Mallox Ransomware Being Distributed in Korea – ASEC BLOG

ASEC/ASEC Security Emergency Response Center (AhnLab) reports Mallox ransomware distribution in Korea, targeting vulnerable MS-SQL servers. The malware disguises itself as a DirectPlay-related program, downloads a Base64-encoded DLL, uses PowerShell and process injection, and encrypts files with a .mallox extension while removing traces of the infection.

Keypoints

  • Mallox ransomware distribution is observed in Korea and targets vulnerable MS-SQL servers.
  • The ransomware disguises itself as a DirectPlay-related program and downloads additional malware to run in memory.
  • The downloaded payload is a Base64-encoded DLL built with .NET that is decoded and executed, with delayed behavior using PowerShell and process injection.
  • The malware checks language settings (LangID) to exclude infection in certain locales (e.g., Russia, Kazakhstan, Belarus, Ukraine).
  • After the LangID check, it deletes registry entries, disables recovery, terminates SQL services/processes, and proceeds to encrypt targeted files with a .mallox extension.
  • Observations include explicit IOCs (MD5 hashes and C2 URLs) and documented file/path exclusions used to avoid infection in certain environments.

MITRE Techniques

  • [T1105] Ingress Tool Transfer – Malware connects to a remote address, downloads additional malware, and runs it in memory. ‘connects to a certain address, downloads additional malware, and runs it in the memory.’
  • [T1059.001] PowerShell – The loaded DLL performs a delayed behavior through PowerShell and runs recursion on the process before injection. ‘delayed behavior through PowerShell and runs recursion on the process before injection.’
  • [T1055] Process Injection – The malware runs recursion on the process before injection, indicating code injection into a process. ‘runs recursion on the process before injection.’
  • [T1112] Modify Registry – It performs registry changes, including registry deletion. ‘Registry deletion’
  • [T1490] Inhibit System Recovery – It disables recovery to hinder restoration. ‘disable recovery’
  • [T1041] Exfiltration Over C2 Channel – Exfiltration of infected PC information is performed. ‘exfiltration of infected PC information’
  • [T1486] Data Encrypted for Impact – Files are encrypted with the .mallox extension. ‘Files are encrypted with [Original File Name].mallox’
  • [T1027] Obfuscated/Compressed Files and Info – A data file encoded in Base64 is downloaded and later decoded to a DLL. ‘data file encoded in Base64’
  • [T1012] Query Registry – LangID scan is performed to determine language settings before infection. ‘Lang ID’ and ‘UserDefaultLangID’

Indicators of Compromise

  • [MD5] Initial loader – 0646ae6d3584f81c257485ade2624e71, efe4fffe822e92cf222c31178b95e112 and 2 more hashes
  • [URL] C2 – hxxp://80.66.75[.]36/a-Ubxdzddvl.png, hxxp://80.66.75[.]36/a-Vxnwcwh.dat
  • [IP] C2 host – 80.66.75.36
  • [File extension] Encrypted file extension – .mallox
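The indicators above can be turned into a small triage check. The following Python is an added example written for this summary, not code from ASEC or AhnLab: it refangs the defanged C2 URLs, matches proxy-style log lines against the listed URLs and C2 IP, compares an MD5 inventory (as exported from an EDR or hashing tool) against the two loader hashes given on the page, and flags file names carrying the .mallox extension. The log lines, file inventory and path names are constructed for the example; the IOC values themselves are the ones listed above.

```python
import hashlib
import re

# IOCs as listed on the page. Only the two MD5 hashes the summary spells out are
# included; the page says two more exist but does not list them.
MALLOX_MD5 = {
    "0646ae6d3584f81c257485ade2624e71",
    "efe4fffe822e92cf222c31178b95e112",
}
MALLOX_URLS_DEFANGED = [
    "hxxp://80.66.75[.]36/a-Ubxdzddvl.png",
    "hxxp://80.66.75[.]36/a-Vxnwcwh.dat",
]
MALLOX_C2_IP = "80.66.75.36"
MALLOX_EXT = ".mallox"


def refang(ioc: str) -> str:
    """Convert a defanged indicator (hxxp, [.]) back into the form seen in logs."""
    return ioc.replace("hxxp", "http").replace("[.]", ".")


MALLOX_URLS = {refang(u) for u in MALLOX_URLS_DEFANGED}

# IP must not be part of a longer dotted number (e.g. 180.66.75.36 or 80.66.75.361).
_C2_IP_RE = re.compile(r"(?<![\d.])" + re.escape(MALLOX_C2_IP) + r"(?![\d.])")


def scan_log_lines(lines):
    """Return (line_no, indicator) for each line mentioning a listed URL or the C2 IP.

    A URL hit takes precedence over the bare IP so a line is reported once.
    """
    hits = []
    for no, line in enumerate(lines, 1):
        for url in MALLOX_URLS:
            if url in line:
                hits.append((no, url))
                break
        else:
            if _C2_IP_RE.search(line):
                hits.append((no, MALLOX_C2_IP))
    return hits


def md5_hex(data: bytes) -> str:
    """MD5 of raw bytes, for building an inventory from files on disk."""
    return hashlib.md5(data).hexdigest()


def match_hash_inventory(inventory):
    """inventory: dict path -> MD5 hex string. Return paths matching a listed loader hash."""
    return sorted(p for p, h in inventory.items() if h.lower() in MALLOX_MD5)


def find_encrypted_names(paths):
    """Return paths whose name ends with the .mallox extension described on the page."""
    return [p for p in paths if p.lower().endswith(MALLOX_EXT)]


# Constructed sample data for the example (not from the ASEC report).
SAMPLE_PROXY_LOG = [
    "2024-01-01T10:00:01 10.0.0.5 GET http://80.66.75.36/a-Ubxdzddvl.png 200",
    "2024-01-01T10:00:02 10.0.0.5 GET http://example.com/index.html 200",
    "2024-01-01T10:00:03 10.0.0.7 CONNECT 80.66.75.36:80",
    "2024-01-01T10:00:04 10.0.0.8 GET http://180.66.75.36/x 200",
]
SAMPLE_INVENTORY = {
    r"C:\Users\Public\svc.exe": "0646AE6D3584F81C257485ADE2624E71",
    r"C:\Windows\System32\notepad.exe": "d41d8cd98f00b204e9800998ecf8427e",
}
SAMPLE_PATHS = [r"D:\share\report.docx.mallox", r"D:\share\notes.txt"]


def triage():
    """Run all three checks over the constructed sample data and return the findings."""
    return {
        "network": scan_log_lines(SAMPLE_PROXY_LOG),
        "hashes": match_hash_inventory(SAMPLE_INVENTORY),
        "encrypted": find_encrypted_names(SAMPLE_PATHS),
    }


if __name__ == "__main__":
    for kind, findings in triage().items():
        print(f"{kind}: {findings}")
```

The IP regex uses look-around so that `180.66.75.36` in the fourth sample line is not reported as the C2 host; hash comparison is case-insensitive because tools export MD5 in either case.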

Read more: https://asec.ahnlab.com/en/49366/