
Mallox Ransomware Group Becomes A Very Active Threat
The group tracked as Mallox (also known as TargetCompany, Fargo and Tohnichi) has lately tended to break into target networks through vulnerable SQL servers. Mallox attacks in 2023 are known to have increased by 174% compared to 2022.
Indicators of Compromise
Domains (24)
soryytlic4.net
trojan.msil.avascrypt.sm
hutnilior.net
www.atrikvde.xyz
wfsdragon.ru
www.mewzom.online
bulimu55t.net
www.koyesses.site
host-host-file8.com
www.scastive.online
novanosa5org.org
nuljjjnuli.org
potunulit.org
www.moldstones.com
www.domight.live
www.merop.online
www.rtivxam.xyz
mimikatzlog.sm
www.notbokin.online
www.markmarket.live
+4 more
Hashes (219)
IPv4 (22)
80.66.75.116
91.243.44.142
91.243.44.85
80.66.75.37
80.66.75.25
81.161.229.143
193.106.191.141
91.243.44.42
91.243.44.101
136.144.41.152
91.243.44.30
120.27.96.112
45.139.105.171
80.66.75.36
85.208.136.148
80.66.75.98
91.243.44.105
22.9.14.322.6.2.149.235.255.219
+2 more
CVEs (3)
CVE-2020-0618
CVE-2019-1068
CVE-2019-1069
Notes
CONCLUSIONS

How to Use SOCRadar for Detecting Ransomware Attacks Early?

The strategic, tactical and operational cyber threat intelligence service offered as SOCRadar Unified helps protect against ransomware attacks with the following capabilities.

The SOCRadar Attack Surface Management module discovers and tracks your assets on the Internet:
- Making an inventory of digital assets open to the Internet,
- Critical port notification,
- 0-day vulnerability detection.

The SOCRadar ThreatFusion Module (https://socradar.io/suites/cyber-threat-intelligence/) provides intelligence on current cyber events:
- Vulnerability tracking of internal and external systems and applications, with notifications for new vulnerabilities,
- Integration of IoCs used by threat actors into security devices,
- Integration to detect and block phishing domains used by ransomware groups,
- Country-based and sector-based detection of ransomware attacks, with threat-sharing notifications sent to companies that may be affected so that they can take action,
- Active monitoring of threat actors.

Threat sharing about ransomware attacks actively informs security personnel. Suspicious files are analyzed with the Threat Analysis module.
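The bullet above about feeding threat-actor IoCs into security devices, and the domain and IPv4 lists in the Indicators of Compromise section, can be put to work directly. The following Python script is an added example (not code from the original page or from SOCRadar): it loads a subset of the domain and IPv4 indicators listed above and scans DNS, firewall and proxy log lines for them. The log lines are constructed for the example; domain matching is suffix-based, so subdomains of a listed domain (and the bare domain behind a listed "www." host) also produce a hit.

```python
"""Match Mallox domain/IPv4 indicators against log lines.

Added example for this page; the log lines below are constructed and the
indicator subset is copied from the page's IoC list.
"""
import ipaddress
import re
from dataclasses import dataclass

# Subset of the domains listed on the page. "www." is stripped so that the
# registrable domain behind a listed host is matched as well.
RAW_DOMAINS = [
    "soryytlic4.net", "hutnilior.net", "www.atrikvde.xyz", "wfsdragon.ru",
    "bulimu55t.net", "host-host-file8.com", "novanosa5org.org",
    "nuljjjnuli.org", "potunulit.org",
]

# Subset of the IPv4 addresses listed on the page.
MALLOX_IPS = {
    "80.66.75.116", "91.243.44.142", "91.243.44.85", "80.66.75.37",
    "80.66.75.25", "81.161.229.143", "193.106.191.141", "91.243.44.42",
    "91.243.44.101", "136.144.41.152", "91.243.44.30", "120.27.96.112",
    "45.139.105.171", "80.66.75.36", "85.208.136.148", "80.66.75.98",
    "91.243.44.105",
}


def normalize_domain(name: str) -> str:
    """Lower-case and drop a trailing dot (DNS logs often emit FQDNs with one)."""
    return name.lower().rstrip(".")


def _as_indicator(name: str) -> str:
    name = normalize_domain(name)
    return name[4:] if name.startswith("www.") else name


MALLOX_DOMAINS = {_as_indicator(d) for d in RAW_DOMAINS}

# Hostname: one or more labels followed by an alphabetic TLD, so dotted IPs
# never match here. IPv4: four 1-3 digit octets; validity is checked later.
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


@dataclass(frozen=True)
class Hit:
    line_no: int
    indicator: str
    kind: str  # "domain" or "ip"


def domain_indicator(name: str):
    """Return the listed domain that `name` equals or is a subdomain of, else None."""
    labels = normalize_domain(name).split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in MALLOX_DOMAINS:
            return candidate
    return None


def scan_line(line_no: int, line: str) -> list:
    """Return every indicator hit in one log line (IPs first, then domains)."""
    hits = []
    for m in IPV4_RE.finditer(line):
        try:
            ip = ipaddress.ip_address(m.group())
        except ValueError:  # e.g. an octet above 255
            continue
        if str(ip) in MALLOX_IPS:
            hits.append(Hit(line_no, str(ip), "ip"))
    for m in DOMAIN_RE.finditer(line):
        indicator = domain_indicator(m.group())
        if indicator is not None:
            hits.append(Hit(line_no, indicator, "domain"))
    return hits


def scan(lines) -> list:
    """Scan an iterable of log lines; line numbers start at 1."""
    hits = []
    for n, line in enumerate(lines, 1):
        hits.extend(scan_line(n, line))
    return hits


# Constructed sample log lines (not from the page): DNS, firewall and proxy.
SAMPLE_LOGS = [
    "2023-06-01T10:12:03Z dns client=10.0.0.15 query=A name=hutnilior.net",
    "2023-06-01T10:12:04Z fw allow src=10.0.0.15 dst=80.66.75.37 dport=443",
    "2023-06-01T10:12:09Z dns client=10.0.0.22 query=A name=updates.vendor.example",
    "2023-06-01T10:13:40Z fw allow src=10.0.0.22 dst=93.184.216.34 dport=443",
    "2023-06-01T10:14:01Z proxy GET http://cdn.www.atrikvde.xyz/loader src=10.0.0.31",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(f"line {hit.line_no}: {hit.kind} indicator {hit.indicator}")
```

Running the script reports lines 1, 2 and 5 of the sample as hits (a DNS lookup of a listed domain, a firewall allow to a listed IP, and a proxy request to a subdomain of a listed host); the benign lookups on lines 3 and 4 are not reported. Feeding the full list from the page, rather than the subset, is a matter of extending the two sets.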
Mitigation
Educate employees: Employees should be educated on the risks of ransomware and on how to identify and avoid phishing emails, malicious attachments, and other threats. They should be encouraged to report suspicious emails or attachments, and to avoid opening them or clicking on links or buttons in them.

Implement a secure password policy and use strong passwords: Organizations should implement strong, unique passwords for all user accounts, and should regularly update and rotate these passwords. Passwords should be at least 8 characters long and should include a combination of uppercase and lowercase letters, numbers, and special characters.

Enable Multi-Factor Authentication (MFA): Organizations should enable Multi-Factor Authentication (MFA) for all user accounts to provide an additional layer of security. This can be done through the use of mobile apps, such as Google Authenticator or Microsoft Authenticator, or through the use of physical tokens or smart cards.

Update and patch systems: Organizations should regularly update and patch their systems to fix any known vulnerabilities and to prevent attackers from exploiting them. This includes updating the operating system, applications, and firmware on all devices, as well as disabling any unnecessary or unused services or protocols.

Implement backup and disaster recovery: Organizations should implement regular backup and disaster recovery (BDR) processes to ensure that they can recover from ransomware attacks or other disasters. This includes creating regular backups of all data and systems, and storing these backups in a secure, offsite location. The backups should be tested regularly to ensure that they are working and that they can be restored quickly and easily.