TargetCompany Ransomware Group AKA Mallox: A Rapid Evolution

The TargetCompany ransomware group, first identified in June 2021, garnered its name due to its distinctive practice of appending the names of the targeted organizations to encrypted files. Over time, the group has exhibited a dynamic evolution, frequently changing encryption algorithms, decryptor characteristics, and file name extensions.

Early iterations of TargetCompany were characterized by a “.onion” contact site for negotiation and the delivery of ransom notes titled “How to decrypt files.txt.” In contrast, the group’s more recent variants have abandoned this nomenclature. Notably, during the mid- to late-2022 period, TargetCompany adopted the extension “.mallox” for its encrypted files. The group’s encryption methodology advanced, incorporating Chacha20, Curve 25519, and AES-128 algorithms.

Moreover, TargetCompany expanded its activities by establishing a data leak site known as “Mallox” and altering its ransom notes to “HOW TO RECOVER!!.txt.”

Malicious activity by TargetCompany targeting vulnerable SQL servers has surged 174% compared to 2022 reports PaloAlto and shows no sign of slowing down. However it’s important to note, that this figure is in line with the general surge in ransomware attacks in 2023.

The TargetCompany ransomware group’s evolution, affiliations, and modus operandi reveal a threat actor that continuously adapts and expands its operations, posing significant challenges to organizations and cybersecurity professionals. Understanding the group’s tactics and affiliations is crucial for developing effective mitigation and response strategies to counter their threats.

In 2022 Avast released a decryption tool to decrypt data encrypted by TargetCompany Ransomware, but it is a resource intensive process.

TargetCompany’s Victimology

TargetCompany primarily focuses its attacks on vulnerable database servers. The group employs a technique known as reflective loading, which involves connecting to a specific IP address to download its malicious payload. However, the content hosted at this IP address typically remains accessible for only a brief period, often around 24 hours, complicating efforts by security analysts to conduct dynamic analysis.

Notably, in October 2022, a unique TargetCompany infection case came to light, featuring a distinct infection chain. This new approach involved the deployment of %mytemp%\K5ZPT7WD.exe, a malicious loader employing reflective loading. This loader connected to hxxp://80[.]66[.]75[.]25/pl-Thjct_Rfxmtgam[.]bmp to drop the Remcos backdoor payload.

TargetCompany’s Geographic and Sectoral Focus

The TargetCompany ransomware group has exhibited a diverse geographic and sectoral focus including:

1. Asian countries, with a particular emphasis on the region.
2. India.
3. Saudi Arabia.
4. Various other countries – The US has not escaped as usual with several attacks in recent months

In terms of sectors, the group has demonstrated interest in organizations operating in the following industries:

• Business Services
• Healthcare
• Finance
• Government
• Manufacturing
• Education
• Information technology
• Retail
• Transportation
• Utilities- Telecommunications.

Target Company’s Malware, Toolset & TTPs

The TargetCompany ransomware group employs a range of malware and tools throughout its operations, which have evolved over time:

• Early Variants: These earlier iterations of TargetCompany leveraged multiple malware strains, including the TargetComp ransomware, Remcos backdoor, Negasteal malware, and the Snake Keylogger malware.
• Reflective Loading: In January 2022, the group transitioned to reflective loading, a technique in which a PowerShell script downloads a .NET downloader to retrieve an encrypted payload from the group’s command-and-control (C&C) server. The payload is decrypted using XOR or inversion and executed in memory.
• Defense Evasion: TargetCompany employs a variety of tools to evade detection and hinder security measures. Notably, the group utilizes GMER and Advanced Process Termination, alongside the presence of YDArk.exe (PCHunter64) for rootkit behavior. A batch file named “killer.bat” is also deployed to terminate various services and applications.

Target Company’s Tactics, Techniques, and Procedures (TTPs)

The TargetCompany ransomware group’s operations are characterized by a set of tactics, techniques, and procedures (TTPs) that illustrate their modus operandi:

• Initial Access: TargetCompany gains initial access to victim systems through the exploitation of vulnerabilities, specifically CVE-2019-1069 and CVE-2020-0618. Additionally, the group may leverage the xp_cmdshell feature in Microsoft SQL Server for execution.
• Execution: The group employs PowerShell scripts to create and execute a script that downloads a malicious file from the C&C server.
• Persistence: TargetCompany establishes persistence through registry run keys, service manipulation, and alterations of file and directory permissions.
• Defense Evasion: To evade security measures, the group utilizes anti-antivirus techniques, rootkit behaviors, and termination of security-related processes.
• Discovery: Network scanning is employed to gather information on network connections within the compromised system. The use of Mimikatz aids in the extraction of credential information stored on the affected machine.
• Lateral Movement: TargetCompany threat actors leverage remote desktop exploitation for lateral movement within victim networks.
• Command and Control: Throughout its various iterations, TargetCompany consistently accesses a C&C server to download and deliver its ransomware payload and other components.

Target Company’s Origins & Affiliates

Target Company’s Origins

The TargetCompany ransomware group comprises members who previously operated within other ransomware groups. They parted ways with their former associates due to constraints and limitations that impeded their profit-making capabilities. These members now form the core of the TargetCompany group.

Target Company’s Affiliations and Recruitment

While TargetCompany maintains a relatively small, closed-knit structure, there is evidence of the group expanding its operations. For example, a new member known as “Mallx” was observed actively recruiting affiliates for the Mallox ransomware-as-a-service (RaaS) program on the cybercrime forum known as RAMP.

Furthermore, there are indications of potential affiliations between TargetCompany and other threat actor groups. Notable observations during monitoring revealed an attack sharing similarities with TargetCompany, which included the downloading of a PowerShell script from a C&C server linked to the BlueSky ransomware group. This suggests a potential nexus between these groups.

TargetCompany Ransomware Group’s Prescence in the Community

The TargetCompany ransomware group maintains a presence within the broader cybercriminal community, particularly through affiliations with the RAMP forum. The recruitment of affiliates for the Mallox RaaS program underscores the group’s involvement in the wider cybercrime ecosystem.

Threat Actors Related to TargetCompany

TargetCompany exhibits similarities with other threat actors, particularly those engaged in brute-force attacks against Microsoft SQL (MS SQL) Servers. Notably, the BruteSQL ransomware group shares commonalities with TargetCompany. These include the presence of highly skilled Russian-speaking members, advanced infiltration methods, and the utilization of tools such as Cobalt Strike and AnyDesk remote control through regasm.exe. The presence of the Anydesk.msi file in TargetCompany’s open directory further suggests links with these threat actors.