“Unveiling the Mallox Ransomware Attack: Exposed Data and Encryption Tactics”

Short Summary:

Trustwave investigated an unauthorized access incident leading to the deployment of Mallox ransomware in a client’s cloud-based environment. The attack exploited a misconfiguration that allowed unauthorized access, resulting in significant data encryption and threats of data leaks. Mallox ransomware has evolved to target various industries and employs double extortion tactics to pressure victims into paying ransoms.

Key Points:

  • Incident involved unauthorized access to a cloud-based environment.
  • Mallox ransomware, also known as FARGO, first emerged in June 2021.
  • Initially targeted Microsoft SQL servers but has since expanded to Linux and VMware ESXi systems.
  • Operates on a Ransomware-as-a-Service (RaaS) model, increasing its reach and activities.
  • Employs double extortion tactics by encrypting data and threatening to leak stolen information.
  • Utilizes a dedicated leak site on the dark web to pressure victims.
  • Initial access gained through brute-forcing an exposed MS SQL server.
  • Employs various downloaders and droppers to execute ransomware.
  • Utilizes sophisticated batch scripts to modify file permissions and disable security measures.
  • Encrypts files using the ChaCha20 algorithm and appends ‘.rmallox’ extension.
  • Targets a wide range of industries, adopting an opportunistic approach.
  • Recommendations include restricting public access and conducting periodic audits.

MITRE ATT&CK TTPs – created by AI

  • Initial Access (T1078)
    • Brute-force attacks on exposed MS SQL servers.
  • Execution (T1203)
    • Use of batch scripts to execute commands for ransomware deployment.
  • Persistence (T1547)
    • Modification of registry keys to maintain persistence.
  • Privilege Escalation (T1068)
    • Elevation of privileges to take ownership of files and processes.
  • Defense Evasion (T1218)
    • Reflective loading to evade antivirus detection.
  • Impact (T1486)
    • Data encryption and threat of data leaks to pressure victims.

Recently, a client enlisted the support of Trustwave to investigate an unauthorized access incident within its internal cloud-based environment, leading to the deployment of Mallox ransomware by threat actors to its server.

A misconfiguration allowed unauthorized individuals to bypass security restrictions. This blog details the initial access method, the tools used to execute their operations, and an analysis of the Mallox ransomware. Mallox ransomware, also known as FARGO or TargetCompany, first emerged in June 2021. Initially, Mallox ransomware targeted Microsoft Windows systems by exploiting unsecured Microsoft SQL (MS SQL) servers. It has since evolved to affect Linux systems and VMware ESXi environments.

In recent years, Mallox has significantly expanded its operations. The group has transitioned to a Ransomware-as-a-Service (RaaS) model, enlisting affiliates to broaden its reach. This shift contributed to a notable increase in related activities, with a surge observed around mid-2023.

The ransomware targets a diverse range of industries, including the IT, manufacturing, retail, transportation, and government sectors, showing no preference for the size or type of organization. It affects both small businesses and large enterprises alike.

Like other ransomware types, Mallox employs a double extortion tactic by encrypting data and threatening to leak stolen information unless the ransom is paid. This strategy is particularly menacing for organizations, as the potential for data exposure adds pressure to meet ransom demands.

To further increase pressure on victims, the group operates a dedicated leak site on the dark web, publishing stolen data from those who refuse to pay the ransom. The leak site is regularly updated with new victims and their compromised data, serving as a public-shaming platform and a means to further monetize their attacks.

Figure 1. The Mallox leak site publishes data from victims who refuse to pay the ransom, pressuring organizations to pay to avoid public shaming and data exposure.

Figure 1. The Mallox leak site publishes data from victims who refuse to pay the ransom, pressuring organizations to pay to avoid public shaming and data exposure.

 

Technical Analysis

Figure 2. Mallox’s attack chain.

Figure 2. Mallox’s attack chain.

Initial Access

Before the compromise, the server was inadvertently accessible from the Internet and listed on Shodan, a search engine for Internet-connected devices and systems. Shodan allows users to find vulnerable systems by identifying the software or services they use, making it a tool frequently exploited by threat actors to identify potential targets.

Following this exposure, suspicious activities surged dramatically. Daily events spiked from an average of about 3,000 to over 60,000, indicating that its listing on Shodan significantly increased its vulnerability to potential attacks.

The threat actors gained initial access to the organization’s internal system by brute-forcing the exposed MS SQL server. This conclusion was drawn by analyzing numerous unsuccessful authentication attempts made by various public IP addresses, indicating a systematic brute-force attack aimed at compromising the server.

Once inside, the threat actors executed a series of Invoke-WebRequest commands to download ransomware droppers, downloaders, and auxiliary batch scripts from a remote server to elevate control and further enhance the attack. They also created additional PowerShell scripts to facilitate the setup and execution of the ransomware.

