Ransomware Spotlight: TargetCompany
Top affected countries and industries
according to Trend Micro data
Targeted regions and industries
according to TargetCompany ransomware’s leak site
Infection chain and techniques
- TargetCompany has been observed to use CVE-2019-1069 and CVE-2020-0618, remote code execution (RCE) vulnerabilities that allow attackers to execute arbitrary code.
- The group possibly also leverages remote execution via the xp_cmdshell feature in Microsoft SQL Server.
- The latest variant of TargetCompany ransomware, Xollam, executed a spam campaign that proved to be successful in delivering malware using OneNote malicious files as an initial access technique to gain access to its victim’s system.
TargetCompany threat actors execute the following commands that create a PowerShell script. This script downloads a malicious file from the TargetCompany C&C server to execute on the target system via WMIC.
Figure 10. The command TargetCompany executes to create a PowerShell script that downloads its payload from its C&C server
- Payloads of early versions of the ransomware from June 2021 were dependent on the link downloaded by the PowerShell script and could either be TargetComp ransomware, the Remcos backdoor, the Negasteal malware, or the Snake Keylogger malware.
- In January 2022, the group incorporated reflective loading, wherein the PowerShell script downloaded a .NET downloader that retrieved an encrypted payload from the group’s C&C server. The payload is decrypted through XOR or inversion and is executed in memory.
- Upon successfully gaining access to the victim’s system, attackers use tools such as GMER and Advance Process Termination to manually uninstall antivirus products on the target system.
- We also observed the presence of YDArk.exe (PCHunter64) for performing rootkit behaviors.
- We also observed TargetCompany dropping KILLAV to terminate security-related processes and services.
- The ransomware also drops a batch file named killer.bat that terminates various services and applications, including GPS-related services.
- The TargetCompany ransomware uses network scan to collect network connection information in the system.
- We also observed the use of Mimikatz to gather credential information stored in the affected machine.
- TargetCompany threat actors use RCE via remote desktop to move laterally within the network of their victims.
Command and Control
- Throughout its evolution, TargetCompany has been consistent in accessing a C&C server to download and deliver its ransomware payload and other components. In our investigation, we discovered that the Mallox C&C server was an open directory that enabled us to easily access its content and examine it. However, the group eventually switched to using an Nginx web server, which prevents threat researchers from visiting its site.This also makes it more challenging to download the group’s payload and analyze its binaries.
Figure 11. The text displayed on the Nginx web server that the TargetCompany ransomware group switched to from its initial open directory
- The ransomware then encrypts the victim's files using the ChaCha20 encryption algorithm and generates the encryption keys using a combination of Curve25519, an example of elliptic curve cryptography, and AES-128.
- The ransomware adds the following file extension to its encryptions (“.mallox,” “.exploit,” “.avast,” “.consultransom,” “.devicZz”) and drops HOW TO RECOVER !!.TXT"/"FILE RECOVERY.txt as its ransom note.
MITRE tactics and techniques
Summary of malware, tools, and exploits used
|Initial Access||Remcos backdoor|
|Advance Process Termination|
TargetCompany evolved from a rookie ransomware group to a formidable threat when it implemented reflective loading and might be joining the ranks of groups who adopt the RaaS business model to expand their profits. Our investigation of its tactics, techniques, and procedures (TTPs) reveals indications that the threat actors behind it share connections with other groups. There is enough indication that the TargetCompany ransomware continues to be an active threat in the landscape, which calls for sustained vigilance on the part of enterprises.
To protect systems against the TargetCompany ransomware and other similar threats, organizations can implement security frameworks that allocate resources systematically to establish a strong defense strategy.
Here are some best practices that organizations can adopt to defend themselves against the TargetCompany ransomware:
Audit and inventory
- Take an inventory of assets and data.
- Identify authorized and unauthorized devices and types of software.
- Audit event and incident logs.
Configure and monitor
- Manage hardware and software configurations.
- Grant admin privileges and access only when necessary to an employee’s role.
- Monitor network ports, protocols, and services.
- Activate security configurations on network infrastructure devices such as firewalls and routers.
- Establish a software allowlist that only executes legitimate applications.
Patch and update
- Conduct regular vulnerability assessments.
- Perform patching or virtual patching for operating systems and applications.
- Update software and applications to their latest versions.
Protect and recover
- Implement data protection, backup, and recovery measures.
- Enable multifactor authentication (MFA).
Secure and defend
- Employ sandbox analysis to block malicious emails.
- Deploy the latest versions of security solutions to all layers of the system, including email, endpoint, web, and network.
- Discover early signs of an attack, such as the presence of suspicious tools in the system.
- Use advanced detection technologies such as those powered by AI and machine learning.
Train and test
- Regularly train and assess employees’ security skills.
- Conduct red-team exercises and penetration tests.
A multilayered approach can help organizations guard possible entry points into their system (endpoint, email, web, and network). Security solutions can detect malicious components and suspicious behavior, which can in turn help protect enterprises.
- Trend Vision One™ provides multilayered protection and behavior detection, which helps block questionable behavior and tools early on before ransomware can do irreversible damage to the system.
- Trend Cloud One™ – Workload Security protects systems against both known and unknown threats that exploit vulnerabilities. This protection is made possible through techniques such as virtual patching and machine learning.
- Trend Micro™ Deep Discovery™ Email Inspector employs custom sandboxing and advanced analysis techniques to effectively block malicious emails, including phishing emails that can serve as entry points for ransomware.
- Trend Micro Apex One™ offers next-level automated threat detection and response against advanced concerns such as fileless threats and ransomware, ensuring the protection of endpoints.
Indicators of Compromise (IOCs)
Like it? Add this infographic to your site:
1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).
Image will appear the same size as you see above.