Oracle DBS Job Scheduler Exploited for Elons Ransomware Deployment

Published Date: September 23, 2025
Category: ShadowOpsIntel
Share:

In September 2025, a targeted ransomware attack attributed to the Elons strain (a latest variant of Proxima / Black Shadow) exploited the Oracle Database Scheduler’s External Jobs functionality to gain initial access, execute malicious payloads, and ultimately encrypt a critical database server. The attack showcases how misconfigured or exposed enterprise applications, especially database components, can be exploited for full-system compromise.

Severity: High

Threat Details

1. Initial Access

    • Vector: Misconfigured or exposed Oracle DBMS Scheduler (via extjobo.exe)
    • Method: The attacker gained a foothold by brute-forcing or leveraging valid credentials to execute jobs via the Oracle job scheduler, allowing arbitrary command execution on the host.

    2. Execution

        • extjobo.exe was used to
          • Create malicious batch files (test3.bat, ngr.bat, tfod.cmd)
          • Execute Base64-encoded PowerShell commands to gather system info and download payloads
        • Reverse shell payloads were retrieved from C2 server 80.94.95[.]227
        • Initial file: tfod.cmd, followed by ngr.bat, used to launch further stages.

        3. Persistence, Lateral Movement & Privilege Escalation

        • Ngrok tunnel established for encrypted RDP access.
        • Local account Admine$ created with administrative privileges.
        • Scheduled task “Windows Update BETA” configured to auto-execute ransomware (win.exe).
        • Process Hacker (renamed PT.exe) used for credential theft and token manipulation. Successful escalation allowed impersonation of an admin account.

        4. Ransomware Deployment

        • Payload: win.exe ransomware binary placed in C:\PerfLogs\
        • Artifacts:
          • Files renamed with .rnd.Elons extension
          • Ransom note Elons_Help.txt
          • Log file generated: mcv.dll containing encryption start and end times
        • Cleanup:
          • ss.exe executed post-encryption to delete traces, tasks, and payloads
          • RDP tunnel process (ngrok.exe) disabled via registry tampering

        Recommendations

        1. Disable Oracle External Jobs (extjobo.exe) unless strictly required. If needed, restrict usage with access controls and auditing.
        2. Harden Oracle SYSDBA/SYSOPER accounts: enforce strong password policies, disable default accounts, and require multi-factor authentication.
        3. Regularly patch Oracle Database services to mitigate privilege escalation and remote execution flaws.
        4. Restrict RDP access: disable where not required, enforce VPN + MFA if necessary.
        5. Monitor and alert on suspicious account creations (e.g., “Admine$”).
        6. Monitor scheduled tasks for anomalies (e.g., “Windows Update BETA”).
        7. Watch for tools like Process Hacker, Ngrok, and Rclone and enforce application allowlisting.
        8. Block the IOCs at their respective controls
          https://www.virustotal.com/gui/collection/30435368ec68898bb77b78ad2b1bd695520d5ffa5631316020379348db565851/iocs

        Source:

        • https://labs.yarix.com/2025/09/elons-proxima-black-shadow-related-ransomware-attack-via-oracle-dbs-external-jobs/

        Enjoyed reading this Threat Intelligence Advisory? Stay updated with our latest exclusive content by following us on Twitter and LinkedIn

        No related posts found.

        Talk to an expert