Ransomware Spotlight: TargetCompany




TargetCompany

By Trend Research

We detail everything you need to know about TargetCompany, a ransomware family with different monickers, including the evolution of its attack flow as it cemented its place in the threat landscape.

View infographic of View infographic of "Ransomware Spotlight: TargetCompany"

The TargetCompany ransomware was first detected in June 2021, when it was named by industry analysts after the pattern it adopted of appending its encrypted files with the name of the company it was targeting. 

In an interview in January 2023, threat actors behind TargetCompany clarified that each major update of the ransomware entailed a change in the encryption algorithm and different decryptor characteristics. These are accompanied by a change in file name extensions, hence the evolution of names by which the ransomware group is known. We will discuss this evolution further in our blog entry.  

TargetCompany’s earlier variants provided a “.onion contact site for negotiations and dropped ransom notes named How to decrypt files.txt. Meanwhile, later variants of the TargetCompany ransomware no longer use the name of the targeted enterprise as file name extensions. In mid- to late 2022, the group was given the name Fargo due to the extension that it added to its encrypted files in that period. Other extensions used by the ransomware group include .mallox,” and “.xollam.” These later variants were observed using a combination of Chacha20, Curve 25519, and AES-128 algorithms to encrypt the victim’s files.  

The ransomware group eventually established a data leak site under the name Mallox, and later variants dropped ransom notes as HOW TO RECOVER!!.txt.

For the purposes of this feature and to avoid confusion, we will refer to this piece of ransomware and the group behind it as TargetCompany.

What organizations need to know about TargetCompany

The TargetCompany ransomware mostly launches attacks on vulnerable database servers. It implements reflective loading, where it connects to an IP address to download its payload. It is important to note that the contents of this IP address have been observed to only be available for approximately 24 hours, making it a challenge for threat analysts to replicate the infection for dynamic analysis.

In October 2022, our researchers caught a unique TargetCompany infection case from our internal telemetry data. This case relied on a different approach from previous infection chains and used different sets of defense evasion and reconnaissance tools, as well as remote access for execution.

We found that the aforementioned new approach entailed dropping the payload by first executing %mytemp%\K5ZPT7WD.exe, a malicious loader that employs reflective loading. The command connects to hxxp://80[.]66[.]75[.]25/pl-Thjct_Rfxmtgam[.]bmp to drop its Remcos backdoor payload.

The Remcos backdoor payload is then executed via WmiPrvSE.exe, and the payload most likely arrives by exploiting public-facing websites and domains.

More recently, TargetCompany joined the current trend in phishing that involves using malicious OneNote files as an initial access technique to gain access to victim systems.

The TargetCompany ransomware gang comprises individuals who previously worked for other ransomware groups. In the same January 2023 interview, these members said they parted ways with their previous groups due to restrictions and inflexibility, which hindered their ability to make significant profits. According to the threat actors, TargetCompany remains a small, closed group; however, a new member of the cybercrime forum RAMP, under the name Mallx, was observed recruiting affiliates for the Mallox ransomware-as-a-service (RaaS) affiliate program.

It is also possible that TargetCompany has connections with other groups. While monitoring another group’s activities, we observed an attack that shares TargetCompany’s behavior of downloading a PowerShell script from a command-and-control (C&C) remote server. In turn, this server is related to another piece of malware, the BlueSky ransomware. 

Further investigation also links TargetCompany to threat actors that perform brute-force attacks on Microsoft SQL (MS SQL) Servers. Based on our research, these threat actors share several similarities with the group behind TargetCompany: Both have highly skilled Russian-speaking members who use advanced tactics to infiltrate MS SQL Servers, and both deploy Cobalt Strike and AnyDesk remote control through regasm.exe. Third, Anydesk.msi has also been observed as one of the contents of the open directory of TargetCompany’s C&C server. Notably, the linked threat actors also used this open directory.  

A group known as the BruteSQL ransomware has been identified as the culprit behind these brute-force attacks on MS SQL Servers. BruteSQL is known for deploying various types of ransomware in the past, such as the GlobeImposter ransomware in 2021, the LeakTheMall ransomware in 2022, and the BlueSky ransomware in July of the same year.

We also found that one of the excluded file extensions by the TargetCompany ransomware is .Globeimposter-Alpha. Additionally, we observed BlueSky using a similar encryption algorithm as TargetCompany. The brute-force attack group that shared similar tactics to TargetCompany also uses an identical post-exploit command as the latter, the only difference being the C&C server used to download their respective payloads.

