| Mallox | |
| --- | --- |
| Type of Malware | Ransomware |
| Country of Origin | Unknown |
| Date of initial activity | 2021 |
| Associated Groups | TargetCompany |
| Motivation | Financial Gain |
| Attack Vectors | The group targets unsecured MS-SQL servers to infiltrate a network. |
| Tools | ChaCha20, AES-128, Curve25519 |
| Targeted System | Windows |
Overview
Mallox is a ransomware strain that targets Microsoft (MS) Windows systems. Active since June 2021, it is notable for exploiting unsecured MS-SQL servers as a penetration vector to compromise victims’ networks.
Increase in Activity
In 2023, Unit 42 researchers observed a significant uptick in Mallox ransomware activity, an increase of almost 174% compared to the previous year. The attackers continued to exploit MS-SQL servers to distribute the ransomware. Unit 42 incident responders noted that the Mallox operators rely on brute forcing, data exfiltration, and tools such as network scanners.
Encryption Techniques
This ransomware employs a combination of different cryptographic algorithms, including ChaCha20, AES-128, and Curve25519. However, a decryptor for Mallox was released on February 7, 2022, by AVAST.
Targets
Victims worldwide, across multiple industries, including manufacturing, professional and legal services, and wholesale and retail.
How they operate
Initial Access
Since its emergence in 2021, the Mallox group has consistently targeted unsecured MS-SQL servers to infiltrate networks. These attacks begin with a dictionary brute force attack, trying a list of known or commonly used passwords against the MS-SQL servers.
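The dictionary brute force described above is visible on the database server itself: every failed login is written to the SQL Server ERRORLOG as event 18456 with the client address. The following Python script is an added defender-side example, not code from the page or from the reports it draws on. It parses those failed-login lines and flags any client address that accumulates a threshold of failures inside a sliding window, which is the signature of a password list being tried against one account. The log lines, addresses, threshold and window are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Failed-login line as SQL Server writes it to ERRORLOG for event 18456:
# "<timestamp> Logon  Login failed for user '<name>'. Reason: ... [CLIENT: <ip>]".
# The Reason text varies by State, so only the user and client are captured.
FAILED_LOGIN = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'\..*\[CLIENT: (?P<client>[^\]]+)\]"
)

# Constructed ERRORLOG excerpt: six failures against 'sa' from one address in
# ten seconds (dictionary attack), one unrelated typo from a service account,
# and one late retry from the attacker that falls outside the window.
SAMPLE_ERRORLOG = """\
2024-01-15 10:23:01.23 Logon       Error: 18456, Severity: 14, State: 8.
2024-01-15 10:23:01.23 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-01-15 10:23:03.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-01-15 10:23:05.41 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-01-15 10:23:07.02 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-01-15 10:23:09.88 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-01-15 10:23:11.57 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-01-15 10:40:12.00 Logon       Login failed for user 'reporting_svc'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.7]
2024-01-15 11:05:30.00 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
"""


def parse_failed_logins(lines):
    """Yield (timestamp, user, client_ip) for every failed-login line; other lines are skipped."""
    for line in lines:
        m = FAILED_LOGIN.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["user"], m["client"]


def detect_bruteforce(lines, threshold=5, window_seconds=60):
    """Return {client_ip: alert} for clients with >= threshold failures in any sliding window.

    alert holds the first timestamp of the triggering window, the peak number
    of failures seen inside one window, and the user names attempted.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # client -> timestamps still inside the window
    users = defaultdict(set)      # client -> user names tried
    alerts = {}
    for ts, user, client in parse_failed_logins(lines):
        q = recent[client]
        q.append(ts)
        users[client].add(user)
        while ts - q[0] > window:  # drop events older than the window
            q.popleft()
        if len(q) >= threshold:
            alert = alerts.setdefault(client, {"first_seen": q[0], "peak_in_window": 0, "users": []})
            alert["peak_in_window"] = max(alert["peak_in_window"], len(q))
            alert["users"] = sorted(users[client])
    return alerts


if __name__ == "__main__":
    for client, alert in detect_bruteforce(SAMPLE_ERRORLOG.splitlines()).items():
        print(f"{client}: {alert['peak_in_window']} failures from {alert['first_seen']} against {alert['users']}")
```

The threshold is deliberately per source address rather than per account: a dictionary attack against `sa` and a spray across many logins both show up as one client failing repeatedly, while a single mistyped service-account password does not. Running the same logic over a real ERRORLOG only requires reading the file in place of the constructed string.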
Attack Execution
After gaining access, the attackers use the command line and PowerShell to download the Mallox ransomware payload from a remote server. The command line performs the following actions:
Download Ransomware Payload:
- Downloads the ransomware payload from hxxp://80.66.75[.]36/aRX.exe, saving it as tzt.exe.
- Runs a PowerShell script named updt.ps1.
Payload Actions:
- Downloads another file named system.bat, saving it as tzt.bat.
- The tzt.bat file creates a user named SystemHelp and enables Remote Desktop Protocol (RDP).
- Executes the ransomware payload tzt.exe using Windows Management Instrumentation (WMI).
Ransomware Execution
Before encryption takes place, the ransomware payload attempts multiple actions to ensure successful execution:
- Stop and Remove SQL-related Services: Uses sc.exe and net.exe to stop and remove SQL-related services, enabling access to and encryption of the victim’s file data.
- Delete Volume Shadow Copies: Makes it harder to restore files once they are encrypted.
- Clear Event Logs: Uses Microsoft’s wevtutil command line utility to clear the application, security, setup, and system event logs, thwarting detection and forensic analysis efforts.
- Modify File Permissions: Uses the Windows built-in takeown.exe command to modify file permissions, denying access to cmd.exe and other key system processes.
- Disable System Image Recovery: Uses bcdedit.exe to prevent the system administrator from manually loading the System Image Recovery feature.
- Terminate Security-related Processes: Uses taskkill.exe to terminate security-related processes and services, evading security solutions.
- Bypass Anti-ransomware Products: Attempts to bypass the Raccine anti-ransomware product, if present, by deleting its registry key.
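Every step in the two lists above is a child process with a distinctive command line, so process-creation telemetry (Sysmon event 1 or Windows security event 4688) is enough to see the chain. The following Python detection logic is an added example, not code from the page or from the reports it draws on. It matches each command line against one rule per described behaviour (stopping SQL services, deleting shadow copies, clearing logs with wevtutil, takeown on cmd.exe, the bcdedit recovery change, taskkill, the Raccine registry deletion, the SystemHelp account, RDP enablement and WMI process creation) and alerts when one host shows several of them together, since any single match is routine administrator noise. The argument forms in the rules, the host names and the sample events are constructed assumptions; the profile names the tools but not their exact arguments.

```python
import re
from collections import defaultdict

# One rule per pre-encryption behaviour described in the profile. The argument
# forms (vssadmin delete shadows, recoveryenabled No, fDenyTSConnections, the
# Raccine registry path) are assumptions about how the steps are usually typed.
RULES = {
    "stop_sql_services":     r"\b(sc|net)(\.exe)?\s+(stop|delete)\s+\S*sql",
    "delete_shadow_copies":  r"\bvssadmin(\.exe)?\s+delete\s+shadows|\bwmic(\.exe)?\s+shadowcopy\s+delete",
    "clear_event_logs":      r"\bwevtutil(\.exe)?\s+(cl|clear-log)\s+(application|security|setup|system)\b",
    "takeown_system_binary": r"\btakeown(\.exe)?\s+.*\\(cmd|powershell)\.exe",
    "disable_recovery":      r"\bbcdedit(\.exe)?\s+.*recoveryenabled\s+no\b",
    "kill_processes":        r"\btaskkill(\.exe)?\s+.*/im\s+\S+",
    "disable_raccine":       r"\breg(\.exe)?\s+delete\s+.*(raccine|image file execution options)",
    "add_local_account":     r"\bnet1?(\.exe)?\s+user\s+\S+\s+\S+\s+/add\b",
    "enable_rdp":            r"fdenytsconnections\b.*\s/d\s+0\b",
    "wmi_process_create":    r"\bwmic(\.exe)?\s+process\s+call\s+create\b",
}
COMPILED = {label: re.compile(pattern, re.IGNORECASE) for label, pattern in RULES.items()}

# Constructed process-creation events: routine admin work on fs01 (a query,
# a log read, one taskkill) and the full pre-encryption chain on sql02.
SAMPLE_EVENTS = [
    {"host": "fs01", "cmd": r"sc query MSSQLSERVER"},
    {"host": "fs01", "cmd": r"wevtutil qe Application /c:5 /rd:true /f:text"},
    {"host": "fs01", "cmd": r"taskkill /F /IM notepad.exe"},
    {"host": "sql02", "cmd": r"net user SystemHelp Constructed-Pw-1 /add"},
    {"host": "sql02", "cmd": r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f'},
    {"host": "sql02", "cmd": r"sc stop MSSQLSERVER"},
    {"host": "sql02", "cmd": r"vssadmin delete shadows /all /quiet"},
    {"host": "sql02", "cmd": r"wevtutil cl security"},
    {"host": "sql02", "cmd": r"takeown /F C:\Windows\System32\cmd.exe"},
    {"host": "sql02", "cmd": r"bcdedit /set {default} recoveryenabled No"},
    {"host": "sql02", "cmd": r"taskkill /F /IM constructed-edr-agent.exe"},
    {"host": "sql02", "cmd": r'reg delete "HKLM\SOFTWARE\Raccine" /f'},
    {"host": "sql02", "cmd": r'wmic process call create "C:\Users\Public\tzt.exe"'},
]


def match_rules(command_line):
    """Return the sorted behaviour labels whose regex matches this command line."""
    return sorted(label for label, rx in COMPILED.items() if rx.search(command_line))


def score_hosts(events):
    """Collect the distinct behaviours observed per host across all events."""
    seen = defaultdict(set)
    for ev in events:
        seen[ev["host"]].update(match_rules(ev["cmd"]))
    return {host: sorted(labels) for host, labels in seen.items()}


def find_alerts(events, min_behaviours=3):
    """Hosts showing at least min_behaviours distinct pre-encryption behaviours.

    One taskkill or one 'sc stop' is everyday administration; the combination
    of several of these steps on a single host is what characterises the chain.
    """
    return {host: labels for host, labels in score_hosts(events).items()
            if len(labels) >= min_behaviours}


if __name__ == "__main__":
    for host, labels in find_alerts(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: {len(labels)} behaviours: {', '.join(labels)}")
```

The correlation threshold is the important design choice: with `min_behaviours=1` the taskkill on `fs01` would page someone, while at 3 only the host running the chain does. In a real deployment the events would come from the SIEM's process-creation feed, with the same per-host aggregation applied over a time window.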
Ransom Note
Mallox leaves a ransom note in every directory on the victim’s drive. This ransom note explains the infection and provides contact information for the attackers.
MITRE tactics and techniques
Initial Access:
- Exploit Public-Facing Application (T1190)
- External Remote Services (T1133)
Execution:
- Command and Scripting Interpreter (T1059)
- PowerShell (T1086)
Persistence:
- Service Execution (T1569)
- Scheduled Task (T1053)
Privilege Escalation:
- Exploitation for Privilege Escalation (T1068)
Defense Evasion:
- Obfuscated Files or Information (T1027)
- Deobfuscate/Decode Files or Information (T1140)
- Masquerading (T1036)
- Process Injection (T1055)
- Timestomp (T1070.003)
Credential Access:
- Credential Dumping (T1003)
- Brute Force (T1110)
Discovery:
- System Information Discovery (T1082)
- Query Registry (T1012)
- File and Directory Discovery (T1083)
Lateral Movement:
- Remote Services (T1021)
- SMB/Windows Admin Shares (T1021.002)
Collection:
- Data from Local System (T1005)
Exfiltration:
- Data Encrypted for Impact (T1486)
Impact:
- Data Encrypted for Impact (T1486)
References:
- Analysis of TargetCompany’s Attacks Against MS-SQL Servers (Mallox, BlueSky Ransomware)
- Threat Group Assessment: Mallox Ransomware