Ransomware Spotlight: TargetCompany
We detail everything you need to know about TargetCompany, a ransomware family with different monickers, including the evolution of its attack flow as it cemented its place in the threat landscape.
View infographic of "Ransomware Spotlight: TargetCompany"
The TargetCompany ransomware was first detected in June 2021, when it was named by industry analysts after the pattern it adopted of appending its encrypted files with the name of the company it was targeting.
In an interview in January 2023, threat actors behind TargetCompany clarified that each major update of the ransomware entailed a change in the encryption algorithm and different decryptor characteristics. These are accompanied by a change in file name extensions, hence the evolution of names by which the ransomware group is known. We will discuss this evolution further in our blog entry.
TargetCompany’s earlier variants provided a “.onion” contact site for negotiations and dropped ransom notes named How to decrypt files.txt. Meanwhile, later variants of the TargetCompany ransomware no longer use the name of the targeted enterprise as file name extensions. In mid- to late 2022, the group was given the name Fargo due to the extension that it added to its encrypted files in that period. Other extensions used by the ransomware group include “.mallox,” and “.xollam.” These later variants were observed using a combination of Chacha20, Curve 25519, and AES-128 algorithms to encrypt the victim’s files.
The ransomware group eventually established a data leak site under the name Mallox, and later variants dropped ransom notes as HOW TO RECOVER!!.txt.
For the purposes of this feature and to avoid confusion, we will refer to this piece of ransomware and the group behind it as TargetCompany.
What organizations need to know about TargetCompany
The TargetCompany ransomware mostly launches attacks on vulnerable database servers. It implements reflective loading, where it connects to an IP address to download its payload. It is important to note that the contents of this IP address have been observed to only be available for approximately 24 hours, making it a challenge for threat analysts to replicate the infection for dynamic analysis.
In October 2022, our researchers caught a unique TargetCompany infection case from our internal telemetry data. This case relied on a different approach from previous infection chains and used different sets of defense evasion and reconnaissance tools, as well as remote access for execution.
We found that the aforementioned new approach entailed dropping the payload by first executing %mytemp%\K5ZPT7WD.exe, a malicious loader that employs reflective loading. The command connects to hxxp://80[.]66[.]75[.]25/pl-Thjct_Rfxmtgam[.]bmp to drop its Remcos backdoor payload.
The Remcos backdoor payload is then executed via WmiPrvSE.exe, and the payload most likely arrives by exploiting public-facing websites and domains.
More recently, TargetCompany joined the current trend in phishing that involves using malicious OneNote files as an initial access technique to gain access to victim systems.
The TargetCompany ransomware gang comprises individuals who previously worked for other ransomware groups. In the same January 2023 interview, these members said they parted ways with their previous groups due to restrictions and inflexibility, which hindered their ability to make significant profits. According to the threat actors, TargetCompany remains a small, closed group; however, a new member of the cybercrime forum RAMP, under the name Mallx, was observed recruiting affiliates for the Mallox ransomware-as-a-service (RaaS) affiliate program.
It is also possible that TargetCompany has connections with other groups. While monitoring another group’s activities, we observed an attack that shares TargetCompany’s behavior of downloading a PowerShell script from a command-and-control (C&C) remote server. In turn, this server is related to another piece of malware, the BlueSky ransomware.
Further investigation also links TargetCompany to threat actors that perform brute-force attacks on Microsoft SQL (MS SQL) Servers. Based on our research, these threat actors share several similarities with the group behind TargetCompany: Both have highly skilled Russian-speaking members who use advanced tactics to infiltrate MS SQL Servers, and both deploy Cobalt Strike and AnyDesk remote control through regasm.exe. Third, Anydesk.msi has also been observed as one of the contents of the open directory of TargetCompany’s C&C server. Notably, the linked threat actors also used this open directory.
A group known as the BruteSQL ransomware has been identified as the culprit behind these brute-force attacks on MS SQL Servers. BruteSQL is known for deploying various types of ransomware in the past, such as the GlobeImposter ransomware in 2021, the LeakTheMall ransomware in 2022, and the BlueSky ransomware in July of the same year.
