Cyber Security News

New Mallox Ransomware Linux Variant Attacking Enterprise Linux Servers

Kryptina, a free and open-source ransomware-as-a-service (RaaS) platform for Linux, initially struggled to attract attention.

That changed after a Mallox affiliate's staging server was exposed in May 2024: the leaked data contained a modified Kryptina build rebranded as Mallox v1.0.

The research compares the original Kryptina RaaS (v2.2) with Mallox v1.0 using the leaked data, and finds that the Mallox variant adds functionality to the platform, making it a more attractive option for threat actors looking to launch Linux ransomware campaigns.

First discovery of an open directory on the Mallox affiliate server

Mallox is a mature ransomware-as-a-service platform that has been active since 2021, targeting enterprises by exploiting vulnerabilities and through brute-force attacks. Kryptina was initially sold by a user known as "Corlys" and was later leaked online, exposing its source code.

The May 2024 affiliate leak then showed a Mallox affiliate using Kryptina-derived code for its Linux payloads, which points to either collaboration with the Kryptina author or customization of the leaked code by the affiliate.

However, Kryptina-derived code appears to be unique to this affiliate within the Mallox ecosystem, so the relationship between the two projects remains unclear; independent development by the affiliate or acquisition of the code are both possible.

Kryptina database in Mallox leak

Threat actors repurposed the leaked Kryptina ransomware source code to create Mallox Linux 1.0. The core functionality, AES-256-CBC file encryption and decryption via OpenSSL, is unchanged.


While Kryptina branding is removed from most files, references persist in function names (e.g., krptna_process_file) within the /src folder. Mallox includes a stripped-down version of the original Kryptina documentation translated into Russian. 

Ransom note templates were modified to carry Mallox branding. The core encryptor source file (kryptina.c) retains the original Kryptina file name, but its comments and debug messages have been updated for Mallox.

Similarly, the scripting_demo.py script used for automated payload builds was minimally modified to remove Kryptina references.  


Both the Kryptina and Mallox makefiles build the encryptor and decryptor payloads and offer several build modes: demo, debug, symbols and arch32. Build-time parameters control the XOR key, thread count, self-deletion, file-size constraints and secure deletion.

The Mallox makefile adds parameters for payload type (crypto or decryptor), compression level, and a custom payload header. Because these options change per build, two payloads compiled from the same source can differ in symbols, debug output and key material, so indicators extracted from one sample should be checked against others before being relied on.

Kryptina makefile

The May 2024 affiliate leak also exposed a trove of target-specific data: 14 subfolders, one per potential victim, each holding a config.json and compiled encryptor/decryptor binaries. The payment addresses and ransom note templates were identical across these folders.

According to Sentinel Labs, the config files specified details such as payment type, payment addresses and ransom note content, indicating a coordinated and targeted attack campaign.
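Analysts handling a dump like this usually want to confirm the "identical addresses across victims" observation mechanically rather than by eye. The script below is an added example, not SentinelLabs' tooling or data: it builds a small constructed leak layout, parses every per-victim config.json (reporting truncated files instead of aborting), and groups victims by payment address and ransom-note text. The field names payment_type, payment_address and ransom_note, the folder names and the placeholder addresses are all assumptions; the article only says the configs carried payment type, addresses and note content.

```python
"""Triage a leaked RaaS affiliate directory: parse every per-victim config.json
and group victims by payment address and ransom-note text.
Added example with a constructed sample layout; not the real leak or its tooling."""
import json
import os
import tempfile
from collections import defaultdict

# Constructed sample. Field names are assumptions (the article only says each
# config.json carried payment type, addresses and ransom note content).
# Addresses are placeholders, not real wallets.
SHARED_NOTE = "ALL YOUR FILES ARE ENCRYPTED. Contact us at the address below.\n"
SAMPLE_FILES = {
    "targets/acme_corp/config.json": json.dumps(
        {"payment_type": "btc", "payment_address": "FAKE-ADDR-1", "ransom_note": SHARED_NOTE}),
    "targets/globex/config.json": json.dumps(
        {"payment_type": "btc", "payment_address": "FAKE-ADDR-1", "ransom_note": SHARED_NOTE}),
    "targets/initech/config.json": json.dumps(
        {"payment_type": "btc", "payment_address": "FAKE-ADDR-1", "ransom_note": SHARED_NOTE}),
    "targets/umbrella/config.json": json.dumps(
        {"payment_type": "xmr", "payment_address": "FAKE-ADDR-2", "ransom_note": SHARED_NOTE}),
    # A truncated file, as dumps often contain: it must be reported, not abort the run.
    "targets/broken/config.json": '{"payment_type": "btc", "payment_address":',
    # Compiled payloads sit beside the configs; they are ignored by this script.
    "targets/acme_corp/encryptor.bin": "not a real ELF",
}


def write_sample_leak(root):
    """Materialise the constructed layout under root and return root."""
    for rel, body in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


def load_configs(root):
    """Walk the dump and parse every config.json.

    Returns (configs, errors): configs maps victim folder -> parsed dict,
    errors maps victim folder -> parse/read error text for unreadable files."""
    configs, errors = {}, {}
    for dirpath, _, files in os.walk(root):
        if "config.json" not in files:
            continue
        victim = os.path.relpath(dirpath, root).replace(os.sep, "/")
        try:
            with open(os.path.join(dirpath, "config.json"), encoding="utf-8") as fh:
                configs[victim] = json.load(fh)
        except (OSError, json.JSONDecodeError) as exc:
            errors[victim] = str(exc)
    return configs, errors


def summarize(configs):
    """Group victims by payment address and note text; a shared address across
    several victim folders is the campaign-level signal the article describes."""
    by_address, by_note, payment_types = defaultdict(list), defaultdict(list), defaultdict(int)
    for victim, cfg in sorted(configs.items()):
        by_address[cfg.get("payment_address", "<missing>")].append(victim)
        by_note[cfg.get("ransom_note", "").strip()].append(victim)
        payment_types[cfg.get("payment_type", "<missing>")] += 1
    return {
        "victim_count": len(configs),
        "payment_types": dict(payment_types),
        "unique_addresses": len(by_address),
        "shared_addresses": {a: v for a, v in by_address.items() if len(v) > 1},
        "unique_notes": len(by_note),
    }


def run_demo():
    """Build the sample dump in a temp dir, triage it and return all results."""
    root = write_sample_leak(tempfile.mkdtemp(prefix="leak_"))
    configs, errors = load_configs(root)
    return {"configs": configs, "errors": errors, "report": summarize(configs)}


if __name__ == "__main__":
    result = run_demo()
    rep = result["report"]
    print(f"parsed {rep['victim_count']} configs, unreadable: {sorted(result['errors'])}")
    for addr, victims in rep["shared_addresses"].items():
        print(f"address {addr} reused across {len(victims)} victims: {victims}")
```

For a real dump, point load_configs at the extracted directory and adapt the field names to whatever the configs actually use. Unreadable files are listed rather than silently dropped, so a truncated or partially exfiltrated config does not make a victim disappear from the count.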

The leaked affiliate server also held tooling for Windows targets, including an exploit for CVE-2024-21338 (a Windows privilege escalation flaw) and a tool to disable Kaspersky endpoint products.

Other items found on the server include PowerShell scripts and a JAR file that launches a PowerShell script to download Mallox.

The server also contains a full offline installer of the Java JRE and additional dropper/payload sets for 32-bit and 64-bit systems.


Gurubaran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.
