actor, CMD was used to download the malware with the PowerShell process. The screen shows the distribution address and the save path used by the threat actor in detail.
The BAT file downloaded by the PowerShell command is run with CMD. An executable with a file name identical to that of the BAT file is created in the same path. The executable created with the name bat.exe is a normal Windows PowerShell file.
Figure 5 shows the result of the normal PowerShell file with an arbitrary file name created in Figure 4 being executed alongside an arbitrary encoded script command. The main part of Mallox is injected through process hollowing (one of the injection methods) into MSbuild.exe which is a normal Windows process. It also creates and executes the killerr.bat file in the same path.
Figure 6 shows the proof of killerr.bat being executed. True to its name, killerr.bat terminates multiple processes. It also shuts downs and deletes number of services. You can see the execution command and the ransomware’s behaviors below.
Figure 7 shows the detection screen for the ransomware behavior of MSBuild.exe after it has been executed through process hollowing. The screen shows how the decoy file was encrypted. There are also logs of volume shadow copies being deleted. Details of the encrypted document file are also recorded. Figure 8 shows the commands that block recovery using Windows features; you can check every command.
Recently, the malware types being installed on poorly managed MS-SQL database servers are starting to include the none-PE fileless type besides executables. Typical attacks that target MS-SQL database servers include brute force and dictionary attacks on systems where account credentials are poorly managed. In the case of MS-SQL servers that are targeted for attacks, there are many cases where they are installed together during the installation process of ERP and business solutions, in addition to being directly constructed as database servers.
Because of this, administrators should use passwords that are difficult to guess for their accounts and change them periodically to protect the database server from brute force attacks and dictionary attacks, and update to the latest patch to prevent vulnerability attacks. They should also use security programs such as firewalls for database servers accessible from outside to restrict access by threat actors. While infiltration incidents may occur even with all preventative measures taken, AhnLab’s EDR products can prevent recurrences of such incidents by identifying the cause through incident investigation and analysis.
- Behavior Detection
- File Detection
- URL & C2
More details about AhnLab EDR which actively tracks threats and provides endpoint visibility through behavior-based detection and analysis can be found here on the AhnLab page.