The Mallox ransomware group, active in targeting Indian companies since 2022, has updated its PowerShell script to circumvent Anti-Malware Scan Interface (AMSI) detection components used by antivirus (AV) software. This modification aims to evade detection during the attack chain, especially after gaining initial access through SQL or RDP.
The updated script attempts to bypass AV’s AMSI detection by patching the Windows Defender registered dll for AMSI, allowing the execution of malicious PowerShell scripts without triggering AV alerts. Outlined in the script, after importing Kernel32.dll and Amsi.dll, a shellcode is stored to overwrite the AMSI function in the registered DLL, MpOav.dll (Windows Defender’s AMSI).
By altering the permissions of MpOav.dll’s .txt section to PAGE_EXECUTE_READWRITE, the script replaces the AMSI function’s original content with shellcode, ensuring that subsequent PowerShell sessions deemed clean without AV scans. Following this modification, the script proceeds to its primary function of downloading the .NET downloader, evading AV detection. The Mallox group’s utilization of bypassing techniques highlights their adaptability when encountering AV detections.
To stay ahead of such threats, users are advised to keep abreast of evolving bypassing techniques employed by threat actors. Employing reputable security products like K7 Total Security, which actively detects and mitigates such techniques, is essential to safeguard devices in the current threat landscape. The K7 Labs team continually updates its product to combat the latest threats, emphasizing the importance of staying vigilant and using reliable security measures.
- Mallox Ransomware Adapts with AMSI Bypass for Covert Attacks