Mallox Ransomware Deployed Via MS-SQL Honeypot Attack

An incident involving an MS-SQL honeypot has shed light on the tactics employed by attackers deploying Mallox ransomware. The honeypot, set up by researchers at Sekoia, was targeted by an intrusion set that brute-forced its way in and then deployed the Mallox ransomware via PureCrypter, exploiting various MS-SQL weaknesses. Upon analyzing Mallox samples, the researchers identified two distinct affiliates using different approaches: one focused on exploiting vulnerable assets, while the other aimed at broader compromises of information systems on a larger scale. Exploitation attempts showed distinct patterns, including enabling specific server parameters, creating assemblies, and executing commands via xp_cmdshell and Ole Automation Procedures. These techniques allowed the attackers to maintain persistence and control over the compromised systems.

The payloads observed were linked to PureCrypter, a loader developed in .NET. PureCrypter, sold as Malware-as-a-Service by a threat actor known as PureCoder, employs sophisticated evasion techniques to avoid detection and analysis. Once deployed, PureCrypter executed the Mallox ransomware, which has been active since at least June 2021. Mallox uses a double extortion strategy, threatening to publish stolen data if the ransom is not paid in addition to encrypting the victim's files.

Security Officer Comments:
The research also detailed the roles of various affiliates within the Mallox operation. Affiliates such as Maestro, Vampire, and Hiervos were noted for their distinct tactics and varying ransom demands. This indicates a well-organized and distributed operation with multiple actors contributing to the spread and impact of the ransomware. Furthermore, the research raised suspicions about the hosting company Xhost Internet, linked to AS208091, which has a history of involvement in ransomware activities, although formal links to cybercrime have not yet been proven.

Suggested Corrections:

MS-SQL logs are not natively collected in the Windows event log. However, they contain information that is useful for detecting a compromise, and it is recommended to bring them into the SOC perimeter. Based on MS-SQL logs:
  • Track connections to the MS-SQL server, particularly from public IP addresses. Monitor IP addresses that manage to connect after several failed authentications.
  • Check server parameter changes, in particular the activation of xp_cmdshell, clr enabled or Ole Automation Procedures.
The execution of drop commands and payload execution via the MS-SQL server can be detected from the process tree (child processes spawned by the SQL Server service). This type of rule works very well on a honeypot, but in production it runs the risk of generating false positives linked to the legitimate use of advanced stored procedures by sysadmins or database administrators.
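As an added example (not from the Sekoia research or this page), the following Python script applies the two log-based checks above to constructed SQL Server ERRORLOG-style lines: a login that succeeds after several failures from the same client address, and the enabling of xp_cmdshell, clr enabled or Ole Automation Procedures through sp_configure. The log line format, the sample addresses and the failure threshold are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines in the style of the SQL Server ERRORLOG (not from the page).
# "Login succeeded" lines only appear when login auditing is set to cover successes.
SAMPLE_LOG = """\
2024-05-21 10:15:01.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2024-05-21 10:15:02.20 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2024-05-21 10:15:03.30 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2024-05-21 10:15:05.40 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.45]
2024-05-21 10:15:06.00 Logon       Login succeeded for user 'appuser'. Connection made using SQL Server authentication. [CLIENT: 10.0.0.12]
2024-05-21 10:15:09.01 spid55      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-05-21 10:15:09.50 spid55      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-05-21 10:15:10.20 spid55      Configuration option 'Ole Automation Procedures' changed from 0 to 1. Run the RECONFIGURE statement to install.
"""

LOGIN_RE = re.compile(r"Login (failed|succeeded) for user '([^']+)'.*\[CLIENT: ([^\]]+)\]")
CONFIG_RE = re.compile(r"Configuration option '([^']+)' changed from (\d+) to (\d+)")
# sp_configure options whose activation the recommendations above call out.
WATCHED_OPTIONS = {"xp_cmdshell", "clr enabled", "Ole Automation Procedures"}
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def is_public_ip(addr):
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # '<local machine>', named pipes and similar client strings
    return not any(ip in net for net in PRIVATE_NETS)

def analyze(log_text, fail_threshold=3):
    """Return ([(client, user, failures_before_success, is_public), ...],
    [(option, old, new), ...]); the per-client failure counter resets on success."""
    failures = defaultdict(int)
    logins, changes = [], []
    for line in log_text.splitlines():
        login = LOGIN_RE.search(line)
        conf = CONFIG_RE.search(line)
        if login:
            outcome, user, client = login.groups()
            if outcome == "failed":
                failures[client] += 1
            else:
                if failures[client] >= fail_threshold:
                    logins.append((client, user, failures[client], is_public_ip(client)))
                failures[client] = 0
        elif conf and conf.group(1) in WATCHED_OPTIONS and conf.group(3) == "1":
            changes.append((conf.group(1), int(conf.group(2)), int(conf.group(3))))
    return logins, changes
```

Running `analyze(SAMPLE_LOG)` flags the `sa` login from the public address after three failures and the two watched options being switched on, while ignoring `show advanced options` and the clean internal login.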