# FARGO Ransomware (Mallox) Being Distributed to Unsecured MS-SQL Servers

**asec.ahnlab.com/en/39152/**

September 23, 2022

The ASEC analysis team is constantly monitoring malware distributed to unsecured MS-SQL
servers. The analysis team has recently discovered the distribution of FARGO ransomware
that is targeting unsecured MS-SQL servers. Along with GlobeImposter, FARGO is one of
the prominent ransomware that targets unsecured MS-SQL servers. In the past, it was also
called the Mallox because it used the file extension .mallox.

**– [ASEC Blog]** **[Cobalt Strike Being Distributed to Unsecured MS-SQL Servers](https://asec.ahnlab.com/en/31811/)**

**– [ASEC Blog]** **[Cobalt Strike Being Distributed to Unsecured MS-SQL Servers (2)](https://asec.ahnlab.com/en/32062/)**

**– [ASEC Blog]** **[Coin Miner Being Distributed to Unsecured MS-SQL Servers](https://asec.ahnlab.com/en/32143/)**

**[– [ASEC Blog] AsyncRAT Malware Being Distributed to Unsecured MS-SQL Servers](https://asec.ahnlab.com/en/36315/)**


-----

**Figure 1. Process tree**
As shown in the process tree in Figure 1, the file downloaded by the MS-SQL process
through cmd.exe and powershell.exe is a file built on .Net (see Figure 2), downloads and
loads additional malware from a particular address. The loaded malware generates and
executes a BAT file which shuts down certain processes and services, in the %temp%
directory.

**Figure 2. Download of additional files**

**Figure 3. Creation and execution of BAT file**

**Figure 4. Details of BAT file**
The ransomware’s behavior begins by being injected into AppLaunch.exe, a normal
Windows program. It attempts to delete a registry key on a certain path (see Figure 5), and
executes the recovery deactivation command, and closes certain processes (see Figure 6).


-----

As shown in the figures below, the closed processes are SQL programs.

Figure 5. Registry deletion

Figure 6. Deactivation of recovery and closing of processes
When the ransomware encrypts files, files with file extensions shown in Table 1 are excluded
from infection. The characteristic aspect is that it does not infect files with a file extension
associated with Globeimposter and this exclusion list does not only include the same type of
extensions of .FARGO .FARGO2 and .FARGO3 but also includes .FARGO4, which is
thought to be a future version of the ransomware.

**Table 1. Extensions excluded from infection**


-----

**Table 2. Files excluded from**

**infection**

**Table 3. Paths excluded from infection**
Figure 7 shows a screen capture of the ransom note and the infected file on the top right in
the same screen. As shown in the figure, the encrypted file gets a file name of
OriginalFileName.FileExtension.Fargo3 and the ransom note is generated with the filename
‘RECOVERY FILES.txt’.

**Figure 7. Ransom note and infected file**
Typical attacks that target database servers (MS-SQL, MySQL servers) include brute force
attacks and dictionary attacks on systems where account credentials are poorly being
managed. And there may be vulnerability attacks on systems that do not have a vulnerability
patch applied.

Administrators of MS-SQL servers should use passwords that are difficult to guess for their
accounts and change them periodically to protect the database server from brute force
attacks and dictionary attacks, and update to the latest patch to prevent any potential
vulnerability attacks.

AhnLab’s anti-malware software, V3, detects and blocks the malware using the following
aliases:

**[File Detection]**

– Ransomware/Win.Ransom.C5153317(2022.06.02.01)

– Dropper/Win.DotNet.C5237010(2022.09.14.03)


-----

– Downloader/Win.Agent.R519342(2022.09.15.03)
– Trojan/BAT.Disabler (2022.09.16.00)

**Behavior Detection]**

– Malware/MDP.Download.M1197

**[IOC]**

**MD5**

– b4fde4fb829dd69940a0368f44fca285

– c54daefe372efa4ee4b205502141d360

– 4d54af1bbf7357964db5d5be67523a7c

–41bcad545aaf08d4617c7241fe36267c

**Download**

– hxxp://49.235.255[.]219:8080/Pruloh_Matsifkq.png

**Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to**
**check related IOC and detailed analysis information.**

[Categories:Malware Information](https://asec.ahnlab.com/en/category/malware-information-en/)

[Tagged as:FARGO,](https://asec.ahnlab.com/tag/fargo/) [Mallox,](https://asec.ahnlab.com/tag/mallox/) [malware,](https://asec.ahnlab.com/en/tag/malware-en/) [MS-SQL,](https://asec.ahnlab.com/tag/ms-sql/) [Ransomware](https://asec.ahnlab.com/en/tag/ransomware-en/)


-----