
Mallox (TargetCompany) – Malware

July 22, 2024

Mallox

Type of Malware

Ransomware

Country of Origin

Unknown

Date of initial activity

2021

Associated Groups

TargetCompany

Motivation

Financial Gain

Attack Vectors

The group targets unsecured, internet-exposed MS-SQL servers, brute-forcing weak passwords to gain a foothold in the victim's network.

Tools

ChaCha20, AES-128 and Curve25519 (the cryptographic primitives used for encryption); password brute-forcing and network scanners for intrusion

Targeted System

Windows

Overview

Mallox is a ransomware strain that targets Microsoft (MS) Windows systems. Active since June 2021, it is notable for exploiting unsecured MS-SQL servers as a penetration vector to compromise victims’ networks.
Increase in Activity
In 2023, Unit 42 researchers observed a significant uptick in Mallox ransomware activity, an increase of almost 174% compared to the previous year. The attackers continued to exploit MS-SQL servers to distribute the ransomware. Unit 42 incident responders noted that the Mallox operators rely on password brute forcing, data exfiltration, and tools such as network scanners.
Encryption Techniques
The ransomware employs a combination of cryptographic algorithms: ChaCha20 and AES-128 for symmetric encryption and Curve25519 for key exchange. A decryptor for Mallox was released by Avast on February 7, 2022. As with any ransomware decryptor, it only works against the variants and key-handling weaknesses it was written for, so it should not be assumed to cover later samples.

Targets

Worldwide victims, across multiple industries, including manufacturing, professional and legal services, and wholesale and retail.

How they operate

Initial Access
Since its emergence in 2021, the Mallox group has consistently targeted unsecured MS-SQL servers to infiltrate networks. These attacks begin with a dictionary brute-force attack, trying a list of known or commonly used passwords against the MS-SQL servers.
Attack Execution
After gaining access, the attackers use the command line and PowerShell to download the Mallox ransomware payload from a remote server. The command line performs the following actions:
  • Download ransomware payload: downloads the payload from hxxp://80.66.75[.]36/aRX.exe and saves it as tzt.exe.
  • Runs a PowerShell script named updt.ps1.
Payload actions:
  • Downloads another file named system.bat and saves it as tzt.bat.
  • tzt.bat creates a local user named SystemHelp and enables Remote Desktop Protocol (RDP), giving the attackers an interactive foothold that does not depend on the MS-SQL service.
  • Executes the ransomware payload tzt.exe using Windows Management Instrumentation (WMI).
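The dictionary brute force described above shows up in the SQL Server ERRORLOG (and in the Application event log) as a burst of event 18456 login failures from a single client address, often followed by a success from the same address once a password matches. The following Python script is an added example written for this page, not code from the Mallox operators or from the referenced reports. It parses constructed ERRORLOG lines and flags clients that cross a failure threshold, distinguishing a brute force that failed from one that ended in a successful login. The sample log, the addresses 203.0.113.5 and 10.0.0.12, and the threshold of five failures within five minutes are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in SQL Server ERRORLOG format (not a real capture).
# Each failed login is written as an "Error: 18456" line followed by a
# "Login failed for user ..." line carrying the source address in [CLIENT: ...].
SAMPLE_ERRORLOG = """\
2024-07-22 03:14:01.10 Logon       Error: 18456, Severity: 14, State: 8.
2024-07-22 03:14:01.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-07-22 03:14:01.42 Logon       Error: 18456, Severity: 14, State: 8.
2024-07-22 03:14:01.42 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-07-22 03:14:02.05 Logon       Error: 18456, Severity: 14, State: 8.
2024-07-22 03:14:02.05 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-07-22 03:14:02.77 Logon       Error: 18456, Severity: 14, State: 8.
2024-07-22 03:14:02.77 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-07-22 03:14:03.31 Logon       Error: 18456, Severity: 14, State: 8.
2024-07-22 03:14:03.31 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-07-22 03:14:05.90 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.5]
2024-07-22 03:20:00.00 Logon       Error: 18456, Severity: 14, State: 8.
2024-07-22 03:20:00.00 Logon       Login failed for user 'appuser'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.12]
"""

LOGON_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2}) Logon\s+"
    r"Login (?P<outcome>failed|succeeded) for user '(?P<user>[^']*)'.*"
    r"\[CLIENT: (?P<client>[^\]]+)\]\s*$"
)


def parse_logon_events(errorlog_text):
    """Extract timestamp, outcome, user and client address from ERRORLOG lines.
    The 'Error: 18456 ...' companion lines carry no client and are skipped."""
    events = []
    for line in errorlog_text.splitlines():
        m = LOGON_RE.match(line)
        if m:
            events.append({
                "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"),
                "outcome": m["outcome"],
                "user": m["user"],
                "client": m["client"],
            })
    return events


def detect_brute_force(events, threshold=5, window=timedelta(minutes=5)):
    """Per client address, flag `threshold` or more failures inside `window`
    (a sliding window over the sorted failure timestamps). A later success from
    the same client upgrades the verdict: that is the sign the dictionary attack
    found a working password and the host should be treated as compromised."""
    by_client = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_client[ev["client"]].append(ev)

    findings = {}
    for client, evs in by_client.items():
        failures = [ev for ev in evs if ev["outcome"] == "failed"]
        flagged_at = None
        for i in range(len(failures) - threshold + 1):
            first, last = failures[i]["ts"], failures[i + threshold - 1]["ts"]
            if last - first <= window:
                flagged_at = last
                break
        if flagged_at is None:
            continue  # assumed threshold not reached: normal typo-level noise
        success_after = any(
            ev["outcome"] == "succeeded" and ev["ts"] >= flagged_at for ev in evs
        )
        findings[client] = {
            "verdict": "brute_force_then_success" if success_after else "brute_force",
            "failures": len(failures),
            "users": sorted({ev["user"] for ev in failures}),
        }
    return findings


if __name__ == "__main__":
    for client, finding in detect_brute_force(parse_logon_events(SAMPLE_ERRORLOG)).items():
        print(client, finding)
```

Successful logins only appear in the ERRORLOG when the instance's login auditing is set to record both failed and successful logins; with the default (failed only) the script still flags the burst but cannot tell whether the attacker got in, so enabling success auditing on internet-reachable instances is worth the extra log volume.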
Ransomware Execution
Before encryption takes place, the ransomware payload performs several actions to make sure it can run and to hinder recovery:
  • Stop and remove SQL-related services: uses sc.exe and net.exe to stop and remove SQL-related services so that database files are no longer locked and can be encrypted.
  • Delete volume shadow copies: removes the Volume Shadow Copy snapshots that would otherwise allow files to be restored after encryption.
  • Clear event logs: uses Microsoft's wevtutil command-line utility to clear the Application, Security, Setup and System event logs, thwarting detection and forensic analysis.
  • Modify file permissions: uses the Windows built-in takeown.exe to take ownership of files so that their permissions can be changed, denying access to cmd.exe and other key system processes.
  • Disable System Image Recovery: uses bcdedit.exe to prevent the administrator from manually loading the System Image Recovery feature.
  • Terminate security-related processes: uses taskkill.exe to terminate security-related processes and services, evading security solutions.
  • Bypass anti-ransomware products: attempts to bypass the Raccine anti-ransomware product, if present, by deleting its registry key.
Because all of these steps run before any file is touched, they are the last opportunity for a detection to fire ahead of encryption.
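The account creation, RDP enablement and WMI launch from the execution stage, and the pre-encryption commands listed above (service stop and removal, shadow copy deletion, event log clearing, bcdedit, taskkill, Raccine key removal), all run as child processes with distinctive command lines, so process-creation telemetry (Sysmon Event ID 1, or Windows Security event 4688 with command-line auditing enabled) is the natural place to catch them before encryption starts. The Python below is an added example written for this page, not code from the Mallox payload or from the referenced reports: it runs a small rule set over constructed Sysmon-style events and scores the host. The command lines in the sample (the SystemHelp password, the fDenyTSConnections registry value, the bcdedit recoveryenabled switch, the Raccine key path, the MSSQLSERVER service name, the killed process name) are illustrative reconstructions of the behaviour the page describes, not commands quoted from the malware, and the threshold of three distinct rules is an assumption.

```python
import json
import re

# Constructed Sysmon-style process-creation events (Event ID 1 fields). Not real
# telemetry and not command lines quoted from the Mallox payload: the attacker
# commands are illustrative reconstructions of the behaviour described on the page.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\net.exe",
     "CommandLine": "net user SystemHelp Passw0rd! /add"},
    {"Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f'},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": r"wmic process call create C:\Users\Public\tzt.exe"},
    {"Image": r"C:\Windows\System32\sc.exe", "CommandLine": "sc stop MSSQLSERVER"},
    {"Image": r"C:\Windows\System32\sc.exe", "CommandLine": "sc delete MSSQLSERVER"},
    {"Image": r"C:\Windows\System32\vssadmin.exe", "CommandLine": "vssadmin delete shadows /all /quiet"},
    {"Image": r"C:\Windows\System32\wevtutil.exe", "CommandLine": "wevtutil cl Security"},
    {"Image": r"C:\Windows\System32\bcdedit.exe", "CommandLine": "bcdedit /set {default} recoveryenabled no"},
    {"Image": r"C:\Windows\System32\taskkill.exe", "CommandLine": "taskkill /f /im MsMpEng.exe"},
    {"Image": r"C:\Windows\System32\reg.exe", "CommandLine": r"reg delete HKLM\SOFTWARE\Raccine /f"},
    # Benign administrative noise that must not fire.
    {"Image": r"C:\Windows\System32\sc.exe", "CommandLine": "sc query MSSQLSERVER"},
    {"Image": r"C:\Windows\System32\net.exe", "CommandLine": "net user"},
]

# (rule name, ATT&CK technique, pattern applied to the lower-cased command line)
RULES = [
    ("local account created", "T1136.001",
     re.compile(r"\bnet1?(\.exe)?\s+user\s+\S+(\s+\S+)?\s+/add\b")),
    ("RDP enabled via registry", "T1021.001",
     re.compile(r"\bfdenytsconnections\b.*\s/d\s+0\b")),
    ("process launched through WMI", "T1047",
     re.compile(r"\bwmic(\.exe)?\s+process\s+call\s+create\b")),
    ("SQL service stopped or removed", "T1489",
     re.compile(r"\b(sc|net)(\.exe)?\s+(stop|delete)\s+\S*(mssql|sqlserver|sqlwriter)\S*")),
    ("volume shadow copies deleted", "T1490",
     re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b")),
    ("event log cleared", "T1070.001",
     re.compile(r"\bwevtutil(\.exe)?\s+cl\s+\S+")),
    ("recovery environment disabled", "T1490",
     re.compile(r"\bbcdedit(\.exe)?\s.*\brecoveryenabled\s+no\b")),
    ("process killed by image name", "T1562.001",
     re.compile(r"\btaskkill(\.exe)?\s+.*?/im\s+\S+")),
    ("Raccine registry key removed", "T1562.001",
     re.compile(r"\breg(\.exe)?\s+delete\s.*raccine")),
]


def match_event(event):
    """Return (rule, technique) pairs whose pattern hits this event's command line."""
    cmd = event.get("CommandLine", "").lower()
    return [(name, technique) for name, technique, rx in RULES if rx.search(cmd)]


def assess(events, min_distinct=3):
    """Score a host's process-creation events. One hit alone (an admin deleting old
    shadow copies, say) is only 'suspicious'; several distinct pre-encryption
    behaviours together are the ransomware staging pattern the page describes.
    The min_distinct threshold is an assumed tuning value."""
    matches = []
    for ev in events:
        for name, technique in match_event(ev):
            matches.append({"rule": name, "technique": technique,
                            "command": ev["CommandLine"]})
    distinct = {m["rule"] for m in matches}
    if len(distinct) >= min_distinct:
        verdict = "ransomware_staging"
    elif distinct:
        verdict = "suspicious"
    else:
        verdict = "none"
    return {"matches": matches, "distinct_rules": len(distinct), "verdict": verdict}


if __name__ == "__main__":
    print(json.dumps(assess(SAMPLE_EVENTS), indent=2))
```

The rules match on command line only, which is deliberate: the binaries involved are all legitimate Windows tools, so image hashes and paths carry no signal. In production the same patterns would be paired with a time window per host and with the parent process (sqlservr.exe or a cmd.exe spawned from it is itself a strong indicator here).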
Ransom Note
Mallox leaves a ransom note in every directory on the victim’s drive. This ransom note explains the infection and provides contact information for the attackers.

MITRE tactics and techniques

Initial Access:
  • Exploit Public-Facing Application (T1190)
  • External Remote Services (T1133)
Execution:
  • Command and Scripting Interpreter (T1059)
  • PowerShell (T1059.001)
  • Windows Management Instrumentation (T1047)
Persistence:
  • Create Account: Local Account (T1136.001)
  • System Services: Service Execution (T1569.002)
  • Scheduled Task/Job (T1053)
Privilege Escalation:
  • Exploitation for Privilege Escalation (T1068)
Defense Evasion:
  • Obfuscated Files or Information (T1027)
  • Deobfuscate/Decode Files or Information (T1140)
  • Masquerading (T1036)
  • Process Injection (T1055)
  • Indicator Removal: Clear Windows Event Logs (T1070.001)
  • Indicator Removal: Timestomp (T1070.006)
  • Impair Defenses: Disable or Modify Tools (T1562.001)
Credential Access:
  • OS Credential Dumping (T1003)
  • Brute Force (T1110)
Discovery:
  • System Information Discovery (T1082)
  • Query Registry (T1012)
  • File and Directory Discovery (T1083)
Lateral Movement:
  • Remote Services (T1021)
  • Remote Desktop Protocol (T1021.001)
  • SMB/Windows Admin Shares (T1021.002)
Collection:
  • Data from Local System (T1005)
Impact:
  • Data Encrypted for Impact (T1486)
  • Service Stop (T1489)
  • Inhibit System Recovery (T1490)
References:
  • Threat Group Assessment: Mallox Ransomware (Palo Alto Networks Unit 42)
  • Analysis of TargetCompany's Attacks Against MS-SQL Servers (Mallox, BlueSky Ransomware)
Tags: Avast, Mallox, Malware, Microsoft, MS SQL, PowerShell, Ransomware, TargetCompany, Windows, Worldwide