SpiderLabs Blog

Exposed and Encrypted: Inside a Mallox Ransomware Attack

Written by Bernard Bautista | Aug 27, 2024 1:00:00 PM

Recently, a client enlisted the support of Trustwave to investigate an unauthorized access incident within its internal cloud-based environment, leading to the deployment of Mallox ransomware by threat actors to its server.

A misconfiguration allowed unauthorized individuals to bypass security restrictions. This blog details the initial access method, the tools used to execute their operations, and an analysis of the Mallox ransomware. Mallox ransomware, also known as FARGO or TargetCompany, first emerged in June 2021. Initially, Mallox ransomware targeted Microsoft Windows systems by exploiting unsecured Microsoft SQL (MS SQL) servers. It has since evolved to affect Linux systems and VMware ESXi environments.

In recent years, Mallox has significantly expanded its operations. The group has transitioned to a Ransomware-as-a-Service (RaaS) model, enlisting affiliates to broaden its reach. This shift contributed to a notable increase in related activities, with a surge observed around mid-2023.

The ransomware targets a diverse range of industries, including the IT, manufacturing, retail, transportation, and government sectors, showing no preference for the size or type of organization. It affects both small businesses and large enterprises alike.

Like other ransomware types, Mallox employs a double extortion tactic by encrypting data and threatening to leak stolen information unless the ransom is paid. This strategy is particularly menacing for organizations, as the potential for data exposure adds pressure to meet ransom demands.

To further increase pressure on victims, the group operates a dedicated leak site on the dark web, publishing stolen data from those who refuse to pay the ransom. The leak site is regularly updated with new victims and their compromised data, serving as a public-shaming platform and a means to further monetize their attacks.

Figure 1. The Mallox leak site publishes data from victims who refuse to pay the ransom, pressuring organizations to pay to avoid public shaming and data exposure.


Technical Analysis

Figure 2. Mallox’s attack chain.

Initial Access

Before the compromise, the server was inadvertently accessible from the Internet and listed on Shodan, a search engine for Internet-connected devices and systems. Shodan lets users find exposed systems by the software or services they run, which makes it a tool frequently used by threat actors to identify potential targets.

Following this exposure, suspicious activity surged dramatically. Daily events spiked from an average of about 3,000 to over 60,000, indicating that the Shodan listing significantly increased the server's exposure to attack.

The threat actors gained initial access to the organization's internal system by brute-forcing the exposed MS SQL server. This conclusion was drawn by analyzing numerous unsuccessful authentication attempts made by various public IP addresses, indicating a systematic brute-force attack aimed at compromising the server.
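How the brute-force pattern described above can be pulled out of a SQL Server error log, as an added example (not Trustwave's tooling or any code from the article): the log lines are constructed in the ERRORLOG login-failure format with documentation-range addresses, and the 60-second window and five-failure threshold are assumed tuning values.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed lines in the shape of SQL Server ERRORLOG entries; addresses are documentation ranges.
SAMPLE_LOG = """\
2024-08-01 10:15:32.12 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-08-01 10:15:32.40 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-08-01 10:15:32.71 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.5]
2024-08-01 10:15:33.55 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-08-01 10:15:34.01 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-08-01 10:20:00.00 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.5]
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+)\s+Logon\s+Login (?P<outcome>failed|succeeded) for user "
    r"'(?P<user>[^']*)'.*\[CLIENT: (?P<ip>[\d.]+)\]$")

INTERNAL_NETS = [ipaddress.ip_network(n) for n in  # RFC 1918, loopback, link-local
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def parse_events(text):
    """Parse ERRORLOG login lines into dicts; unrelated lines are skipped."""
    return [{"ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"),
             "outcome": m["outcome"], "user": m["user"], "ip": m["ip"]}
            for m in map(LINE_RE.match, text.splitlines()) if m]

def detect_bruteforce(events, threshold=5, window_s=60):
    """Flag source IPs with >= threshold failed logins inside any window_s-second span."""
    failures = defaultdict(list)
    for e in events:
        if e["outcome"] == "failed":
            failures[e["ip"]].append(e["ts"])
    findings = {}
    for ip, times in failures.items():
        times.sort()
        lo, densest = 0, 0  # sliding window over the sorted timestamps
        for hi, t in enumerate(times):
            while (t - times[lo]).total_seconds() > window_s:
                lo += 1
            densest = max(densest, hi - lo + 1)
        if densest >= threshold:
            addr = ipaddress.ip_address(ip)
            findings[ip] = {
                "failures": len(times),
                "external_source": not any(addr in n for n in INTERNAL_NETS),
                # a success from the same source after the burst suggests the password was guessed
                "success_after_failures": any(e["ip"] == ip and e["outcome"] == "succeeded"
                                              and e["ts"] > times[-1] for e in events)}
    return findings
```

A source that is both external and succeeds after a dense burst of failures is the combination that should trigger an immediate account reset and network-exposure review.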

Once inside, the threat actors executed a series of Invoke-WebRequest commands to download ransomware droppers, downloaders, and auxiliary batch scripts from a remote server to elevate control and further enhance the attack. They also created additional PowerShell scripts to facilitate the setup and execution of the ransomware.


Downloaders and Droppers

A variety of executables written in .NET were discovered on the compromised server, functioning as downloaders or droppers for the Mallox ransomware. Each executable employs a distinct method to retrieve its payload, decrypt it, and execute the resulting code.

Some downloader variants fetch an encrypted payload from a remote server and decrypt it using AES or 3DES with keys and IVs embedded in the executable itself. Other payloads use only simple obfuscation, such as decrementing each byte by 4, or are not encrypted at all.

The downloaded payloads often use random multimedia file extensions such as .mp4, .wav, and .dat.
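As an added illustration (not code from the article or from the malware), a small triage helper an analyst could run over a downloaded ".wav" or ".mp4" to tell an unencrypted or byte-shifted payload from real media: it reverses the decrement-by-4 scheme described above and validates the MZ/PE header. The sample input is a constructed header stub rather than a real binary; the AES/3DES variants need the embedded key and are not covered here.

```python
import struct

def unshift_bytes(data, shift=4):
    """Reverse the 'decrement every byte by 4' obfuscation: add the shift back modulo 256."""
    return bytes((b + shift) & 0xFF for b in data)

def looks_like_pe(data):
    """True if data starts with an MZ header whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def recover_payload(blob):
    """Try the keyless encodings the article describes (plain, byte-shifted) and return
    (scheme, decoded) for the first one that yields a PE image, else (None, None)."""
    for scheme, decoded in (("plain", blob), ("sub4", unshift_bytes(blob))):
        if looks_like_pe(decoded):
            return scheme, decoded
    return None, None

def _stub_pe():
    """Constructed minimal MZ/PE header stub (not an executable) used as test input."""
    hdr = bytearray(0x44)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)   # e_lfanew -> offset 0x40
    hdr[0x40:0x44] = b"PE\x00\x00"
    return bytes(hdr)

# Constructed stand-in for a downloaded ".wav": the stub with every byte decremented by 4.
SAMPLE_DOWNLOAD = bytes((b - 4) & 0xFF for b in _stub_pe())
```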

Figure 3. The downloader fetches a malicious payload from a remote server, decrypts it, then loads the Mallox ransomware.


Alternatively, a variant of the dropper embeds its payload in the resource section, decrypting it using AES encryption with a hardcoded plaintext key and IV before dynamically loading the Mallox ransomware payload.

Figure 4. The dropper stores its payload in the resource section.


These loaders use reflective loading, a technique in which the decrypted payload is loaded directly from memory into the running process rather than being written to disk as a file. Because the ransomware never exists on disk as a standalone executable, file-based antivirus scanning can miss it, making these attacks harder for organizations to detect and defend against.


Batch Scripts

Two script files were uncovered during the investigation: Kill$-Arab.bat and Kill-Delete.bat. These scripts modify file permissions, take ownership of files, and manage services in a Windows environment, aiding the deployment of the ransomware and maximizing its impact. Notably, the functions of Kill-Delete.bat are a subset of those in Kill$-Arab.bat.

Common Functions

  • Taking ownership and modifying permissions: Both scripts use takeown and cacls to change ownership of critical executables (e.g., cmd.exe, net.exe, mshta.exe) and directories to the Administrators group. They also modify file permissions to grant full control to administrators, read permissions to users, and deny access to various service accounts.

Figure 5. The batch script changes ownership of critical executables and directories.


Key Commands and Functions in Kill$-Arab.bat

  • Registry modification: Deletes the AutoRun registry key, which could be used to execute scripts or commands automatically when the command processor starts.

Figure 6. Deletion of the command processor's AutoRun registry entry.


  • Service deletion: Deletes services related to virtualization, antivirus, and SQL Server, effectively disabling critical system and security functionalities.

Figure 7. Deletes services that might prevent the encryption of target files.


  • Task and service stopping: Stops various services and processes, including SQL Server services, Windows Defender, and other security-related processes.

Figure 8. List of target services for termination.


  • Log file cleanup: Clears all event logs and deletes Recycle Bin contents to cover tracks and remove evidence of malicious activity. The final command attempts to delete the script itself.

Figure 9. The script's clean-up routine.

Overall, these scripts demonstrate sophisticated methods used by Mallox ransomware operators to maintain control, disable security measures, and conceal their presence.


Mallox’s Windows Version

The Windows version of Mallox ransomware encrypts files using the ChaCha20 encryption algorithm, similar to its Linux variant. It then appends the ‘.rmallox’ extension to the encrypted files. Following the encryption process, a ransom note entitled HOW TO BACK FILES.txt is dropped into each infected directory.

Mallox is designed to severely disrupt database operations by terminating key processes associated with SQL database servers. It targets processes such as sqlserv.exe, ntdbsmgr.exe, and mysql.exe. In addition, Mallox encrypts specific file types commonly used for data storage and backups, including .zip, .sql, .vhd, and .vmx.

Prior to encryption, Mallox performs a language check to avoid encrypting systems with Russian language settings. Then it alters power settings by loading PowrProf.dll and setting the system to high performance, preventing the computer from entering power-saving modes that might interrupt its operation.

Mallox enables the SeTakeOwnershipPrivilege and SeDebugPrivilege privileges for its own process, allowing it to take ownership of files and open processes that would normally be inaccessible. These privileges let the ransomware lock system files and terminate security software, thereby disabling defenses.

Figure 10. Mallox checks the system's language ID before proceeding with its operations.


As is typical for ransomware, Mallox disables recovery and boot protections by using ShellExecuteW to run cmd.exe with bcdedit commands that modify the boot configuration:

bcdedit.exe /set {current} bootstatuspolicy ignoreallfailures

bcdedit.exe /set {current} recoveryenabled no

These commands configure the system to ignore all errors during boot, which prevents automatic repair mechanisms from starting, and disable Windows’ automatic recovery feature, which is normally used to restore system stability.

Also, it removes shadow copies via vssadmin to prevent recovery efforts, eliminating backup copies that could be used to restore the system to a previous state.
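The batch-script actions in the previous section (takeown/cacls on system binaries, AutoRun key deletion, service deletion, event-log clearing) and the bcdedit and vssadmin commands above share one detection surface: process command lines. The following added example (not from the article or Trustwave) applies regex rules to constructed command lines modelled on Sysmon Event ID 1 / Security 4688 records; the service and file names in the samples are illustrative, and the ATT&CK technique IDs in the rule names are added mappings.

```python
import re

# Constructed command lines, as they would appear in the CommandLine field of a Sysmon
# Event ID 1 or Security 4688 record; service and binary names are illustrative.
SAMPLE_COMMAND_LINES = [
    "bcdedit.exe /set {current} bootstatuspolicy ignoreallfailures",
    "bcdedit.exe /set {current} recoveryenabled no",
    "vssadmin.exe delete shadows /all /quiet",
    r"takeown /f C:\Windows\System32\mshta.exe",
    r"cacls C:\Windows\System32\mshta.exe /E /G Administrators:F",
    r'reg delete "HKCU\Software\Microsoft\Command Processor" /v AutoRun /f',
    "sc delete MsMpSvc",
    "for /F %1 in ('wevtutil.exe el') DO wevtutil.exe cl %1",
    r"notepad.exe C:\Users\jdoe\notes.txt",     # benign: must not match
    "vssadmin.exe list shadows",                # benign: read-only query
]

# (rule name with ATT&CK technique, pattern); each pattern is anchored on the tool and its verb
RULES = [
    ("Boot recovery disabled (T1490)",
     re.compile(r"\bbcdedit(\.exe)?\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I)),
    ("Shadow copies deleted (T1490)", re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    ("Event logs cleared (T1070.001)", re.compile(r"\bwevtutil(\.exe)?\b.*\b(cl|clear-log)\b", re.I)),
    ("Service deleted (T1489)", re.compile(r"\bsc(\.exe)?\s+delete\b", re.I)),
    ("Command Processor AutoRun key removed", re.compile(r"\breg(\.exe)?\s+delete\b.*Command Processor.*\bAutoRun\b", re.I)),
    ("System binary ownership/ACL changed (T1222.001)",
     re.compile(r"\b(takeown|cacls|icacls)(\.exe)?\b.*System32\\(cmd|net|mshta)\.exe", re.I)),
]

def classify(cmdline):
    """Return the names of every rule that matches a single command line."""
    return [name for name, rx in RULES if rx.search(cmdline)]

def triage(cmdlines):
    """Map each suspicious command line to its matched rules; unmatched lines are dropped."""
    findings = {}
    for c in cmdlines:
        hits = classify(c)
        if hits:
            findings[c] = hits
    return findings

def summarize(cmdlines, min_rules=2):
    """Distinct behaviours seen on one host; several together form the ransomware staging pattern."""
    seen = sorted({name for hits in triage(cmdlines).values() for name in hits})
    return {"rules_hit": seen, "escalate": len(seen) >= min_rules}
```

Any single rule can fire during legitimate administration; the escalation signal is several distinct behaviours on one host within a short window, which is exactly what the recovered scripts produce.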

Furthermore, Mallox employs additional routines to maximize the effectiveness of its ransomware operations. These tactics include registry modifications that hide shutdown, restart, and sign-out options, restricting the user’s ability to respond to the infection. By making it more difficult for users to reboot or shut down the system, Mallox ensures its ransomware remains active and harder to circumvent.

Figure 11. System lockdown techniques.


The Ransom Note

The ransom note, HOW TO BACK FILES.txt, outlines the communication and payment process, using TOR for anonymity, and offers free decryption of a limited number of files to build trust and incentivize payment. As with most ransomware families, the notes are scattered throughout the compromised system to alert legitimate users to the incident and prompt a response.

Figure 12. Mallox ransom note


Network Communications

The ransomware gathers system information, including total disk space, operating system version, computer name, locale, and processor architecture, and sends it to its command-and-control (C2) server.

It also interacts with an external service to obtain the public IP address through api.ipify.org.

Figure 13. Mallox gathering system information before sending it to its C2 server.


Summary

The group behind Mallox does not appear to target specific industries exclusively. Instead, it adopts an opportunistic approach, attacking a variety of sectors. Victims have been identified across industries such as manufacturing, professional services, legal services, wholesale, and retail. This broad targeting strategy indicates that Mallox is more focused on exploiting vulnerabilities wherever they exist rather than singling out particular industries.


Recommendations

Based on our investigation, the following recommendations are provided to enhance the security posture of your environment:

1. Restrict public access: Correct misconfigurations that allow public access to cloud servers. This can be achieved by configuring network security groups, firewall rules, or access control lists to restrict access to only authorized IP addresses.

2. Schedule periodic audits: Regularly audit and assess cloud environments to identify and address security gaps or misconfigurations. This should include reviewing log files such as Windows Event Logs, Microsoft IIS logs, and HTTP Error Logs.

3. Ensure services are patched: Keep all services up-to-date with the latest patches and security updates to mitigate vulnerabilities.

These measures are critical to securing the cloud environment and preventing unauthorized access or potential exploitation due to misconfigurations.


Indicators of Compromise
