Cyble – Mallox Ransomware Showing Signs Of Increased Activity

Mallox ransomware activity has surged. A .NET-based loader downloads an encrypted payload and decrypts it in memory, so the ransomware binary itself never lands on disk. Before encrypting, the chain stops a long list of services and programs (GPS-related ones among them), which Cyble reads as a sign of interest in critical-infrastructure targets, and negotiations run through a private chat and leak site. #Mallox #MalloxLoader

Keypoints

  • Mallox activity has recently spiked, with observable samples and a leak site indicating ongoing campaigns.
  • An unknown .NET-based loader delivers Mallox by downloading encrypted payloads and decrypting them in memory, avoiding on-disk presence.
  • The encrypted payload is a 32‑bit .NET DLL (Wwxjdcapjnmuq.dll) decrypted in memory with a hardcoded AES key and then executed.
  • The loader uses IntelliLock obfuscation and dynamically loads the ransomware DLL as an assembly, creating a thread pool to run the code.
  • A batch file (Axfiysgodhtrlqmrgpchkiller.bat) is dropped to stop numerous services and programs (including GPS-related ones) before encryption.
  • Victim system information is exfiltrated to a C2 via HTTP POST before encryption; the ransom note points victims to a private chat and a test-decryption option.
  • Cyble infers possible targeting of critical infrastructure or OT-related operations from the GPS service disruption and related tooling; this is an inference from the kill list, not a confirmed victim set.

MITRE Techniques

  • [T1204] User Execution – The loader usually arrives via spam email with different lures to get users to download and execute the attachment. – “The loader usually arrives via spam email with different flavors to lure the users into downloading and executing the email attachment.”
  • [T1140] Deobfuscate/Decode Files or Information – The loader decrypts the payload to obtain the actual ransomware binary in memory and then executes it. – “The loader now decrypts the payload to get the actual ransomware binary in the memory and further executes this binary to perform ransomware activities.”
  • [T1562] Impair Defenses – The loader executes the malicious content in memory without writing the actual payload to disk, to evade anti-virus detection. – “The loader executes the malicious content in the memory without saving the actual payload in the disk to evade anti-virus detection.”
  • [T1082] System Information Discovery – Before encrypting files, the ransomware collects system information such as operating system version and desktop name and sends it to the Command & Control (C&C) server in a POST request. – “Before encrypting the files, the ransomware exfiltrates system information such as Operating system version, Desktop name, etc., and sends it to the Command & Control (C&C) server using a POST request as shown below.”
  • [T1083] File and Directory Discovery – The loader enumerates methods from the DLL and builds a list of method names and objects from the loaded assembly. Note that the quoted behaviour is reflection over an in-memory assembly rather than filesystem enumeration, so T1620 Reflective Code Loading is the closer fit. – “The loader enumerates methods from the DLL file and creates a list of method names and objects from the loaded assembly.”
  • [T1486] Data Encrypted for Impact – The ransomware then encrypts files, appends “.Mallox” as the file extension, and drops a ransom note in each folder. – “The ransomware then encrypts the files, appends “.Mallox” as a file extension, and drops a ransom note in the folders.”
  • [T1071] Application Layer Protocol – The ransomware talks to its C2 server over HTTP POST. – “sends it to the Command & Control (C&C) server using a POST request.”
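The three behaviours above that show up in endpoint telemetry (the dropped .bat firing a burst of service and process kills, a POST to the C2 from a non-browser process, and files renamed to the .Mallox extension) can be scored from process, network and file-rename events. The script below is an added example, not code from Cyble or from the malware; the event records are a constructed, Sysmon-like approximation with assumed field names, the file names and URLs are the page's own IOCs (refanged), and PIDs, timestamps, paths and service names are made up.

```python
"""Behavioural triage for the Mallox chain: kill burst, C2 POST, .Mallox renames.

Added example, not Cyble's or the malware's code. Event shape is a
constructed Sysmon-like approximation; field names are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

KILL_VERBS = ("net stop", "sc stop", "taskkill")
KILL_BURST = 5                        # >= this many kills from one parent...
KILL_WINDOW = timedelta(seconds=30)   # ...inside this window is a burst
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
MALLOX_EXT = ".mallox"


def _proc(ts, pid, ppid, image, cmd):
    return {"ts": ts, "type": "process", "pid": pid, "ppid": ppid,
            "image": image, "cmd": cmd}


def _net(ts, pid, image, method, url):
    return {"ts": ts, "type": "network", "pid": pid, "image": image,
            "method": method, "url": url}


def _rename(ts, pid, new):
    return {"ts": ts, "type": "file_rename", "pid": pid, "new": new}


# Constructed telemetry. File names and URLs are the page's IOCs (refanged);
# PIDs, timestamps, paths and service names (e.g. ExampleGpsSvc) are made up.
SAMPLE_EVENTS = [
    _proc("2022-12-01T10:00:00", 100, 1, "Cqasdqtamip.exe", "Cqasdqtamip.exe"),
    _net("2022-12-01T10:00:02", 100, "Cqasdqtamip.exe", "GET",
         "http://80.66.75.98/Chseiyk.jpeg"),
    _proc("2022-12-01T10:00:05", 101, 100, "cmd.exe",
          "cmd.exe /c Axfiysgodhtrlqmrgpchkiller.bat"),
    _proc("2022-12-01T10:00:06", 102, 101, "net.exe", "net stop MSSQLSERVER /y"),
    _proc("2022-12-01T10:00:06", 103, 101, "net.exe", "net stop SQLWriter /y"),
    _proc("2022-12-01T10:00:07", 104, 101, "taskkill.exe", "taskkill /f /im sqlservr.exe"),
    _proc("2022-12-01T10:00:08", 105, 101, "sc.exe", "sc stop ExampleGpsSvc"),
    _proc("2022-12-01T10:00:08", 106, 101, "net.exe", "net stop vss /y"),
    _net("2022-12-01T10:00:10", 100, "Cqasdqtamip.exe", "POST",
         "http://193.106.191.141/QWEwqdsvsf/ap.php"),
    _rename("2022-12-01T10:00:11", 100, "C:\\Users\\a\\report.docx.Mallox"),
    _rename("2022-12-01T10:00:11", 100, "C:\\Users\\a\\budget.xlsx.Mallox"),
    _rename("2022-12-01T10:00:12", 100, "C:\\Users\\a\\notes.txt.Mallox"),
    # benign noise: a browser login POST and a single admin service stop
    _net("2022-12-01T10:03:00", 200, "chrome.exe", "POST", "https://example.com/login.php"),
    _proc("2022-12-01T10:05:00", 201, 1, "net.exe", "net stop Spooler"),
]


def kill_bursts(events, threshold=KILL_BURST, window=KILL_WINDOW):
    """{parent_pid: kills} for parents spawning >= threshold kill commands
    inside a sliding window; the dropped .bat is such a parent."""
    by_parent = defaultdict(list)
    for ev in events:
        if ev["type"] == "process" and any(v in ev["cmd"].lower() for v in KILL_VERBS):
            by_parent[ev["ppid"]].append(datetime.fromisoformat(ev["ts"]))
    hits = {}
    for ppid, times in by_parent.items():
        times.sort()
        best = max(sum(1 for t in times[i:] if t - start <= window)
                   for i, start in enumerate(times))
        if best >= threshold:
            hits[ppid] = best
    return hits


def non_browser_posts(events):
    """POSTs from non-browser processes: the pre-encryption host-info beacon."""
    return [(ev["image"], ev["url"]) for ev in events
            if ev["type"] == "network" and ev["method"] == "POST"
            and ev["image"].lower() not in BROWSERS]


def mallox_renames(events):
    """Per-process count of renames that append the .Mallox extension."""
    counts = defaultdict(int)
    for ev in events:
        if ev["type"] == "file_rename" and ev["new"].lower().endswith(MALLOX_EXT):
            counts[ev["pid"]] += 1
    return dict(counts)


def triage(events):
    """Any one signal is a lead; all three on one host is the Mallox chain."""
    return {"kill_bursts": kill_bursts(events),
            "c2_posts": non_browser_posts(events),
            "mallox_renames": mallox_renames(events)}


if __name__ == "__main__":
    for name, finding in triage(SAMPLE_EVENTS).items():
        print(f"{name}: {finding}")
```

The kill-burst rule keys on the parent PID rather than on the .bat name, since the file name changes between builds while the pattern of many `net stop`/`taskkill` children in a few seconds does not; a lone administrator `net stop` stays below the threshold.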

Indicators of Compromise

  • [URL] Malicious URL – hxxp://80[.]66[.]75[.]98/Chseiyk.jpeg – Malicious loader delivery URL
  • [URL] Connected URL – hxxp://193[.]106[.]191[.]141/QWEwqdsvsf/ap.php – C2-related connection URL
  • [File Name] Cqasdqtamip.exe – 32-bit .NET loader name used in the chain
  • [File Name] Wwxjdcapjnmuq.dll – Mallox ransomware payload DLL
  • [File Name] Axfiysgodhtrlqmrgpchkiller.bat – Batch file dropped to stop services
  • [MD5] 2456c01f5348e5c08f7e818d51862c1a, 688e0b37794395cfecaf9cc519e3c26a – Mallox Loader
  • [SHA1] 625be3e4dbfb0bd35c9cda216a9bca7232dbec07, 296e19773f6fb7190d914ac556abe0125e5d7aa5 – Mallox Loader
  • [SHA256] 34da973f1d154672b245f7a13e6268b4ffc88dea1ca608206b32759ec5be040c – Mallox Loader
  • [MD5] b739be28cb9a30868112d4786bc11d37 – Mallox Loader (32 hex characters, so an MD5 digest, not SHA256)
  • [SHA256] b64606198c158f79287b215343d286adf959e89acb054f8f3db706f3c06f48aa – Mallox Payload
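Feeding the list above into detection needs two small steps that are easy to get wrong: refanging the URLs (hxxp, [.], and any sentence-final dot copied with the value) and filing each digest by its real algorithm, since a 32-hex-character value matches nothing if it is indexed as SHA256. The script below is an added example, not Cyble's tooling; the IOC values are the page's, while the proxy-log format and the file-hash inventory are constructed.

```python
"""IOC ingest and matching: refang URLs, relabel digests by length, match.

Added example, not Cyble's tooling. Proxy-log format and inventory are
constructed; the IOC values are the page's.
"""
import re
from urllib.parse import urlparse

HASH_KINDS = {32: "md5", 40: "sha1", 64: "sha256"}
HEX = re.compile(r"^[0-9a-f]+$")

# The page's digests as a feed would hand them over. One 32-hex-character
# value is filed under SHA256, a common copy error; the length check fixes it.
RAW_HASHES = [
    ("MD5", "2456c01f5348e5c08f7e818d51862c1a"),
    ("MD5", "688e0b37794395cfecaf9cc519e3c26a"),
    ("SHA1", "625be3e4dbfb0bd35c9cda216a9bca7232dbec07"),
    ("SHA1", "296e19773f6fb7190d914ac556abe0125e5d7aa5"),
    ("SHA256", "34da973f1d154672b245f7a13e6268b4ffc88dea1ca608206b32759ec5be040c"),
    ("SHA256", "b739be28cb9a30868112d4786bc11d37"),   # MD5-length, mislabelled
    ("SHA256", "b64606198c158f79287b215343d286adf959e89acb054f8f3db706f3c06f48aa"),
]
RAW_URLS = [
    "hxxp://80[.]66[.]75[.]98/Chseiyk.jpeg.",
    "hxxp://193[.]106[.]191[.]141/QWEwqdsvsf/ap.php.",
]


def refang(ioc):
    """Undo common defanging (hxxp, [.], [:]) and drop a trailing sentence dot."""
    return (ioc.strip().replace("hxxps://", "https://").replace("hxxp://", "http://")
            .replace("[.]", ".").replace("[:]", ":").rstrip("."))


def classify_hash(digest):
    """Name the algorithm from the digest length; reject non-hex input."""
    d = digest.strip().lower()
    if not HEX.match(d):
        raise ValueError(f"not a hex digest: {digest!r}")
    if len(d) not in HASH_KINDS:
        raise ValueError(f"unsupported digest length {len(d)}")
    return HASH_KINDS[len(d)]


def load_hashes(raw):
    """Bucket digests by actual algorithm. Returns (table, mislabelled), where
    mislabelled lists (feed_label, real_kind, digest) disagreements."""
    table = {k: set() for k in HASH_KINDS.values()}
    mislabelled = []
    for label, digest in raw:
        kind = classify_hash(digest)
        if kind != label.lower():
            mislabelled.append((label, kind, digest.lower()))
        table[kind].add(digest.lower())
    return table, mislabelled


def url_matchers(raw_urls):
    """(host, path) pairs for exact hits plus bare hosts for weaker hits."""
    full, hosts = set(), set()
    for u in raw_urls:
        p = urlparse(refang(u))
        full.add((p.hostname, p.path))
        hosts.add(p.hostname)
    return full, hosts


def match_proxy_log(lines, full, hosts):
    """Constructed log format: '<ts> <src_ip> <method> <url>'.
    Returns (exact_hits, host_only_hits) as lists of (src_ip, url)."""
    exact, host_only = [], []
    for line in lines:
        _ts, src, _method, url = line.split()
        p = urlparse(url)
        if (p.hostname, p.path) in full:
            exact.append((src, url))
        elif p.hostname in hosts:
            host_only.append((src, url))
    return exact, host_only


def match_inventory(inventory, table):
    """inventory: {path: {kind: digest}} -> [(path, kind, digest)] hits."""
    return [(path, kind, d.lower())
            for path, digests in inventory.items()
            for kind, d in digests.items()
            if d.lower() in table.get(kind, ())]


PROXY_LOG = [  # constructed
    "2022-12-07T09:12:01 10.0.0.15 GET http://80.66.75.98/Chseiyk.jpeg",
    "2022-12-07T09:12:09 10.0.0.15 POST http://193.106.191.141/QWEwqdsvsf/ap.php",
    "2022-12-07T09:13:00 10.0.0.22 GET http://193.106.191.141/other/path",
    "2022-12-07T09:13:30 10.0.0.30 GET https://example.com/index.html",
]
INVENTORY = {  # constructed paths; digests are the page's loader/payload hashes
    "C:\\Users\\a\\Downloads\\Cqasdqtamip.exe": {"md5": "688E0B37794395CFECAF9CC519E3C26A"},
    "C:\\Windows\\Temp\\x.dll": {"sha256": "b64606198c158f79287b215343d286adf959e89acb054f8f3db706f3c06f48aa"},
    "C:\\Windows\\Temp\\stage.bin": {"md5": "b739be28cb9a30868112d4786bc11d37"},
    "C:\\Program Files\\app\\app.exe": {"sha256": "00" * 32},
}


if __name__ == "__main__":
    table, bad = load_hashes(RAW_HASHES)
    print("relabelled:", bad)
    full, hosts = url_matchers(RAW_URLS)
    print("proxy:", match_proxy_log(PROXY_LOG, full, hosts))
    print("files:", match_inventory(INVENTORY, table))
```

Host-only hits are kept separate from exact URL hits because the same C2 host may serve other paths to other victims; they are worth a look but carry less weight than a match on the exact download or beacon path.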

Read more: https://blog.cyble.com/2022/12/08/mallox-ransomware-showing-signs-of-increased-activity/