A new variant of Mallox ransomware, also known as “Target company” ransomware, adopts a unique method of appending the name of the targeted company as a file extension to encrypt the files and launch the ransomware attack.
The Mallox threat actor distributes ransomware via a downloader attached to spam emails by targeting unsecured internet-facing Microsoft SQL servers.
Mallox ransomware encrypts files on compromised machines and typically adds a “. mallox” extension to the affected files.
Mallox targets industries such as Manufacturing, Energy & Utilities sectors, IT & ITES, and Professional Services.
Mallox ransomware initiates the attack via a malicious attachment that can either be an executable file that downloads Bat Loader from a remote server or may directly contain it.
The new variant doesn’t need a downloader to retrieve the ransomware payload from a remote server. The bat loader will be delivered directly through the attachment in a phishing email.
Instead, the ransomware payload is contained within a batch script, which is then injected into “MSBuild.exe”, without saving it on the disk
Once the user clicks on the attachment, the various variables defined in random sequences in the batch script file will be combined through concatenation to execute commands.
Secondly, Base64 encoded content provided as a parameter is executed for extracting the ransomware payload from the BatLoader.
The script achieves this extraction by scanning the initial BatLoader and identifying lines with the substring “ck”. When a line with “ck” is found, the script appends the substring following “ck” to an object using the Append method.
This PowerShell script also drops a batch script named “killerrr.bat” in the %TEMP% directory, which can perform the following operations:
Finally, The ransomware binary is injected into the MSBuild.exe through this PowerShell script. Here is the ransomware notes where attackers provided the details about the contact information and the ransom demand to decrypt the files.
Mallox ransomware has publicly disclosed details of over 20 victims from over 15 countries, with India being the most targeted nation, followed by the United States, Cyble Researchers said.
To prevent data breaches due to ransomware attacks, one must follow the below steps
Indicators | Indicator Type | Description |
dcf060e00547cfe641eff3f836ec08c8 8054569d8b449e4cd0211cb2499c19f42557fb21 2565158b0a023299c1922423a065b982g5fd1769f1a87ffd2031375a0e893d523318 | MD5 SHA1 SHA256 | BatLoader |
9a239885dc7044a9289610d58585167b 28b8b4c9fe29ba0e815e525d2529b92217877e85 0de0da8037176c3c9cb403e2865a7699e53ff5a013070132ba512b9dab7a0126 | MD5 SHA1 SHA256 | Killerrr.bat |
A stealthy Command-and-Control (C2) infrastructure Red Team tool named ConvoC2 showcases how cyber attackers can…
Cybersecurity researchers have uncovered a sophisticated exploitation campaign involving a zero-day (0-day) vulnerability in Cleo…
GitLab announced the release of critical security patches for its Community Edition (CE) and Enterprise…
Researchers have uncovered a vulnerability that allows attackers to compromise AMD's Secure Encrypted Virtualization (SEV)…
Splunk, the data analysis and monitoring platform, is grappling with a Remote Code Execution (RCE)…
In a major international operation codenamed “PowerOFF,” Europol, collaborating with law enforcement agencies across 15…