Analysis Report on TargetCompany Threat Actor’s Attack Against MS-SQL Servers Using Remcos RAT
Overview
AhnLab SEcurity intelligence Center (ASEC) monitors attacks against poorly managed MS-SQL servers. TargetCompany is one of the threat actors who target MS-SQL servers that are exposed to the Internet and whose account credentials are vulnerable to brute force and dictionary attacks.
TargetCompany has been constantly installing ransomware on MS-SQL servers for years and mainly uses Mallox and BlueSky ransomware. ASEC covered recently identified ransomware attack cases by TargetCompany in the blog post “Analysis of TargetCompany’s Attacks Against MS-SQL Servers (Mallox, BlueSky Ransomware)”.
TargetCompany sometimes installs ransomware directly after breaching an MS-SQL server, without installing any additional malware, but at other times first installs a backdoor such as Remcos RAT. During the past year of monitoring, most of the malware initially installed on MS-SQL servers was Remcos RAT.
This report provides the IoCs of the TargetCompany malware identified during the past year.
Analysis of Attack Cases
1. Attacks Targeting MS-SQL Servers
MS-SQL servers that use simple passwords and are publicly exposed to the Internet are one of the main attack vectors used when targeting Windows systems. Threat actors scan for poorly managed MS-SQL servers and then carry out brute force or dictionary attacks to log in with admin privileges. Once they have reached this point, they use various means to install malware and gain control over the infected systems.
After a threat actor logs in to an MS-SQL server with an admin account, the most common method used to install malware involves the xp_cmdshell command. Through this command, commands can be executed in the underlying Windows environment itself, not just inside the database. Other methods include OLE Stored Procedures, MS-SQL Agent Jobs, Extended Stored Procedures, and CLR Stored Procedures.
Generally, threat actors abuse PowerShell, which is available by default and offers a wide range of features: a single command can download malware from an external source and execute it. TargetCompany also used PowerShell in the early days to install malware.
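The two stages described above (a burst of failed logins followed by a successful one, then enabling of xp_cmdshell or a similar feature) leave traces in the SQL Server ERRORLOG. The following detector is an added example written for this report, not code from ASEC or from the threat actor's tooling. It parses constructed ERRORLOG lines in the format SQL Server uses for login events (error 18456) and for `sp_configure` changes, flags a client that exceeds a failed-login threshold inside a time window, flags a later successful login from that same client, and flags a configuration option from a list of risky options being switched on. The threshold, the window and the list of risky options are assumptions chosen for illustration and should be tuned to the environment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Options whose enablement the report names as common post-login installation paths.
# The selection is an assumption for this example; extend it to fit your environment.
RISKY_OPTIONS = {"xp_cmdshell", "ole automation procedures", "clr enabled"}

# Constructed sample ERRORLOG excerpt (not from the report): five failed 'sa' logins in
# about a second from one client, a successful login from the same client, then
# xp_cmdshell being enabled. The last line is a single unrelated failure.
SAMPLE_ERRORLOG = """\
2024-01-15 10:23:45.12 Logon       Error: 18456, Severity: 14, State: 8.
2024-01-15 10:23:45.12 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-01-15 10:23:45.40 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-01-15 10:23:45.71 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-01-15 10:23:46.02 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-01-15 10:23:46.33 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-01-15 10:23:46.60 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.5]
2024-01-15 10:25:01.33 spid55      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-01-15 10:25:01.45 spid55      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-01-15 11:02:10.00 Logon       Login failed for user 'backup'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.7]
"""

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2}) (\S+)\s+(.*)$")
FAIL_RE = re.compile(r"Login failed for user '([^']+)'.*\[CLIENT: ([^\]]+)\]")
OK_RE = re.compile(r"Login succeeded for user '([^']+)'.*\[CLIENT: ([^\]]+)\]")
CONF_RE = re.compile(r"Configuration option '([^']+)' changed from (\d+) to (\d+)")


def parse_errorlog(text):
    """Yield (timestamp, source, message) for every well-formed ERRORLOG line."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f")
        yield ts, m.group(2), m.group(3)


def analyze(text, threshold=5, window_seconds=60):
    """Return a list of alert dicts, in log order, for the three behaviours described above."""
    alerts = []
    window = timedelta(seconds=window_seconds)
    failures = defaultdict(deque)   # client address -> timestamps of recent failures
    brute_forced = set()            # clients that already crossed the threshold

    for ts, _source, msg in parse_errorlog(text):
        m = FAIL_RE.search(msg)
        if m:
            user, client = m.groups()
            q = failures[client]
            q.append(ts)
            while q and ts - q[0] > window:   # drop failures outside the sliding window
                q.popleft()
            if len(q) == threshold:           # alert once, when the threshold is first crossed
                brute_forced.add(client)
                alerts.append({"type": "brute_force", "time": ts, "client": client,
                               "user": user, "failures": len(q)})
            continue

        m = OK_RE.search(msg)
        if m:
            user, client = m.groups()
            if client in brute_forced:        # the guessing attempts paid off
                alerts.append({"type": "success_after_brute_force", "time": ts,
                               "client": client, "user": user})
            continue

        m = CONF_RE.search(msg)
        if m:
            option, old, new = m.groups()
            if option.lower() in RISKY_OPTIONS and old == "0" and new != "0":
                alerts.append({"type": "risky_option_enabled", "time": ts, "option": option})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_ERRORLOG):
        print(alert)
```

The sliding window is per client address rather than per account, because dictionary attacks typically cycle through several logins from one source. The 'show advanced options' change is deliberately not alerted on by itself, since it is a prerequisite for many legitimate configuration changes; the option that actually matters is the one enabled right after it.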

Figure 1. Malware installed using a PowerShell command