{
  "name": "Mallox ransomware affiliate leverages PureCrypter in MS-SQL exploitation campaigns",
  "slug": "mallox-ranomware-affiliate-leverages-purecrypter-in-ms-sql-exploitation-campaigns",
  "description": "A team from security firm Sekoia has observed a series of attacks targeting vulnerable assets, including exposed MS-SQL servers, to deploy Mallox ransomware, with the payload delivered via PureCrypter (a loader/crypter, not a ransomware family).",
  "published": "2024-05-14T16:03:51+00:00",
  "created_at": "2024-05-14T16:03:51+00:00",
  "modified_at": "2024-05-14T16:30:08+00:00",
  "created_at_opencti": "2024-05-14T16:03:51+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2024-05-09",
    "2024-05-10",
    "2024-05-14",
    "as208091",
    "bitcoin",
    "clr sqlshell",
    "link http",
    "maestro",
    "mallox",
    "mallox raas",
    "mssql",
    "mssql server",
    "plugx",
    "powershell",
    "purecrypter",
    "ransom",
    "shutdown",
    "sqlshell",
    "trigona",
    "unsafe",
    "xollam"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "80.66.76.251"
      },
      {
        "id": "",
        "name": "87.251.75.92"
      },
      {
        "id": "",
        "name": "80.66.75.44"
      },
      {
        "id": "",
        "name": "91.215.85.142"
      },
      {
        "id": "",
        "name": "e92f5d73a8cb1aa132602d3f35f2c2005deba64df99dcfff4e2219819ab3fffd"
      },
      {
        "id": "",
        "name": "19005bf424024b22edaae18bf1da55ea05092f906a19aee7b86e9624cc9fa34e"
      },
      {
        "id": "",
        "name": "dd41f029f28c03067bb392ec99f085d84ce02f84102f948782fda9e69a835b51"
      },
      {
        "id": "",
        "name": "29256d84f25518007da05dba434aee3b20260817809f8407a7ac6d97b3ed81de"
      },
      {
        "id": "",
        "name": "0772ab3066dbc9863f415f505e3a136266d46d9c8889646b3c3720c44d4ced79"
      },
      {
        "id": "",
        "name": "04ba9dd2d3127511af52e1be3015e0424491cfb2133f90f8b5b5cac2e33166d4"
      }
    ],
    "malware": [
      {
        "id": "f2cc8f56-e60b-4962-ab35-1f0dfcaf2bd9",
        "name": "Xollam",
        "slug": "xollam"
      },
      {
        "id": "legacy:malware:c9649853163819ce",
        "name": "Mallox",
        "slug": "mallox"
      },
      {
        "id": "b704d955-05fc-48bd-8397-691183565e65",
        "name": "Trigona",
        "slug": "trigona"
      }
    ],
    "intrusion_sets": [
      {
        "id": "b20efa8e-1026-48d5-b12a-11c5581a503b",
        "name": "Mallox",
        "slug": "mallox"
      }
    ],
    "attack_patterns": [
      {
        "id": "444de5e0-bd7f-4700-b700-26320057dd80",
        "name": "T1110"
      },
      {
        "id": "32817170-4c07-427e-b8a5-80a733ae2550",
        "name": "T1497"
      },
      {
        "id": "5bab4974-1fc2-4144-b093-28ebcb8767dc",
        "name": "T1114"
      },
      {
        "id": "7d03ac30-b4e0-4ef9-bb23-80667e2c8123",
        "name": "T1127"
      },
      {
        "id": "f1bb7823-4f4b-4565-b472-bf0cfca467b1",
        "name": "T1486"
      },
      {
        "id": "8b1be248-0f6e-4813-81d3-638fec2a733e",
        "name": "T1559"
      },
      {
        "id": "926a888c-190c-4efb-ab6b-f9d7e6a0fc54",
        "name": "T1547"
      },
      {
        "id": "c473a756-355a-42ad-a0df-cd3a8fa006d1",
        "name": "T1057"
      },
      {
        "id": "7d7ac733-6442-416f-8669-c302dd0843b9",
        "name": "T1036"
      },
      {
        "id": "5b7c66d1-0466-4ba7-af6f-eb82c2f9d05b",
        "name": "T1033"
      },
      {
        "id": "31d29704-da1c-47ea-b93f-76d368813bdf",
        "name": "T1560"
      },
      {
        "id": "fcd96dc0-500e-4354-bd97-5c65718a9004",
        "name": "T1562"
      },
      {
        "id": "ca53b2fa-42a8-45ec-9682-0cf54bf280f3",
        "name": "T1090"
      },
      {
        "id": "64cdebc9-0fb4-48f2-bf4f-b87f3741f664",
        "name": "T1068"
      },
      {
        "id": "9b6064e6-a05b-4e95-baf5-34d180bc9221",
        "name": "T1059"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "Qatar"
      },
      {
        "id": "",
        "name": "Australia"
      },
      {
        "id": "",
        "name": "Canada"
      },
      {
        "id": "",
        "name": "Germany"
      },
      {
        "id": "",
        "name": "Kazakhstan"
      },
      {
        "id": "",
        "name": "United Kingdom of Great Britain and Northern Ireland"
      },
      {
        "id": "",
        "name": "Ukraine"
      },
      {
        "id": "",
        "name": "United States of America"
      },
      {
        "id": "",
        "name": "Russian Federation"
      },
      {
        "id": "",
        "name": "Retail"
      },
      {
        "id": "",
        "name": "Technology"
      },
      {
        "id": "",
        "name": "Manufacturing"
      }
    ]
  },
  "external_refs": [
    "https://blog.sekoia.io/mallox-ransomware-affiliate-leverages-purecrypter-in-microsoft-sql-exploitation-campaigns/",
    "https://otx.alienvault.com/pulse/6643a78898555f57c75a108a"
  ]
}