It is important to note that the piece of ransomware used by the TargetCompany actors was previously used by various other groups. In fact, the TargetCompany actors only purchased this piece of ransomware later on, after finding its foundations “impeccable.” Afterward, they then modified it to make it suitable for their operations.

Figure 1. Connections found between TargetCompany and the threat actors behind brute-force password auditing on Microsoft SQL Servers

Top affected countries and industries
according to Trend Micro data

In this section, we examine the TargetCompany ransomware’s attempts to compromise organizations since it was first reported in 2021, based on Trend Micro™ Smart Protection Network™ country, regional, and industry data. Note that this data covers only Trend customers and does not contain all victims of TargetCompany.

Our telemetry data detected attempted attacks from the TargetCompany group on Trend customers as early as March 2022. By April 2023, our detections total 269 attempted attacks.

Figure 2. A monthly breakdown of detected TargetCompany  attack attempts in terms of infected machines (March 2022 – April 2023)
Source: Trend Micro™ Smart Protection Network™ 


TargetCompany has been observed to avoid attacking enterprises from Kazakhstan, Russia, Qatar, and Ukraine, although the group claims that its attack behaviors and patterns are not politically motivated.

Our telemetry data showed that many of the top 10 countries targeted by TargetCompany are Asian countries. Of the 269 Trend customers targeted, 250 disclosed their locations.

Figure 3. The top 10 countries from a total of 250 detected attack attempts in terms of infected machines for the TargetCompany ransomware (March 2022 – April 2023)
Source: Trend Micro Smart Protection Network

Data from customers who specified their industries showed that the ransomware group targeted enterprises in the manufacturing, retail, and telecommunications industries.

Figure 4. The top 10 Trend customer organizations that experienced the most attack attempts from threat actors behind TargetCompany. Data includes customers who specified their industry. (March 2022 – April 2023)
Source: Trend Micro Smart Protection Network

Targeted regions and industries
according to TargetCompany ransomware’s leak site

This section looks at data based on attacks recorded on the leak site of the operators behind the TargetCompany ransomware. Based on a combination of Trend's open-source intelligence (OSINT) research and investigations of the leak site, TargetCompany revealed 20 successfully infiltrated victims who refused to pay the ransom demand as of this writing. It is important to note that this figure might differ from the actual damage, especially since the leak site was only launched in November 2022, over a year since the ransomware group’s activities were first detected.

Of the total number of revealed victims in the leak site data, TargetCompany set their eyes mostly on enterprises from the Asia-Pacific region, followed by Europe and Middle East.

Figure 5. The distribution by region of Royal ransomware’s victim organizations
Sources: TargetCompany’s leak site and Trend's OSINT research
(November 2022 – May 2023)

Threat actors behind the ransomware group launched attacks on organizations mostly in India, followed by Saudi Arabia, with the gang declaring only one victim from each of the other countries specified.

Figure 6. The countries and number of attacks executed by the TargetCompany ransomware group
Sources: TargetCompany’s leak site and Trend’s OSINT research
(November 2022 – May 2023)


Majority of TargetCompany’s victim organizations were small businesses. However, a number of victims did not have their sizes specified.

Figure 7. The distribution by organization size of TargetCompany's victim organizations
Sources: TargetCompany’s leak site and Trend’s OSINT research
(November 2022 – May 2023)

Finally, among the victims identified in TargetCompany’s leak site, the gang mostly victimized enterprises from the IT, manufacturing, apparel and fashion, and automobile industries.

Figure 8. A breakdown of the industries that suffered TargetCompany ransomware attacks
Sources: TargetCompany’s leak site and Trend’s OSINT research
(November 2022 – May 2023)

Infection chain and techniques

Figure 9. The infection chain of the June 2021 TargetCompany variant


Initial Access

  • TargetCompany has been observed to use CVE-2019-1069 and CVE-2020-0618, remote code execution (RCE) vulnerabilities that allow attackers to execute arbitrary code.  
  • The group possibly also leverages remote execution via the xp_cmdshell feature in Microsoft SQL Server.
  • The latest variant of TargetCompany ransomware, Xollam, executed a spam campaign that proved to be successful in delivering malware using OneNote malicious files as an initial access technique to gain access to its victim’s system.

Execution

  • TargetCompany threat actors execute the following commands that create a PowerShell script. This script downloads a malicious file from the TargetCompany C&C server to execute on the target system via WMIC.

    Figure 10. The command TargetCompany executes to create a PowerShell script that downloads its payload from its C&C server

  • Payloads of early versions of the ransomware from June 2021 were dependent on the link downloaded by the PowerShell script and could either be TargetComp ransomware, the Remcos backdoor, the Negasteal malware, or the Snake Keylogger malware. 
  • In January 2022, the group incorporated reflective loading, wherein the PowerShell script downloaded a .NET downloader that retrieved an encrypted payload from the group’s C&C server. The payload is decrypted through XOR or inversion and is executed in memory. 

