Mallox ransomware has expanded from Windows to Linux, introducing a Python-based delivery and management framework with a Flask web panel to create and distribute Linux encryptors. The malware uses AES-256-CBC to encrypt data, appends .lmallox or .locked extensions, and leaves ransom notes while making decryptors available on a remote server. #Mallox #Fargo #TargetCompany #Mawahelper #MalloxLinux #AES256
Key points
- Mallox (also known as Fargo, TargetCompany, Mawahelper) has been active since mid-2021 and moved to Ransomware-as-a-Service distribution from mid-2022.
- The group pursues multi-extortion, encrypting data and threatening to publish it on public TOR-based sites.
- Early Mallox payloads were .NET/.EXE/.DLL delivered via exposed MS-SQL servers and phishing/spam emails on Windows systems; Linux variants now use a Python-based delivery framework.
- A Python script named web_server.py creates a Flask-based web panel to generate and manage Mallox builds for Linux, including user authentication, build management, and admin functions.
- The encryptor uses AES-256-CBC with a specific IV and key, appends .lmallox, and drops a ransom note; a corresponding decryptor is hosted at a remote server path.
- I/O and configuration details (build IDs, ransom notes, BTC address, etc.) are exposed in the decrypted config and index directories, illustrating the actor’s tooling and workflow.
- Uptycs highlights XDR/YARA coverage for Mallox and provides guidance on hunting Mallox infrastructure via FOFA and Censys; indicators of compromise include specific IPs, MD5 hashes, and file names.
MITRE Techniques
- [T1059.006] Python – The attackers use custom Python scripts for payload delivery and exfiltration of victim information. Quote: “…using custom python scripts for the purpose of payload delivery and victim’s information exfiltration…”
- [T1566.001] Phishing – The campaign leverages phishing or spam emails to target Windows systems. Quote: “…phishing or spam emails to target Windows systems.”
- [T1133] External Remote Services – Exposed MS-SQL servers serve as one of the vectors through which the malware spreads. Quote: “…including exposed MS-SQL servers and phishing or spam emails…”
- [T1486] Data Encrypted for Impact – The malware encrypts user data and appends the .locked extension to the encrypted files. Quote: “The malware encrypts user data and appends .locked extension to the encrypted files.”
- [T1027] Obfuscated/Compressed Files and Information – The sample contains base64-encoded content that is not standard base64, later converted to hex and XORed before AES decryption. Quote: “Let’s discuss the Ransomware Encryptor. Upon examining the strings… a base64-encoded content that appears not to be standard base64.”
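The decoding chain described under T1027, as an added example that is not code from the Uptycs write-up or from the actor's tooling: it peels a custom-alphabet base64 layer, a hex layer and a repeating-key XOR before AES-256-CBC decryption, and reports nil when any layer does not fit. The alphabet, XOR key, AES key and IV are constructed placeholders (the real ones are not on the page), and the step order is one reading of the page's description; it is written in Ruby against its bundled OpenSSL binding.

```ruby
require 'openssl'
require 'base64'

# Constructed alphabet (letters and digits of the standard one reversed); the
# sample's real alphabet, XOR key, AES-256 key and IV are not on the page.
STD_ALPHABET    = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'
CUSTOM_ALPHABET = 'zyxwvutsrqponmlkjihgfedcbaZYXWVUTSRQPONMLKJIHGFEDCBA9876543210+/'

# Repeating-key XOR; the operation is its own inverse.
def xor_with_key(data, key)
  data.bytes.each_with_index.map { |b, i| b ^ key.getbyte(i % key.bytesize) }.pack('C*')
end

# Peel the layers in the order an analyst meets them:
# custom base64 -> hex text -> bytes -> XOR -> AES-256-CBC (PKCS#7 padded).
# Returns the plaintext, or nil when the blob, key size or hex layer is wrong.
def decode_config(blob, xor_key, aes_key, iv)
  hex_text = Base64.strict_decode64(blob.tr(CUSTOM_ALPHABET, STD_ALPHABET))
  return nil unless hex_text.match?(/\A(?:[0-9a-f]{2})+\z/)
  cipher = OpenSSL::Cipher.new('aes-256-cbc').decrypt
  cipher.key = aes_key # raises ArgumentError unless exactly 32 bytes
  cipher.iv = iv
  cipher.update(xor_with_key([hex_text].pack('H*'), xor_key)) + cipher.final
rescue ArgumentError, OpenSSL::Cipher::CipherError
  nil # a bad padding error is how a wrong key, IV or XOR key usually surfaces
end

# Apply the same layers forward; used only to build test input for the decoder.
def encode_config(plain, xor_key, aes_key, iv)
  cipher = OpenSSL::Cipher.new('aes-256-cbc').encrypt
  cipher.key = aes_key
  cipher.iv = iv
  ct = cipher.update(plain) + cipher.final
  Base64.strict_encode64(xor_with_key(ct, xor_key).unpack1('H*')).tr(STD_ALPHABET, CUSTOM_ALPHABET)
end
```

Feeding a blob through standard base64 instead of the custom alphabet yields bytes that fail the hex check, which is the quickest way to confirm that a sample's alphabet is non-standard.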
Indicators of Compromise
- [File name] Webserver.py, decryptor, encryptor, and READ_THIS_NOW.txt
Read more: https://www.uptycs.com/blog/mallox-ransomware-linux-variant-decryptor-discovered