Downloaders and Droppers

A variety of executables written in .NET have been discovered in the compromised server, functioning as downloaders or droppers for the Mallox ransomware. Each executable employs distinct methods to retrieve payloads, decrypt them, and subsequently execute malicious content.

Some variants of the downloader fetch an encrypted payload from a remote server and decrypt it using AES or 3DES with keys and IVs embedded within the executable itself. Meanwhile, other payloads utilize simple obfuscation techniques, such as decrementing each byte by 4, or not encrypting at all.

The downloaded payloads often use random multimedia file extensions such as .mp4, .wav, and .dat.

Figure 3. The downloader fetches a malicious payload from a remote server, decrypts it, then loads the Mallox ransomware.

Figure 3. The downloader fetches a malicious payload from a remote server, decrypts it, then loads the Mallox ransomware.

 

Alternatively, a variant of the dropper embeds its payload in the resource section, decrypting it using AES encryption with a hardcoded plaintext key and IV before dynamically loading the Mallox ransomware payload.

Figure 4. The dropper stores its payload in the resource section.

Figure 4. The dropper stores its payload in the resource section.

 

These loaders utilized reflective loading, a technique where the malicious code is injected directly into a process’s memory. This allows the Mallox ransomware to evade traditional antivirus solutions, making it difficult for organizations to detect and defend against these attacks.

Batch Scripts

Two script files were uncovered during the investigation: Kill$-Arab.bat and Kill-Delete.bat. These scripts are designed to modify file permissions, take ownership of files, and manage services in a Windows environment, aiding in the successful deployment and maximizing the impact of the ransomware operation. Notably, Kill-Delete.bat’s functions are a subset of Kill$-Arab.bat.

Common Functions

  • Taking ownership and modifying permissions: Both scripts use takeown and cacls to change ownership of critical executable files (e.g., cmd.exe, net.exe, mshta.exe) and directories to the administrator’s group. It also modifies file permissions to grant full control to administrators, read permissions to users, and deny access to various service accounts.

Figure 5. The batch script changes ownership of critical executables and directories.

Figure 5. The batch script changes ownership of critical executables and directories.

 

Key Commands and Functions in Kill$-Arab.bat

  • Registry modification: Deletes the AutoRun registry key, which could be used to execute scripts or commands automatically when the command processor starts.

Figure 6. Deletes autorun registry entry of command processor

Figure 6. Deletes autorun registry entry of command processor.

  • Service deletion: Deletes services related to virtualization, antivirus, and SQL Server, effectively disabling critical system and security functionalities.

Figure 7. Deletes services that might prevent the encryption of target files.

Figure 7. Deletes services that might prevent the encryption of target files.

  • Task and service stopping: Stops various services and processes, including SQL Server services, Windows Defender, and other security-related processes.

Figure 8. List of target services for termination.

Figure 8. List of target services for termination.

  • Log file cleanup:

Clears all event logs and deletes Recycle Bin contents to cover tracks and remove evidence of malicious activities. The final command attempts to delete the script itself.

Figure 9

Figure 9. Clean up the routine of the script.

Overall, these scripts demonstrate sophisticated methods used by Mallox ransomware operators to maintain control, disable security measures, and conceal their presence.

Mallox’s Windows Version

The Windows version of Mallox ransomware encrypts files using the ChaCha20 encryption algorithm, similar to its Linux variant. It then appends the ‘.rmallox’ extension to the encrypted files. Following the encryption process, a ransom note entitled HOW TO BACK FILES.txt is dropped into each infected directory.

Mallox is designed to severely disrupt database operations by terminating key processes associated with SQL database servers. It targets processes such as sqlserv.exe, ntdbsmgr.exe, and mysql.exe. In addition, Mallox encrypts specific file types commonly used for data storage and backups, including .zip, .sql, .vhd, and .vmx.

Prior to encryption, Mallox performs a language check to avoid encrypting systems with Russian language settings. Then it alters power settings by loading PowrProf.dll and setting the system to high performance, preventing the computer from entering power-saving modes that might interrupt its operation.

Mallox elevates its privileges to SeTakeOwnershipPrivilege and SeDebugPrivilege, allowing it to take ownership of files and processes that would normally be inaccessible. This elevation helps the ransomware lock system files or terminate security software, thereby disabling defenses.

Figure 10. Mallox checks the systems language ID before proceeding with its operations.

Figure 10. Mallox checks the system’s language ID before proceeding with its operations.

As a typical ransomware routine, Mallox disables Recovery and Boot Protections using ShellExecuteW to run cmd.exe with commands to modify boot configuration settings via bcdedit:

bcdedit.exe /set {current} bootstatuspolicy ignoreallfailures

bcdedit.exe /set {current} recoveryenabled no

These commands configure the system to ignore all errors during boot, preventing automatic repair mechanisms from initiating and disabling Windows’ automatic recovery feature, which is typically used to restore system stability.

Also, it removes shadow copies via vssadmin to prevent recovery efforts, eliminating backup copies that could be used to restore the system to a previous state.