Defense Evasion

  • Upon successfully gaining access to the victim’s system, attackers use tools such as GMER and Advance Process Termination to manually uninstall antivirus products on the target system.
  • We also observed the presence of YDArk.exe (PCHunter64) for performing rootkit behaviors.  
  • We also observed TargetCompany dropping KILLAV to terminate security-related processes and services.
  • The ransomware also drops a batch file named killer.bat that terminates various services and applications, including GPS-related services.

Discovery

  • The TargetCompany ransomware uses network scan to collect network connection information in the system. 
  • We also observed the use of Mimikatz to gather credential information stored in the affected machine. 

Lateral Movement

  • TargetCompany threat actors use RCE via remote desktop to move laterally within the network of their victims.

Command and Control

  • Throughout its evolution, TargetCompany has been consistent in accessing a C&C server to download and deliver its ransomware payload and other components. In our investigation, we discovered that the Mallox C&C server was an open directory that enabled us to easily access its content and examine it. However, the group eventually switched to using an Nginx web server, which prevents threat researchers from visiting its site.This also makes it more challenging to download the group’s payload and analyze its binaries.

    Figure 11. The text displayed on the Nginx web server that the TargetCompany ransomware group switched to from its initial open directory


Impact

  • The ransomware then encrypts the victim's files using the ChaCha20 encryption algorithm and generates the encryption keys using a combination of Curve25519, an example of elliptic curve cryptography, and AES-128.
  • The ransomware adds the following file extension to its encryptions (“.mallox,” “.exploit,” “.avast,” “.consultransom,” “.devicZz”) and drops HOW TO RECOVER !!.TXT"/"FILE RECOVERY.txt as its ransom note.

Figure 12. A TargetCompany ransom note

MITRE tactics and techniques

Initial AccessExecutionPersistenceDefense EvasionDiscoveryCredential AccessCommand and ControlLateral MovementImpact

T1190 - Exploit Public-Facing Application
Malware actors take advantage of vulnerable, unmanaged, or misconfigured database servers to gain a foothold on the victim’s network. Based on logs, it executes the Remcos loader via WmiPrvSE.exe

T1059.001 - Command and Scripting Interpreter: PowerShell
The TargetCompany ransomware drops and executes the following file to terminate services and processes:
%User Temp%\Vqstxggumqhfwkill$.bat

The malware then executes the following PowerShell command:
%System%\WindowsPowerShe11\v1.0\powershe11. exe " -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==

T1047 - Windows Management Instrumentation
The ransomware runs the parent process:
C:\Program Files\Microsoft SQL Server\MSSQL12.SQLEXPRESS\MSSQL\Binn\sqlservr.exe

The wmic.exe process call then creates the following process:
C:\Users\MSSQL$~1\AppData\Local\Temp\V70SP8HC.exe

T1059.003 - Command and Scripting Interpreter: Windows Command Shell
TargetCompany then uses command-line tools to alter registry or file data. It drops and executes the following file that contains commands to delete services and terminate processes:
%User Temp%\Dwghpjxmueqxokshkill$.bat

T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
The ransomware then creates an autostart registry key and adds the following registry entries to enable its automatic execution at every system startup:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Qawjvy =  %Application Data%\Aabza\Qawjvy.exe

It drops a copy of itself to the following process:
%Application Data%\Jrpnqm\Nyovdlxx.exe

It then adds the following unknown macro registry key for persistence:
{HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRunNyovdlxx = %Application Data%JrpnqmNyovdlxx.exe}

T1574.010 - Hijack Execution Flow: Services File Permissions Weakness
TargetComany then creates the following processes:
C:\Windows\SysWOW64\cacls.exe cacls

C:\Windows\system32\cmd.exe /g Administrators:f

T1543.003 - Windows Service
The ransomware also adds and runs the following services:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\avast ImagePath = %Windows%\avast.exe

