Wednesday, December 6, 2023

Beware! Mallox Ransomware Attacks IT Industries With a New Attack Pattern

A new variant of Mallox ransomware, also known as “Target company” ransomware, adopts a unique method of appending the name of the targeted company as a file extension to encrypt the files and launch the ransomware attack.

The Mallox threat actor distributes ransomware via a downloader attached to spam emails by targeting unsecured internet-facing Microsoft SQL servers.  

Mallox ransomware encrypts files on compromised machines and typically adds a “. mallox” extension to the affected files. 

Mallox targets industries such as Manufacturing, Energy & Utilities sectors, IT & ITES, and Professional Services.

Mallox Ransomware Attack Vector

Mallox ransomware initiates the attack via a malicious attachment that can either be an executable file that downloads Bat Loader from a remote server or may directly contain it. 

The new variant doesn’t need a downloader to retrieve the ransomware payload from a remote server. The bat loader will be delivered directly through the attachment in a phishing email.  

Instead, the ransomware payload is contained within a batch script, which is then injected into “MSBuild.exe”, without saving it on the disk 

Infection Chain

Once the user clicks on the attachment, the various variables defined in random sequences in the batch script file will be combined through concatenation to execute commands. 

Secondly, Base64 encoded content provided as a parameter is executed for extracting the ransomware payload from the BatLoader.  

The script achieves this extraction by scanning the initial BatLoader and identifying lines with the substring “ck”. When a line with “ck” is found, the script appends the substring following “ck” to an object using the Append method. 

This PowerShell script also drops a batch script named “killerrr.bat” in the %TEMP% directory, which can perform the following operations: 

  • Kill over 600 processes using the taskkill /IM command. 
  • Stops over 200 services using the net stop command. 
  • Disables over 13 services using the sc config Service_Name start= disabled power. 
  • Deletes over 200 services using the sc delete command. 
  • Removes 2 directories “C:\Program Files (x86)\Kingdee\K3ERP\K3Express\KDHRAPP\client\log” and “C:\Program Files\Kingdee\K3ERP\K3Express\Logs” 

Finally, The ransomware binary is injected into the MSBuild.exe through this PowerShell script. Here is the ransomware notes where attackers provided the details about the contact information and the ransom demand to decrypt the files.

Mallox ransomware has publicly disclosed details of over 20 victims from over 15 countries, with India being the most targeted nation, followed by the United States, Cyble Researchers said.

To prevent data breaches due to ransomware attacks, one must follow the below steps 

  • Conduct regular backup practices and keep those backups offline or in a separate network.  
  • Keep updated on your computer, mobile, and other connected devices wherever possible and pragmatic.  
  • Use a reputed anti-virus and Internet security software package on your connected devices, including PC, laptop, and mobile.  
  • Refrain from opening untrusted links and email attachments without verifying their authenticity.  

“AI-based email security measures Protect your business From Email Threats!” – Request a Free Demo.

Indicators of Compromise (IOCs) 

Indicators Indicator Type Description 

Latest articles

BlueNoroff: New Malware Attacking MacOS Users

Researchers have uncovered a new Trojan-attacking macOS user that is associated with the BlueNoroff APT...

Serpent Stealer Acquires Browser Passwords and Erases Intrusion Logs

Beneath the surface of the cyber realm, a silent menace emerges—crafted with the precision...

Doppelgänger: Hackers Employ AI to Launch Highly sophistication Attacks

It has been observed that threat actors are using AI technology to conduct illicit...

Kali Linux 2023.4 Released – What’s New!

Kali Linux 2023.4, the latest version of Offensive Security's renowned operating system, has been...

Trickbot Malware Developer Pleads Guilty & Faces 35 Years in Prison

A 40-year-old Russian national, Vladimir Dunaev, pleaded guilty for developing and deploying Trickbot malware....

ICANN Launches RDRS to Assist Law Enforcement Agencies to Discover Private Info

ICANN is a non-profit organization that is responsible for coordinating the global internet's-DNSIP address...

Hackers Use Weaponized Documents to Attack U.S. Aerospace Industry

An American aerospace company has been the target of a commercial cyberespionage campaign dubbed...
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

API Attack Simulation Webinar

Live API Attack Simulation

In the upcoming webinar, Karthik Krishnamoorthy, CTO and Vivek Gopalan, VP of Products at Indusface demonstrate how APIs could be hacked.The session will cover:an exploit of OWASP API Top 10 vulnerability, a brute force account take-over (ATO) attack on API, a DDoS attack on an API, how a WAAP could bolster security over an API gateway

Related Articles