Mallox Ransomware: How Truesec CSIRT Fought Back

Mallox operates as a RaaS platform with affiliates conducting attacks since 2021, sharing profits with operators. The post details incident response that helped a victim fully recover and outlines Mallox’s techniques from initial access to extortion, plus recovery and lessons learned.
#Mallox #RaaS

Key points

  • Mallox is described as a Ransomware-as-a-Service (RaaS) program active since 2021, with affiliates performing attacks.
  • Initial access commonly occurred via exposed MSSQL servers on internet-facing web servers, with dropper PowerShell scripts (e.g., alta.ps1).
  • Persistence and backdoor access were achieved using legitimate remote software (AnyDesk).
  • Mimikatz was used to dump credentials to obtain domain administrator privileges.
  • Network discovery and movement involved netscan.exe for mapping and a SystemUI account created for lateral movement (system.bat).
  • Ransomware activity encrypted files with the .mallab extension, performed anti-recovery checks, and used FileZilla for data exfiltration; extortion occurs via a dark web leak blog.
  • Recovery involved rebuilding or cleaning backups, with emphasis on identifying attacker activity to prevent re-entry; lessons stress patching, monitoring, and AD tiering.

MITRE Techniques

  • [T1133] External Remote Services – The Mallox actor exploited an exposed MSSQL server for initial access.
    “The Mallox threat actor is known for exploiting unsecured MSSQL servers for initial access. In this incident, the first traces of the threat actor were seen on an exposed web server running MSSQL.”
  • [T1059.001] PowerShell – Dropper PowerShell scripts observed (alta.ps1).
    “for instance, one script called ‘alta.ps1’.”
  • [T1003] Credential Dumping – Mimikatz used to dump credentials and obtain domain admin privileges.
    “The threat actor used Mimikatz to dump the credentials on the server they gained their initial access on. These credentials yielded the information that enabled them to access the environment as domain administrator.”
  • [T1046] Network Service Scanning – netscan.exe used to map the victim network (renamed netscanold.exe).
    “the threat actor used an application called netscan.exe. The application is a legitimate tool developed by SoftPerfect. In the attack, the threat actor used version 6.2.1.0 and the file was renamed to netscanold.exe.”
  • [T1136] Create Account – SystemUI created for lateral movement via system.bat.
    “The threat actor created an account called SystemUI, which was primarily used for lateral movement. The account was created with a script called system.bat.”
  • [T1486] Data Encrypted for Impact – Files encrypted with .mallab extension.
    “The encrypted files have the extension .mallab.”
  • [T1041] Exfiltration – Data exfiltrated using FileZilla.
    “The threat actor exfiltrates data using the legitimate software FileZilla.”
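The techniques above map naturally onto detection rules. The following is an added example, not code from the Truesec post: it runs simple rules for the named artifacts (alta.ps1/addt.ps1 via PowerShell, the renamed netscanold.exe, the SystemUI account, FileZilla, and writes of .mallab files) over constructed Windows-security-style log lines. The log format, host names and event field names are assumptions made for the example.

```python
import re

# Constructed sample events (not from the report). Format assumed for this
# example: "<event_id> key=value key=value ..." (4688 process creation,
# 4720 user account created, 4663 object access).
SAMPLE_LOGS = [
    "4688 host=web01 user=svc_sql image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe cmdline=powershell -ep bypass -f C:\\temp\\alta.ps1",
    "4688 host=web01 user=svc_sql image=C:\\temp\\netscanold.exe cmdline=netscanold.exe /range:10.0.0.0/24",
    "4720 host=dc01 user=CORP\\admin target=SystemUI",
    "4688 host=web01 user=svc_sql image=C:\\Program Files (x86)\\FileZilla FTP Client\\filezilla.exe cmdline=filezilla.exe",
    "4663 host=fs01 user=SystemUI object=D:\\shares\\finance\\q3.xlsx.mallab access=WriteData",
    "4688 host=fs01 user=CORP\\jdoe image=C:\\Windows\\System32\\notepad.exe cmdline=notepad.exe",
]

# (rule name, ATT&CK technique from the report, required event id, pattern).
# Filename-based rules are brittle (the actor already renamed netscan.exe once);
# pair them with the SHA256 values from the IoC list where hashes are available.
RULES = [
    ("powershell-dropper", "T1059.001", "4688", re.compile(r"powershell\.exe.*\b(alta|addt)\.ps1", re.I)),
    ("renamed-netscan", "T1046", "4688", re.compile(r"\\netscanold\.exe", re.I)),
    ("systemui-account-created", "T1136", "4720", re.compile(r"target=SystemUI\b")),
    ("filezilla-exfil-tool", "T1041", "4688", re.compile(r"\\filezilla\.exe", re.I)),
    ("mallab-extension-write", "T1486", "4663", re.compile(r"\.mallab\b.*access=WriteData", re.I)),
]

def parse_line(line):
    """Split '<event_id> k=v k=v ...' into (event_id, fields). Values may contain
    spaces, so a value ends only where the next ' key=' begins."""
    event_id, _, rest = line.partition(" ")
    fields = {m.group(1): m.group(2) for m in re.finditer(r"(\w+)=(.*?)(?= \w+=|$)", rest)}
    return event_id, fields

def match_rules(lines):
    """Return (rule, technique, host) for every line that triggers a rule, in log order."""
    hits = []
    for line in lines:
        event_id, fields = parse_line(line)
        for name, technique, want_event, pattern in RULES:
            if event_id == want_event and pattern.search(line):
                hits.append((name, technique, fields.get("host", "?")))
    return hits

def summarize(hits):
    """Map each technique to the sorted set of hosts it was seen on, for scoping the response."""
    out = {}
    for _, technique, host in hits:
        out.setdefault(technique, set()).add(host)
    return {t: sorted(h) for t, h in out.items()}

if __name__ == "__main__":
    for hit in match_rules(SAMPLE_LOGS):
        print(hit)
    print(summarize(match_rules(SAMPLE_LOGS)))
```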

Indicators of Compromise

  • [File] system.bat – SHA256=0e05b8d0a88660c00510abde3aade43291e774880ed001e3a88dbb753dcb6f52
  • [File] netscanold.exe – SHA256=572d88c419c6ae75aeb784ceab327d040cb589903d6285bbffa77338111af14b
  • [File] addt.ps1 – SHA256=dc404d498cc6443db5c872e6acfa394641c83313263fe2373535d7eeb49a62e9
  • [IPv4] 91.215.85.142, 80.66.75.66, 80.66.75.37, 198.27.110.201, 34.197.32.16, 203.154.255.114, 103.39.109.50, 195.3.146.183

Read more: https://www.truesec.com/hub/blog/a-victim-of-mallox-ransomware-how-truesec-csirt-fought-back