Mallox evolved from a private ransomware into a RaaS platform with a broad affiliate network, expanding globally since 2021 and showcasing advanced encryption and modular attack chains. It relies on affiliate-driven delivery, data exfiltration, and a Tor-based negotiation portal to monetize attacks.
#Mallox #MalloxRaaS #Tohnichi #Fargo #TargetCompany #SuspectFile
Key points
- Mallox was first discovered in May 2021 and has since produced over 700 samples, with notable surges in 2023 and early 2024.
- It operates as a RaaS, actively recruiting affiliates and distributing profits (e.g., 80/20 or 70/30 splits) while seeking long‑term partners.
- Targets are typically wealthy companies (revenue ≥ $10M) while avoiding educational, governmental, and healthcare sectors.
- Infection vectors include exploiting public-facing MS SQL and PostgreSQL servers (via CVEs or brute‑force/dictionary attacks) and other access methods advertised by affiliates.
- The cryptography is layered: ECC/ECDH on Curve25519, AES-256-GCM together with ChaCha20, and multiple key-generation schemes (generated versus embedded keys), with CTR_DRBG in use from March 2024.
- Infections often start with Remcos RAT or a .NET downloader after PowerShell or cmd-based stages, with flexible drive-targeting and text-file path options.
- Attackers maintain a negotiation portal and a data-leak site on the same domain, exposing victims, ransom details, and exfiltrated data to pressure payment.
MITRE Techniques
- [T1190] Exploitation of Public-Facing Application – The attackers penetrate internet-facing MS SQL or PostgreSQL servers by exploiting vulnerabilities or by brute force. “the threat actors typically either exploit RCE vulnerabilities, such as CVE-2019-1068 or CVE-2020-0618 in unpatched MS SQL server installations, or carry out brute-force or dictionary attacks.”
- [T1078] Valid Accounts – The group has discussed purchasing access credentials to victim networks for broader access. “The group was willing to purchase access credentials to victim networks.”
- [T1059] Command and Scripting Interpreter – The first stage begins with command-line actions that create and launch scripts. “The compromised MS SQL server process executes a command that creates a PowerShell script…”
- [T1086] PowerShell – A PowerShell script fetches and launches the next stage. “…and starts the first stage portable executable (PE) payload downloaded by the PowerShell script.”
- [T1060] Registry Run Keys / Startup Folder – The malware modifies registry keys to weaken defenses. “…modifies the registry keys of the HKEY_LOCAL_MACHINE hive to disable UAC and hide the Shut Down, Restart and Sign Out buttons.”
- [T1068] Exploitation for Privilege Escalation – The payload elevates its privileges when it is not already running as administrator. “If running without administrator permissions, it attempts to elevate its privileges by restarting using ShellExecuteW with the verb runas.”
- [T1027] Obfuscated Files or Information – The encryption components rely on obfuscated or encrypted content and in-memory execution. “Obfuscated Files or Information (T1027)…”
- [T1070] Indicator Removal on Host – The malware removes its own traces after encryption. “…the encryption process, the executable file is deleted via the ‘del’ command.”
- [T1003] Credential Dumping – The campaign maps to credential-access techniques; harvested credentials enable deeper network access. “Credential Dumping (T1003)”
- [T1046] Network Service Scanning – Affiliates identify exposed services as part of initial access. “[T1046] Network Service Scanning”
- [T1041] Exfiltration Over C2 Channel – Data is exfiltrated over the C2 channel during or after encryption. “Exfiltration Over Command and Control Channel (T1041)”
- [T1486] Data Encrypted for Impact – The core action is encrypting files to deny access. “Data Encrypted for Impact (T1486)”
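The technique list above reads naturally as a set of detection rules. The following Python is an added example (not code from the original report or from the Mallox operators) that runs four of those rules over constructed, SIEM-style event records: a burst of failed MS SQL logins from one client (T1190 brute force), the SQL Server service process spawning a command interpreter (T1059/T1086), registry writes that disable UAC and hide the Shut Down button (T1060 as listed above), and a payload that spawns cmd.exe to `del` its own executable (T1070). The event field names, the sample payload path and the registry value names EnableLUA and NoClose are this example's assumptions about how the report's described changes would appear in telemetry; the report itself quotes no value names.

```python
"""Behavioural detections for the Mallox intrusion stages described above.

Added example, not from the original report. SAMPLE_EVENTS is constructed to
resemble SIEM-normalised Windows telemetry (SQL Server login failures, Sysmon
registry-set and process-create events). Field names, the payload path and the
registry value names EnableLUA / NoClose are assumptions of this example.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

PAYLOAD = r"C:\Users\Public\payload.exe"  # constructed sample path

SAMPLE_EVENTS = [
    # 20 failed 'sa' logins in 40 seconds from one client, one from another
    *[{"type": "mssql_login_failed", "ts": f"2024-03-01T02:00:{i:02d}",
       "user": "sa", "client": "203.0.113.7"} for i in range(0, 40, 2)],
    {"type": "mssql_login_failed", "ts": "2024-03-01T02:00:41",
     "user": "sa", "client": "198.51.100.9"},
    # compromised SQL Server process spawning a shell that writes a script
    {"type": "process_create", "ts": "2024-03-01T02:03:00",
     "parent_image": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"cmd.exe /c echo $x > C:\Users\Public\s.ps1 & powershell -File C:\Users\Public\s.ps1"},
    # defence tampering: UAC disabled, Shut Down button hidden
    {"type": "registry_set", "ts": "2024-03-01T02:05:10",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System",
     "value": "EnableLUA", "data": "0", "image": PAYLOAD},
    {"type": "registry_set", "ts": "2024-03-01T02:05:11",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer",
     "value": "NoClose", "data": "1", "image": PAYLOAD},
    # benign registry write by Explorer (must not fire)
    {"type": "registry_set", "ts": "2024-03-01T02:05:12",
     "key": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced",
     "value": "Hidden", "data": "1", "image": r"C:\Windows\explorer.exe"},
    # self-deletion after encryption
    {"type": "process_create", "ts": "2024-03-01T02:30:00",
     "parent_image": PAYLOAD, "image": r"C:\Windows\System32\cmd.exe",
     "command_line": f'cmd.exe /c del "{PAYLOAD}"'},
]


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_sql_bruteforce(events, threshold=10, window=timedelta(minutes=5)):
    """Clients with >= threshold failed SQL logins inside a sliding window."""
    recent = defaultdict(deque)
    flagged = set()
    failures = sorted((e for e in events if e["type"] == "mssql_login_failed"),
                      key=lambda e: e["ts"])
    for ev in failures:
        ts = datetime.fromisoformat(ev["ts"])
        q = recent[ev["client"]]
        q.append(ts)
        while ts - q[0] > window:      # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged.add(ev["client"])
    return flagged


SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}


def detect_sql_spawned_shell(events):
    """The SQL Server service process launching a command interpreter."""
    return [ev["command_line"] for ev in events
            if ev["type"] == "process_create"
            and basename(ev["parent_image"]) == "sqlservr.exe"
            and basename(ev["image"]) in SHELLS]


# (key suffix, value name, data) -> description. Value names are assumed.
TAMPER_RULES = {
    ("policies\\system", "enablelua", "0"): "UAC disabled",
    ("policies\\explorer", "noclose", "1"): "Shut Down/Restart/Sign Out hidden",
}


def detect_defense_tampering(events):
    """Registry writes matching TAMPER_RULES, with the writing process image."""
    findings = []
    for ev in (e for e in events if e["type"] == "registry_set"):
        key = ev["key"].lower()
        for (suffix, name, data), desc in TAMPER_RULES.items():
            if key.endswith(suffix) and ev["value"].lower() == name and ev["data"] == data:
                findings.append((desc, ev["image"]))
    return findings


DEL_RE = re.compile(r"\bdel\b", re.IGNORECASE)


def detect_self_deletion(events):
    """A process spawning cmd.exe to 'del' its own executable."""
    return [ev["parent_image"] for ev in events
            if ev["type"] == "process_create"
            and basename(ev["image"]) == "cmd.exe"
            and DEL_RE.search(ev["command_line"])
            and ev["parent_image"].lower() in ev["command_line"].lower()]


def run_all(events):
    return {
        "sql_bruteforce_clients": detect_sql_bruteforce(events),
        "sql_spawned_shells": detect_sql_spawned_shell(events),
        "defense_tampering": detect_defense_tampering(events),
        "self_deleting_images": detect_self_deletion(events),
    }


if __name__ == "__main__":
    for name, hits in run_all(SAMPLE_EVENTS).items():
        print(f"{name}: {hits}")
```

The brute-force rule uses a per-client sliding window rather than a daily count so that a slow dictionary attack spread over hours does not hide inside normal failure noise; the threshold and window are tunable arguments. The self-deletion rule keys on the parent image path appearing in the `del` command line, which is exactly the trace the report describes the encryptor leaving.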
Indicators of Compromise
- [MD5] Mallox sample hashes – 9b772efb921de8f172f21125dd0e0ff7, 79b60f8b5052a9d4cc0c92c2cdc47485, plus 14 further hashes not reproduced here
- [URLs] exfiltration/C2 endpoints – 91.215.85.142/QWEwqdsvsf/ap.php, whyers.io/QWEwqdsvsf/ap.php
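Indicator feeds are often published in a form that will not match raw logs directly (the two URLs above, for instance, circulate with their slashes percent-encoded as `%2F`, and MD5s are logged in either case). The Python below is an added example, not code from the original report, that normalises both sides before matching: it percent-decodes URL tokens, reduces them to host plus path, and lower-cases hash tokens, then scans constructed proxy and EDR log lines for the two hashes and two URLs listed on this page. The log lines and the `md5=` field format are constructed for the example.

```python
"""IoC matcher for the Mallox indicators listed above.

Added example, not part of the original report. The indicator values are the
two MD5 hashes and two URLs given in the report; SAMPLE_LOG is constructed and
is not real telemetry.
"""
import re
from typing import Optional
from urllib.parse import unquote, urlsplit

# Indicators from the report. URLs are stored as host + path so that scheme,
# host case and percent-encoding cannot defeat a match.
IOC_MD5 = {
    "9b772efb921de8f172f21125dd0e0ff7",
    "79b60f8b5052a9d4cc0c92c2cdc47485",
}
IOC_URLS = {
    "91.215.85.142/QWEwqdsvsf/ap.php",
    "whyers.io/QWEwqdsvsf/ap.php",
}

MD5_RE = re.compile(r"^[0-9a-fA-F]{32}$")

# Constructed sample log lines: proxy access entries and EDR file events.
SAMPLE_LOG = [
    "2024-03-01T02:06:00 10.0.0.5 GET http://whyers.io/QWEwqdsvsf/ap.php 200",
    "2024-03-01T02:06:03 10.0.0.5 POST http://91.215.85.142%2FQWEwqdsvsf%2Fap.php 200",
    "2024-03-01T02:06:10 10.0.0.9 GET https://example.com/QWEwqdsvsf/ap.php 404",
    "2024-03-01T02:07:00 host1 file_create C:\\Users\\Public\\payload.exe md5=9B772EFB921DE8F172F21125DD0E0FF7",
    "2024-03-01T02:07:05 host1 file_create C:\\Windows\\notepad.exe md5=00000000000000000000000000000000",
]


def normalise_url(token: str) -> Optional[str]:
    """Return 'host/path' for a URL-like token, or None if it is not one.

    Percent-decoding is repeated so that a double-encoded value (e.g. %252F)
    is reduced the same way as the single-encoded form used in the feed.
    """
    s = token.strip().strip("\"'<>")
    for _ in range(3):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    if "/" not in s and "." not in s:
        return None
    if "://" not in s:
        s = "http://" + s          # allow scheme-less indicators
    try:
        parts = urlsplit(s)
    except ValueError:
        return None
    if not parts.hostname:
        return None
    return f"{parts.hostname}{parts.path}"   # hostname is already lower-cased


def scan_lines(lines):
    """Scan text log lines; return (line_number, kind, indicator) tuples."""
    hits = []
    for n, line in enumerate(lines, start=1):
        for token in line.split():
            # hashes may be logged as key=value and in upper case
            candidate = token.split("=", 1)[-1]
            if MD5_RE.match(candidate) and candidate.lower() in IOC_MD5:
                hits.append((n, "md5", candidate.lower()))
                continue
            url = normalise_url(token)
            if url in IOC_URLS:
                hits.append((n, "url", url))
    return hits


if __name__ == "__main__":
    for hit in scan_lines(SAMPLE_LOG):
        print(hit)
```

Matching on host plus path (rather than on the full URL string) is deliberate: the third sample line carries the same `/QWEwqdsvsf/ap.php` path on an unrelated host and must not fire, while the second line, which uses the feed's `%2F` encoding, must. Keeping the path case-sensitive avoids collapsing distinct paths, since only the host part of a URL is case-insensitive.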