“Unveiling the Mallox Ransomware Attack: Exposed Data and Encryption Tactics”

Trustwave investigated an unauthorized-access incident in a client's cloud-based environment in which a misconfiguration led to the deployment of Mallox ransomware. Mallox has evolved into a Ransomware-as-a-Service (RaaS) operation that uses double extortion and a dark web leak site to pressure victims into paying.

Key points

  • Unauthorized access occurred in a cloud-based environment due to misconfiguration.
  • Mallox ransomware (also known as FARGO/TargetCompany) first emerged in June 2021 and has evolved beyond Windows to Linux and VMware ESXi.
  • Mallox operates under a Ransomware-as-a-Service (RaaS) model, expanding its reach through affiliates.
  • Double extortion is used: encrypting data and threatening to leak stolen information through a dedicated dark web leak site.
  • Initial access was gained via brute-forcing an exposed MS SQL server.
  • The operation employs downloaders/droppers, reflective loading, batch scripts, and registry/service manipulation to deploy and conceal the ransomware.

MITRE Techniques

  • [T1078] Initial Access – Brute-force attacks on exposed MS SQL servers. – “The threat actors gained initial access to the organization’s internal system by brute-forcing the exposed MS SQL server.”
  • [T1203] Execution – Batch scripts and command execution to deploy ransomware. – “Once inside, the threat actors executed a series of Invoke-WebRequest commands to download ransomware droppers, downloaders, and auxiliary batch scripts from a remote server to elevate control and further enhance the attack.”
  • [T1547] Persistence – Modification of registry keys to maintain persistence.
  • [T1068] Privilege Escalation – Elevation of privileges to take ownership of files and processes.
  • [T1218] Defense Evasion – Reflective loading to evade antivirus detection.
  • [T1486] Impact – Data encryption and threat of data leaks to pressure victims.

Indicators of Compromise

  • [File Name] Downloaders – 6PYADPZW.exe, 8UDR7AZ1.exe
  • [MD5 / SHA256] Hashes for downloaders – ccf817dcd04c768f8d2def4e4e393375 (MD5), c5d11d6d9036a7a500242fb080f5a1600cba4c4a639d516ee7b1a6b7e185e0db (SHA256)
  • [SHA256] Hash – e92f5d73a8cb1aa132602d3f35f2c2005deba64df99dcfff4e2219819ab3fffd
  • [IP Address] Public IPs involved – 80.66.76.30, 80.66.75.44
  • [C2 / URL] Command-and-control – 91.215.85.142, http://91.215.85.142/QWEwqdsvsf/ap.php
  • [Download URL] Sample payloads – http://80.66.76.30/Yvpvuzho.wav, http://80.66.76.30/Zibgsfhbkzt.dat

Read more: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/exposed-and-encrypted-inside-a-mallox-ransomware-attack/