Cyble – Mallox Ransomware Showing Signs Of Increased Activity

Ransomware potentially targeting organizations dealing in Critical Infrastructure

“TargetCompany” is a type of ransomware that was first identified in June 2021. The researchers named it TargetCompany ransomware because it adds the targeted company name as a file extension to the encrypted files. In September 2022, researchers identified a TargetCompany ransomware variant targeting Microsoft SQL servers and adding the “Fargo” extension to the encrypted files. TargetCompany ransomware is also known to add a “Mallox” extension after encrypting the files.

Cyble Research and Intelligence Labs (CRIL) recently observed a spike in Mallox ransomware samples. The figure below shows the statistics of Mallox Ransomware samples in the wild, indicating that the ransomware is active, spreading rapidly, and infecting users in recent weeks.

These Mallox ransomware samples are downloaded and loaded by an unknown loader. The loader further downloads Mallox ransomware from the remote server and encrypts files in the victim’s machine. Additionally, the ransomware group maintains a leak site with information related to the victims of the ransomware attacks. The figure below shows the leak site of Mallox Ransomware.

Technical Analysis

Loader analysis:

An unknown .NET-based loader downloads Mallox ransomware. Our research indicates that the loader is known to be downloading other malware families such as Agentesla, Remcos, Snake keylogger, etc. This loader usually arrives via spam email with different flavors to lure the users into downloading and executing the email attachment.

The loader acts as a downloader that downloads encrypted malicious content from the remote server, decrypts it in the loader memory, and executes it. The loader executes the malicious content in the memory without saving the actual payload in the disk to evade anti-virus detection. The loader downloads encrypted payloads with a file extension such as png, jpeg, or bmp.

The loader is 32-bit .Net executable file with the file name “Cqasdqtamip.exe” and sha265 as e3a0bbd623db2b865fc3520c8d05e8b92016af2e535f0808460295cb8435836a. Additional details are shown in the figure below.

Upon execution, the loader downloads the encrypted malicious content from the URL hxxp://80[.]66[.]75[.]98/Chseiyk.jpeg.

The figure below shows the hardcoded URL and code to download the file.

After downloading, the loader keeps the encrypted content in the memory to decrypt it. The malicious content is encrypted with the AES encryption algorithm using the key “Cwgoawrnxz”, which is hardcoded in the loader’s binary.

The figure below shows the encrypted payload in the memory and decryption key.

The loader now decrypts the payload to get the actual ransomware binary in the memory and further executes this binary to perform ransomware activities. The below Figure shows the Decrypted ransomware DLL file in the memory.

Mallox Ransomware Payload Analysis:

The downloaded and decrypted file is a 32-bit .NET-based DLL with the name “Wwxjdcapjnmuq.dll” and sha256 as b64606198c158f79287b215343d286adf959e89acb054f8f3db706f3c06f48aa.

The following figure shows additional details.

The DLL file is further obfuscated with an IntelliLock obfuscator to make malware reversal more difficult. The loader now loads the decrypted ransomware DLL as assembly using the Assembly.Load() function.

After loading DLL, the loader enumerates methods from the DLL file and creates a list of method names and objects from the loaded assembly. The loader now creates a thread pool of the methods for executing the ransomware code. The figure below shows the code to load the DLL as assembly, creating the list of methods and thread pool for executing the ransomware code.

After creating the thread pool, the loader then uses the InvokeMember() function to execute the threads for a list of previously created methods. The following figure shows the code to execute threads for the methods created from the loaded assembly.

After execution, the ransomware drops a batch file “Axfiysgodhtrlqmrgpchkiller.bat” into the temp folder and executes it. This batch file stops numerous services and programs so that associated files are encrypted without any interruption during the encryption process.

The following figure shows the contents of the batch file.

Interestingly, the ransomware also stops GPS-related programs, indicating that the ransomware could be targeting organizations dealing in the critical infrastructure sector.

The figure below shows the commands to stop running GPS-related programs.

The ransomware disables several services and stops running programs in the system. Some important services and programs are:

• Database Related Services: MSSQL, MSSQL Server, PostgreSQL, Oracle, etc.
• Backup Related Services: VSS, Veeam, etc.
• Windows Related Programs: OneDrive, Excel, Outlook, WinWord, etc.
• File Sharing and Servers Related programs: FileZilla FTP Server, Apache Tomcat Server, Microsoft Exchange Server, OpenSSH, WAMP Server, Nginx, etc.
• Business Management Software: SAP Business One, Jenkins, Redis, SVN Server, Turbo CRM, Kingdee, etc.
• Virtualization Programs and Services: VirtualBox, VMware. Etc.
• GPS Related Commands: GPSDaemon, GPSUserSvr, GPSDownSvr, GPSStorageSvr, GPSDataProcSvr, GPSGatewaySvr, etc.

Before encrypting the files, the ransomware exfiltrates system information such as Operating system version, Desktop name, etc., and sends it to the Command & Control (C&C) server using a POST request as shown below.

The ransomware then encrypts the files, appends “.Mallox” as a file extension, and drops a ransom note in the folders, as shown below.

The figure below shows the ransom note dropped on the victim system.

The ransom note also contains a private chat link for the victims to connect with the Threat Actor. The Chat page contains information such as TargetID, hard disk size, Payment Details, etc.

The TA has also provided features in their Chat page to their victims for uploading encrypted samples to test the decryption.

Conclusion

Over the last few days, we have observed increased levels of activity from the Mallox ransomware group. The ransomware group is using an unknown loader which is used for downloading and executing the ransomware. Additionally, Mallox ransomware stopped GPS-related services, indicating their targets could be organizations dealing in Operation Technology and Critical Infrastructure.

Our Recommendations 

We have listed some of the essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below: 

Safety Measures Needed to Prevent Ransomware Attacks 

• Conduct regular backup practices and keep those backups offline or in a separate network. 
• Turn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic. 
• Use a reputed anti-virus and Internet security software package on your connected devices, including PC, laptop, and mobile. 
• Refrain from opening untrusted links and email attachments without verifying their authenticity. 

Users Should Take the Following Steps After the Ransomware Attack 

• Detach infected devices on the same network. 
• Disconnect external storage devices if connected. 
• Inspect system logs for suspicious events. 

Impact And Cruciality of Ransomware 

• Loss of valuable data. 
• Loss of the organization’s reputation and integrity. 
• Loss of the organization’s sensitive business information. 
• Disruption in organization operation. 
• Monetary loss. 

MITRE ATT&CK® Techniques 

Related

Source: https://blog.cyble.com/2022/12/08/mallox-ransomware-showing-signs-of-increased-activity/