Furthermore, Mallox employs additional routines to maximize the effectiveness of its ransomware operations. These tactics include registry modifications that hide shutdown, restart, and sign-out options, restricting the user’s ability to respond to the infection. By making it more difficult for users to reboot or shut down the system, Mallox ensures its ransomware remains active and harder to circumvent.

Figure 11. System lockdown techniques.

Figure 11. System lockdown techniques.

The Ransom Note

The ransom note, HOW TO BACK FILES.txt, outlines communication and payment processes using TOR for anonymity and offers free decryption for limited files to build trust and incentivize payment. Like most ransomware variants, these ransom notes are typically scattered throughout the compromised system to alert legitimate users about the incident and prompt a response.

Figure 12. Mallox ransom note

Figure 12. Mallox ransom note

Network Communications

The ransomware gathers various system information, including total disk space, operating system version, computer name, locale information, and processor architecture and communicates with its command-and-control (C2) server.

It also interacts with an external service to obtain the public IP address through api.ipify.org.

Figure 13. Mallox gathering system information before sending it to its C2 server.

Figure 13. Mallox gathering system information before sending it to its C2 server.

Summary

The group behind Mallox does not appear to target specific industries exclusively. Instead, it adopts an opportunistic approach, attacking a variety of sectors. Victims have been identified across industries such as manufacturing, professional services, legal services, wholesale, and retail. This broad targeting strategy indicates that Mallox is more focused on exploiting vulnerabilities wherever they exist rather than singling out particular industries.

Recommendations

Based on our investigation, the following recommendations are provided to enhance the security posture of your environment:

1. Restrict public access: Correct misconfigurations that allow public access to cloud servers. This can be achieved by configuring network security groups, firewall rules, or access control lists to restrict access to only authorized IP addresses.

2. Schedule periodic audits: Regularly audit and assess cloud environments to identify and address security gaps or misconfigurations. This should include reviewing log files such as Windows Event Logs, Microsoft IIS logs, and HTTP Error Logs.

3. Ensure services are patched: Keep all services up-to-date with the latest patches and security updates to mitigate vulnerabilities.

These measures are critical to securing the cloud environment and preventing unauthorized access or potential exploitation due to misconfigurations.

Indicators of Compromise

Downloaders

6PYADPZW.exe

ccf817dcd04c768f8d2def4e4e393375

c5d11d6d9036a7a500242fb080f5a1600cba4c4a639d516ee7b1a6b7e185e0db

8UDR7AZ1.exe

9d1a08093886cb0b887bec36c3876a9d

7162415a7e65c042589e67ad9246d0dca89447693b4e92d0f4beca011e1ad4c4

GYIUCWUH.exe

e359ec4832daa9c0d5868ffa1d58e9bd

ae2030f9b43c5bb039b219327391fda049be38fe092df02f3bbc1832f25a764c

KRIYTA2E.exe

00db5602ec3b7ebd4299064aedd21733

89302b545705212059fb591aeea54b1de8f63f0b7fa2b83e16ac7be94421cefa

SHH8A94U.exe

c1dfc103a9d04db26640cd1a461702ae

eb2e795dd56f6ed38b964d6a2d75cbe0c05c4ad8e66786cdbe6ac51c1582499a

VFUJTG9Q.exe

fb9bd9ed8e1fb782123a9614d7d46483

e657103f40f61395147f31baaca9ada6efb8bfa3da83c078557e3494c2755503

XQL3KQIJ.exe

1f83080a421c95234b8a54a95e507447

972430371601ec17396e7bc7c62d3838cc95bec62bfed893a61919ac411b2bf2

Scripts

Kill$-Arab.bat

b57545cb36ef6a19fdde4b2208ebb225

445d709ea4ae38706a0cc47ffc6c100fb9a354ff1ac718d0c23415524bdfc895

Kill-Delete.bat

1726416850d3bba46eeb804fae57083d

c207a7a561ab726fb272b5abd99c4da8e927b5da788210d5dd186023c2783990

Mallox Ransomware

MD5

e98b3a8d2179e0bd0bebba42735d11b7

SHA256

e92f5d73a8cb1aa132602d3f35f2c2005deba64df99dcfff4e2219819ab3fffd

Download URLs

hxxp[://]80[.]66[.]76[.]30/Yvpvuzho[.]wav

hxxp[://]80[.]66[.]76[.]30/Yephpgs[.]wav

hxxp[://]80[.]66[.]75[.]44/Rpbbvlchy[.]mp4

hxxp[://]80[.]66[.]76[.]30/Zibgsfhbkzt[.]dat

hxxp[://]80[.]66[.]76[.]30/Vnohhowgf[.]mp4

hxxp[://]80[.]66[.]76[.]30/Fgeadmt[.]mp4

IP addresses

80[.]66[.]76[.]30

80[.]66[.]75[.]44

C2 server

91.215.85[.]142

http[://]91.215.85[.]142/QWEwqdsvsf/ap[.]php

Source: Original Post