Tuesday, April 29, 2025
HomeCyber AttackBeware! Mallox Ransomware Attacks IT Industries With a New Attack Pattern

Beware! Mallox Ransomware Attacks IT Industries With a New Attack Pattern

Published on

SIEM as a Service

Follow Us on Google News

A new variant of Mallox ransomware, also known as “Target company” ransomware, adopts a unique method of appending the name of the targeted company as a file extension to encrypt the files and launch the ransomware attack.

The Mallox threat actor distributes ransomware via a downloader attached to spam emails by targeting unsecured internet-facing Microsoft SQL servers.  

Mallox ransomware encrypts files on compromised machines and typically adds a “. mallox” extension to the affected files. 

- Advertisement - Google News

Mallox targets industries such as Manufacturing, Energy & Utilities sectors, IT & ITES, and Professional Services.

Mallox Ransomware Attack Vector

Mallox ransomware initiates the attack via a malicious attachment that can either be an executable file that downloads Bat Loader from a remote server or may directly contain it. 

The new variant doesn’t need a downloader to retrieve the ransomware payload from a remote server. The bat loader will be delivered directly through the attachment in a phishing email.  

Instead, the ransomware payload is contained within a batch script, which is then injected into “MSBuild.exe”, without saving it on the disk 

Infection Chain

 
Once the user clicks on the attachment, the various variables defined in random sequences in the batch script file will be combined through concatenation to execute commands. 

Secondly, Base64 encoded content provided as a parameter is executed for extracting the ransomware payload from the BatLoader.  

The script achieves this extraction by scanning the initial BatLoader and identifying lines with the substring “ck”. When a line with “ck” is found, the script appends the substring following “ck” to an object using the Append method. 

This PowerShell script also drops a batch script named “killerrr.bat” in the %TEMP% directory, which can perform the following operations: 

  • Kill over 600 processes using the taskkill /IM command. 
  • Stops over 200 services using the net stop command. 
  • Disables over 13 services using the sc config Service_Name start= disabled power. 
  • Deletes over 200 services using the sc delete command. 
  • Removes 2 directories “C:\Program Files (x86)\Kingdee\K3ERP\K3Express\KDHRAPP\client\log” and “C:\Program Files\Kingdee\K3ERP\K3Express\Logs” 

Finally, The ransomware binary is injected into the MSBuild.exe through this PowerShell script. Here is the ransomware notes where attackers provided the details about the contact information and the ransom demand to decrypt the files.

Mallox ransomware has publicly disclosed details of over 20 victims from over 15 countries, with India being the most targeted nation, followed by the United States, Cyble Researchers said.

To prevent data breaches due to ransomware attacks, one must follow the below steps 

  • Conduct regular backup practices and keep those backups offline or in a separate network.  
  • Keep updated on your computer, mobile, and other connected devices wherever possible and pragmatic.  
  • Use a reputed anti-virus and Internet security software package on your connected devices, including PC, laptop, and mobile.  
  • Refrain from opening untrusted links and email attachments without verifying their authenticity.  

“AI-based email security measures Protect your business From Email Threats!” – .

Indicators of Compromise (IOCs) 

Indicators Indicator Type Description 
dcf060e00547cfe641eff3f836ec08c8 
8054569d8b449e4cd0211cb2499c19f42557fb21 
2565158b0a023299c1922423a065b982g5fd1769f1a87ffd2031375a0e893d523318 
MD5 
SHA1 
SHA256 
BatLoader 
9a239885dc7044a9289610d58585167b 
28b8b4c9fe29ba0e815e525d2529b92217877e85 
0de0da8037176c3c9cb403e2865a7699e53ff5a013070132ba512b9dab7a0126 
MD5 
SHA1 
SHA256 
Killerrr.bat 
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

JokerOTP Platform Linked to 28,000+ Phishing Attacks Dismantled

Law enforcement agencies from the UK and the Netherlands have dismantled the notorious JokerOTP...

Windows Server 2025 Gets Hotpatching Support Beginning July 1, 2025

Microsoft announced that hotpatching support for Windows Server 2025 will become generally available as...

Critical Linux Kernel Flaw (CVE-2025-21756) Allows Privilege Escalation

A newly disclosed vulnerability in the Linux kernel, tracked as CVE-2025-21756 and dubbed “Attack of the...

Massive Attack: 4,800+ IPs Used to Target Git Configuration Files

A recent surge in cyber reconnaissance has put thousands of organizations at risk after...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

RansomHub Ransomware Deploys Malware to Breach Corporate Networks

The eSentire’s Threat Response Unit (TRU) in early March 2025, a sophisticated cyberattack leveraging...

Fog Ransomware Reveals Active Directory Exploitation Tools and Scripts

Cybersecurity researchers from The DFIR Report’s Threat Intel Group uncovered an open directory hosted...

Advanced Multi-Stage Carding Attack Hits Magento Site Using Fake GIFs and Reverse Proxy Malware

A multi-stage carding attack has been uncovered targeting a Magento eCommerce website running an...