Cyble – Mallox Ransomware Implements New Infection Strategy

MITRE Techniques

• [T1204] User Execution – Initial infection occurs when the user clicks the attachment in the spam email. ‘The initial infection occurs once the user clicks on the attachment included in the spam email.’
• [T1140] Deobfuscate/Decode Files or Information – The batch script utilized in this case is obfuscated, employing various variables that are defined in a random sequence. ‘The batch script utilized in this case is obfuscated, employing various variables that are defined in a random sequence.’
• [T1562] Impair Defences – The PowerShell payload drops a batch script that can kill processes, stop and disable services, and delete services. ‘The batch script dropper… can kill over 600 processes…, stop over 200 services…, disable over 13 services…, and delete over 200 services.’
• [T1222] Hidden Files and Directories – The batch script copies and hides a PowerShell executable by setting hidden/system attributes. ‘attrib +s +h’
• [T1036] Masquerading – The PowerShell executable is copied and renamed (e.g., ‘ransomware.bat.exe’) to blend with legitimate files. ‘PowerShell executable (powershell.exe) to a file named “batch script name” + “.exe” … PowerShell.exe copied as “ransomware.bat.exe”.’
• [T1070] File Deletion – The payload deletes numerous services; the batch script uses commands like ‘sc delete’. ‘Deletes over 200 services using the sc delete command.’
• [T1486] Data Encrypted for Impact – Encrypted files are marked with the .malox extension, indicating data encryption. ‘The ransomware appends the encrypted files with the “.malox” extension.’
• [T1071] Application Layer Protocol – The activity is aligned with C2 over application-layer protocols in the network communications. ‘Application Layer Protocol’