T1222.001 - Windows File and Directory Permissions Modification
The ransomware modifies file/directory permissions using the following control access control list commands:

cacls %SystemRoot%{system32|SysWOW64}{String} /g Administrators:f

cacls %SystemRoot%{system32|SysWOW64}{String} /e /g Users:r

cacls %SystemRoot%{system32|SysWOW64}{String} /e /g Administrators:r

cacls %SystemRoot%{system32|SysWOW64}{String} /e /d SERVICE

cacls %SystemRoot%{system32|SysWOW64}{String} /e /d mssqlserver

cacls %SystemRoot%{system32|SysWOW64}{String} /e /d network service

cacls %SystemRoot%{system32|SysWOW64}{String} /e /g system:r

cacls %SystemRoot%{system32|SysWOW64}{String} /e /d mssql$sqlexpress
 
In these modifications, the unknown macros include the following:

cmd.exe
net.exe
net1.exe
mshta.exe
FTP.exe
wscript.exe
cscript.exe
WindowsPowerShell\v1.0\powershell.exe

T1036.005 - Masquerading: Match Legitimate Name or Location
The ransomware then drops its own copy to the following directories for defense evasion:
%Windows%\avast.exe
{IP Address}\admin$\avast.exe
{IP Address}\c$\avast.exe

T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
TargetCompany then injects codes into the following process:

%Windows%\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

T1218 - System Binary Proxy Execution
The ransomware also injects codes into the following process:

%Windows%\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

T1070.004 - Indicator Removal on Host
The ransomware then deletes %User Temp%\Vqstxggumqhfwkill$.bat after terminating and deleting services/processes.

T1562.001 - Impair Defenses: Disable or Modify Tools
Trend Micro Smart Protection Network logs show that some executed indicators of compromise (IOCs) are related to GMER including the following:

$myuserprofile$\desktop\911.exe

SHA1:539c228b6b332f5aa523e5ce358c16647d8bbe57

Tagged as PUA.Win32.GMER.YABBI
- Object: $mytemp$\kxldrpog.sysi
 
These create the following registry key:

hklm\system\currentcontrolset\services\kxldrpog

T1112 - Modify Registry
TargetCompany then deletes the following registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Raccine

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\EventLog\Application\
Raccine

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
vssadmin.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
wmic.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
wbadmin.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
bcdedit.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
powershell.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
diskshadow.exe
 
The registry keys above are deleted using the following command:

reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor" /v "AutoRun" /f

T1620 - Reflective Code Loading
The ransomware connects to the following link to load the encrypted payload:

http://{BLOCKED}.{BLOCKED}.44.142/arx-Kbcmvm_Rrkpioky.jpg

T1070.004 - Indicator Removal: File Deletion
The ransomware attempts to delete itself through the following process:

cmd.exe /c ping {BLOCKED}.{BLOCKED}.0.1 && del "{malware path and name}" >> NUL
It encrypts files and appends the ".avast" file extension, among other extensions it has used in the ransomware’s evolution since it was first detected.

T1567 - Exfiltration Over Web Service
Royal uses rclone to exfiltrate stolen information over web service.

T1082 - System Language Discovery
It is worth noting that TargetCompany does not continue its routine if the User Default Language ID of the system is any of the following:
- Russian (0x419)
- Kazakh (0x43F)
- Belarusian (0x423)
- Ukrainian (0x422)
- Tatar (0x444)

T1049 - System Network Connections Discovery
TargetCompany uses the file HQO.exe that performs network scanning in the infected environment.

T1003.001 - OS Credential Dumping: LSASS Memory
Smart Protection Network logs show remnants linked to open-source malware program Mimikatz:

 C:\Users\Administrator\Desktop\Result.txt
- SHA1: 45941756c936fd6decf8269fc110562d91bb443d
- Detection: HS_MIMIKATZLOG.SM

T1071.001 - Application Layer Protocol:
Web Protocols Connects to the following Remcos download URL:
80[.]66[.]75[.]25/pl-Thjct_Rfxmtgam[.]bmp

Connects to the following Kill% download URL:
80[.]66[.]75[.]25:80/kill$[.]exe

T1570 - Lateral Tool Transfer
TargetCompany threat actors use RCE via remote desktop to move laterally within their victim's network.

T1489 - Service Stop
TargetCompany terminates a list of processes and services if found running.

T1486 - Data Encrypted
The ransomware avoids the encrypting files with the following strings in their file path Expand source:
- msocache
- $windows.~ws
- system volume information
- intel
- appdata
- perflogs
- programdata
- google
- application data
- tor browser
- boot
- $windows.~bt
- mozilla
- boot
- windows.old
- Windows Microsoft.NET
- WindowsPowerShell
- Windows NT
- Windows
- Common Files
- Microsoft Security Client
- Internet Explorer
- Reference
- Assemblies
- Windows Defender
- Microsoft ASP.NET
- Core Runtime
- Package
- Store
- Microsoft Help Viewer
- Microsoft MPI
- Windows Kits
- Microsoft.NET
- Windows Mail
- Microsoft Security Client
- Package Store
- Microsoft Analysis Services
- Windows Portable Devices
- Windows Photo Viewer
- Windows Sidebar
 