We also found that one of the excluded file extensions by the TargetCompany ransomware is .Globeimposter-Alpha. Additionally, we observed BlueSky using a similar encryption algorithm as TargetCompany. The brute-force attack group that shared similar tactics to TargetCompany also uses an identical post-exploit command as the latter, the only difference being the C&C server used to download their respective payloads.
It is important to note that the piece of ransomware used by the TargetCompany actors was previously used by various other groups. In fact, the TargetCompany actors only purchased this piece of ransomware later on, after finding its foundations “impeccable.” Afterward, they then modified it to make it suitable for their operations.
Figure 1. Connections found between TargetCompany and the threat actors behind brute-force password auditing on Microsoft SQL Servers
Top affected countries and industries
according to Trend Micro data
In this section, we examine the TargetCompany ransomware’s attempts to compromise organizations since it was first reported in 2021, based on Trend Micro™ Smart Protection Network™ country, regional, and industry data. Note that this data covers only Trend customers and does not contain all victims of TargetCompany.
Our telemetry data detected attempted attacks from the TargetCompany group on Trend customers as early as March 2022. By April 2023, our detections total 269 attempted attacks.
Figure 2. A monthly breakdown of detected TargetCompany attack attempts in terms of infected machines (March 2022 – April 2023)
Source: Trend Micro™ Smart Protection Network™
TargetCompany has been observed to avoid attacking enterprises from Kazakhstan, Russia, Qatar, and Ukraine, although the group claims that its attack behaviors and patterns are not politically motivated.
Our telemetry data showed that many of the top 10 countries targeted by TargetCompany are Asian countries. Of the 269 Trend customers targeted, 250 disclosed their locations.
Figure 3. The top 10 countries from a total of 250 detected attack attempts in terms of infected machines for the TargetCompany ransomware (March 2022 – April 2023)
Source: Trend Micro Smart Protection Network
Data from customers who specified their industries showed that the ransomware group targeted enterprises in the manufacturing, retail, and telecommunications industries.
Figure 4. The top 10 Trend customer organizations that experienced the most attack attempts from threat actors behind TargetCompany. Data includes customers who specified their industry. (March 2022 – April 2023)
Source: Trend Micro Smart Protection Network
Targeted regions and industries
according to TargetCompany ransomware’s leak site
This section looks at data based on attacks recorded on the leak site of the operators behind the TargetCompany ransomware. Based on a combination of Trend's open-source intelligence (OSINT) research and investigations of the leak site, TargetCompany revealed 20 successfully infiltrated victims who refused to pay the ransom demand as of this writing. It is important to note that this figure might differ from the actual damage, especially since the leak site was only launched in November 2022, over a year since the ransomware group’s activities were first detected.
Of the total number of revealed victims in the leak site data, TargetCompany set their eyes mostly on enterprises from the Asia-Pacific region, followed by Europe and Middle East.
Figure 5. The distribution by region of Royal ransomware’s victim organizations
Sources: TargetCompany’s leak site and Trend's OSINT research
(November 2022 – May 2023)
Threat actors behind the ransomware group launched attacks on organizations mostly in India, followed by Saudi Arabia, with the gang declaring only one victim from each of the other countries specified.
Figure 6. The countries and number of attacks executed by the TargetCompany ransomware group
Sources: TargetCompany’s leak site and Trend’s OSINT research
(November 2022 – May 2023)
Majority of TargetCompany’s victim organizations were small businesses. However, a number of victims did not have their sizes specified.
Figure 7. The distribution by organization size of TargetCompany's victim organizations
Sources: TargetCompany’s leak site and Trend’s OSINT research
(November 2022 – May 2023)
Finally, among the victims identified in TargetCompany’s leak site, the gang mostly victimized enterprises from the IT, manufacturing, apparel and fashion, and automobile industries.
