Mallox is a sophisticated ransomware that is known for its destructive capabilities and multi-extortion tactics, which include encrypting victims’ data and threatening to publish it on public TOR-based websites.
In 2023, it demonstrated significant expansion with more than 700 distinct samples identified.
Mallox has been active since mid-2021, and the cybersecurity researchers at Kaspersky Lab recently discovered that it has evolved into a Ransomware-as-a-Service (RaaS) model by 2023.
The Mallox RaaS affiliate program is actively recruiting partners through dark web forums, expanding its global reach, and causing substantial damage to organizations worldwide.
This persistent threat leverages advanced encryption algorithms, employs evasion techniques to bypass security measures and uses a double extortion model, exfiltrating sensitive data before encryption to maximize ransom leverage.
Mallox employs sophisticated encryption methods, including:-
The malware targets companies globally, and for initial access often exploits vulnerabilities like CVE-2019-1068 and CVE-2020-0618 in MS SQL or PostgreSQL servers.
Are You From SOC/DFIR Teams? - Try Advanced Malware and Phishing Analysis With ANY.RUN - 14 day free trial
Mallox’s development across 12 identified versions includes enhanced cryptographic techniques to prevent decryption without the attacker’s private key, such as using CTR_DRBG for random number generation and ISAAC PRNG for file key generation.
Besides this, it has expanded its functionality like terminating database processes (SQL Server, Oracle, MySQL), disabling services via Service Control Manager, and modifying registry keys to disable UAC.
The ransomware included a “technical buffer” to encrypted files, marked by 0x02010201 and 0x04030403, containing decryption data.
It operates a Tor-based portal for communication and a data leak site (DLS) for extortion. Not only that, even for ransom payments, it also supports both Bitcoin and Tether TRC-20.
Kaspersky said that to threaten its victims and promote its affiliate program, Mallox remains active on social media platforms like X (aka Twitter).
The ongoing efforts to evade detection mechanisms, increase encryption efficiency, and adapt to the competitive threat landscape scenario show that the operators of Mallox constantly evolve it by implementing sophisticated features like multi-threaded encryption (up to 64 threads) and selective file encryption based on size thresholds.
Here below we have mentioned all the recommendations:-
What Does MITRE ATT&CK Expose About Your Enterprise Security? - Watch Free Webinar!
Researchers observed Lumma Stealer activity across multiple online samples, including PowerShell scripts and a disguised…
Palo Alto Networks reported the Contagious Interview campaign in November 2023, a financially motivated attack…
The recent discovery of the NjRat 2.3D Professional Edition on GitHub has raised alarms in…
A critical vulnerability, CVE-2024-3393, has been identified in the DNS Security feature of Palo Alto…
Threat Analysts have reported alarming findings about the "Araneida Scanner," a malicious tool allegedly based…
A major dark web operation dedicated to circumventing KYC (Know Your Customer) procedures, which involves…