It also avoids encrypting files with the following strings in their file name:
- desktop.ini
- ntuser.dat
- thumbs.db
- iconcache.db
- ntuser.ini
- ntldr
- bootfont.bin
- ntuser.dat.log
- bootsect.bak
- boot.ini
- autorun.inf
- debugLog.txt
- MSBuild.exe
- RECOVERY FILES.txt
 
Additionally, it avoids encrypting files with the following extensions:
- “.FARGO3”
- “.MALLOX”
- “.exploit”
- “.avast”
- “.consultransom”
- “.devicZz"

T1490 - Inhibit System Recovery
TargetCompany then deletes volume shadow copies using the following commands:
- vssadmin delete shadows /all /quiet
- cmd.exe /c bcdedit /set {current} bootstatuspolicy ignoreallfailures
- cmd.exe /c bcdedit /set {current} recoveryenabled no

Summary of malware, tools, and exploits used

Initial AccessRemcos backdoor
DiscoveryNetwork scan
CollectionMIMIKATZ
ExecutionTrojan.BAT.TARGETCOMP*
Defense EvasionGMER
Advance Process Termination
YDArk

Recommendations

<

TargetCompany evolved from a rookie ransomware group to a formidable threat when it implemented reflective loading and might be joining the ranks of groups who adopt the RaaS business model to expand their profits. Our investigation of its tactics, techniques, and procedures (TTPs) reveals indications that the threat actors behind it share connections with other  groups. There is enough indication that the TargetCompany ransomware continues to be an active threat in the landscape, which calls for sustained vigilance on the part of enterprises. 

To protect systems against the TargetCompany ransomware and other similar threats, organizations can implement security frameworks that allocate resources systematically to establish a strong defense strategy.

Here are some best practices that organizations can adopt to defend themselves against the TargetCompany ransomware: 


Audit and inventory

  • Take an inventory of assets and data.
  • Identify authorized and unauthorized devices and types of software.
  • Audit event and incident logs.

Configure and monitor

  • Manage hardware and software configurations.
  • Grant admin privileges and access only when necessary to an employee’s role.
  • Monitor network ports, protocols, and services.
  • Activate security configurations on network infrastructure devices such as firewalls and routers.
  • Establish a software allowlist that only executes legitimate applications.

Patch and update

  • Conduct regular vulnerability assessments.
  • Perform patching or virtual patching for operating systems and applications.
  • Update software and applications to their latest versions.

Protect and recover

  • Implement data protection, backup, and recovery measures.
  • Enable multifactor authentication (MFA).

Secure and defend

  • Employ sandbox analysis to block malicious emails.
  • Deploy the latest versions of security solutions to all layers of the system, including email, endpoint, web, and network.
  • Discover early signs of an attack, such as the presence of suspicious tools in the system.
  • Use advanced detection technologies such as those powered by AI and machine learning.

Train and test

  • Regularly train and assess employees’ security skills.
  • Conduct red-team exercises and penetration tests.

A multilayered approach can help organizations guard possible entry points into their system (endpoint, email, web, and network). Security solutions can detect malicious components and suspicious behavior, which can in turn help protect enterprises.

  • Trend Vision One™ provides multilayered protection and behavior detection, which helps block questionable behavior and tools early on before ransomware can do irreversible damage to the system.
  • Trend Cloud One™ – Workload Security protects systems against both known and unknown threats that exploit vulnerabilities. This protection is made possible through techniques such as virtual patching and machine learning.
  • Trend Micro™ Deep Discovery™ Email Inspector employs custom sandboxing and advanced analysis techniques to effectively block malicious emails, including phishing emails that can serve as entry points for ransomware.
  • Trend Micro Apex One™ offers next-level automated threat detection and response against advanced concerns such as fileless threats and ransomware, ensuring the protection of endpoints.

Indicators of Compromise (IOCs)

The IOCs for this article can be found here. Actual indicators might vary per attack.

Trend Micro Vision One Hunting Query

Trend Vision One customers can use the following hunting query to check if their network/system is possibly affected by TargetCompany ransomware:

((processCmd:"?:*\\cmd.exe" AND objectFilePath:"*.update.ps1*") AND  (objectFilePath:"*.update.ps1 & WMIC processs call create*")) OR ((processCmd:"?:*bat.exe" AND objectFilePath:"*-win -enc*")) OR (fullPath:”(*.XOLLAM OR *.MALLOX OR *.FARGO OR *.MALLAB)”)
HIDE

Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.

Opublikowany w Ransomware Spotlight