Figure 8. A breakdown of the industries that suffered TargetCompany ransomware attacks
Sources: TargetCompany’s leak site and Trend’s OSINT research
(November 2022 – May 2023)
Infection chain and techniques
Figure 9. The infection chain of the June 2021 TargetCompany variant
Initial Access
- TargetCompany has been observed to use CVE-2019-1069 and CVE-2020-0618, remote code execution (RCE) vulnerabilities that allow attackers to execute arbitrary code.
- The group possibly also leverages remote execution via the xp_cmdshell feature in Microsoft SQL Server.
- The latest variant of TargetCompany ransomware, Xollam, executed a spam campaign that proved to be successful in delivering malware using OneNote malicious files as an initial access technique to gain access to its victim’s system.
Execution
TargetCompany threat actors execute the following commands that create a PowerShell script. This script downloads a malicious file from the TargetCompany C&C server to execute on the target system via WMIC.
Figure 10. The command TargetCompany executes to create a PowerShell script that downloads its payload from its C&C server
- Payloads of early versions of the ransomware from June 2021 were dependent on the link downloaded by the PowerShell script and could either be TargetComp ransomware, the Remcos backdoor, the Negasteal malware, or the Snake Keylogger malware.
- In January 2022, the group incorporated reflective loading, wherein the PowerShell script downloaded a .NET downloader that retrieved an encrypted payload from the group’s C&C server. The payload is decrypted through XOR or inversion and is executed in memory.
Defense Evasion
- Upon successfully gaining access to the victim’s system, attackers use tools such as GMER and Advance Process Termination to manually uninstall antivirus products on the target system.
- We also observed the presence of YDArk.exe (PCHunter64) for performing rootkit behaviors.
- We also observed TargetCompany dropping KILLAV to terminate security-related processes and services.
- The ransomware also drops a batch file named killer.bat that terminates various services and applications, including GPS-related services.
Discovery
- The TargetCompany ransomware uses network scan to collect network connection information in the system.
- We also observed the use of Mimikatz to gather credential information stored in the affected machine.
Lateral Movement
- TargetCompany threat actors use RCE via remote desktop to move laterally within the network of their victims.
Command and Control
- Throughout its evolution, TargetCompany has been consistent in accessing a C&C server to download and deliver its ransomware payload and other components. In our investigation, we discovered that the Mallox C&C server was an open directory that enabled us to easily access its content and examine it. However, the group eventually switched to using an Nginx web server, which prevents threat researchers from visiting its site.This also makes it more challenging to download the group’s payload and analyze its binaries.
Figure 11. The text displayed on the Nginx web server that the TargetCompany ransomware group switched to from its initial open directory
Impact
- The ransomware then encrypts the victim's files using the ChaCha20 encryption algorithm and generates the encryption keys using a combination of Curve25519, an example of elliptic curve cryptography, and AES-128.
- The ransomware adds the following file extension to its encryptions (“.mallox,” “.exploit,” “.avast,” “.consultransom,” “.devicZz”) and drops HOW TO RECOVER !!.TXT"/"FILE RECOVERY.txt as its ransom note.
Figure 12. A TargetCompany ransom note
MITRE tactics and techniques
| Initial Access | Execution | Persistence | Defense Evasion | Discovery | Credential Access | Command and Control | Lateral Movement | Impact |
|---|---|---|---|---|---|---|---|---|
T1190 - Exploit Public-Facing Application | T1059.001 - Command and Scripting Interpreter: PowerShell T1047 - Windows Management Instrumentation T1059.003 - Command and Scripting Interpreter: Windows Command Shell | T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder T1574.010 - Hijack Execution Flow: Services File Permissions Weakness T1543.003 - Windows Service | T1222.001 - Windows File and Directory Permissions Modification T1036.005 - Masquerading: Match Legitimate Name or Location T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild T1218 - System Binary Proxy Execution T1070.004 - Indicator Removal on Host T1562.001 - Impair Defenses: Disable or Modify Tools T1112 - Modify Registry T1620 - Reflective Code Loading T1070.004 - Indicator Removal: File Deletion | T1567 - Exfiltration Over Web Service T1082 - System Language Discovery T1049 - System Network Connections Discovery | T1003.001 - OS Credential Dumping: LSASS Memory | T1071.001 - Application Layer Protocol: | T1570 - Lateral Tool Transfer | T1489 - Service Stop T1486 - Data Encrypted T1490 - Inhibit System Recovery |
Summary of malware, tools, and exploits used
| Initial Access | Remcos backdoor |
| Discovery | Network scan |
| Collection | MIMIKATZ |
| Execution | Trojan.BAT.TARGETCOMP* |
| Defense Evasion | GMER |
| Advance Process Termination | |
| YDArk |
Recommendations
TargetCompany evolved from a rookie ransomware group to a formidable threat when it implemented reflective loading and might be joining the ranks of groups who adopt the RaaS business model to expand their profits. Our investigation of its tactics, techniques, and procedures (TTPs) reveals indications that the threat actors behind it share connections with other groups. There is enough indication that the TargetCompany ransomware continues to be an active threat in the landscape, which calls for sustained vigilance on the part of enterprises.
To protect systems against the TargetCompany ransomware and other similar threats, organizations can implement security frameworks that allocate resources systematically to establish a strong defense strategy.
Here are some best practices that organizations can adopt to defend themselves against the TargetCompany ransomware:
Audit and inventory
- Take an inventory of assets and data.
- Identify authorized and unauthorized devices and types of software.
- Audit event and incident logs.
Configure and monitor
- Manage hardware and software configurations.
- Grant admin privileges and access only when necessary to an employee’s role.
- Monitor network ports, protocols, and services.
- Activate security configurations on network infrastructure devices such as firewalls and routers.
- Establish a software allowlist that only executes legitimate applications.
Patch and update
- Conduct regular vulnerability assessments.
- Perform patching or virtual patching for operating systems and applications.
- Update software and applications to their latest versions.
Protect and recover
- Implement data protection, backup, and recovery measures.
- Enable multifactor authentication (MFA).
Secure and defend
- Employ sandbox analysis to block malicious emails.
- Deploy the latest versions of security solutions to all layers of the system, including email, endpoint, web, and network.
- Discover early signs of an attack, such as the presence of suspicious tools in the system.
- Use advanced detection technologies such as those powered by AI and machine learning.
Train and test
- Regularly train and assess employees’ security skills.
- Conduct red-team exercises and penetration tests.
A multilayered approach can help organizations guard possible entry points into their system (endpoint, email, web, and network). Security solutions can detect malicious components and suspicious behavior, which can in turn help protect enterprises.
- Trend Vision One™ provides multilayered protection and behavior detection, which helps block questionable behavior and tools early on before ransomware can do irreversible damage to the system.
- Trend Cloud One™ – Workload Security protects systems against both known and unknown threats that exploit vulnerabilities. This protection is made possible through techniques such as virtual patching and machine learning.
- Trend Micro™ Deep Discovery™ Email Inspector employs custom sandboxing and advanced analysis techniques to effectively block malicious emails, including phishing emails that can serve as entry points for ransomware.
- Trend Micro Apex One™ offers next-level automated threat detection and response against advanced concerns such as fileless threats and ransomware, ensuring the protection of endpoints.
Indicators of Compromise (IOCs)
The IOCs for this article can be found here. Actual indicators might vary per attack.
Trend Micro Vision One Hunting Query
Trend Vision One customers can use the following hunting query to check if their network/system is possibly affected by TargetCompany ransomware:
((processCmd:"?:*\\cmd.exe" AND objectFilePath:"*.update.ps1*") AND (objectFilePath:"*.update.ps1 & WMIC processs call create*")) OR ((processCmd:"?:*bat.exe" AND objectFilePath:"*-win -enc*")) OR (fullPath:”(*.XOLLAM OR *.MALLOX OR *.FARGO OR *.MALLAB)”)
Like it? Add this infographic to your site:
1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).
Image will appear the same size as you see above.
Cellular IoT Vulnerabilities: Another Door to Cellular Networks
Today’s Cloud and Container Misconfigurations Are Tomorrow’s Critical Vulnerabilities
The Artificial Future: Trend Micro Security Predictions for 2025
The Realities of Quantum Machine Learning