The Mallox Ransomware Group: Stepping Up Attacks with Evasion Tactics
Introduction
The Mallox ransomware group, also known as TargetCompany, Fargo, and Tohnichi, has recently intensified its targeted attacks against organizations with vulnerable SQL servers. The group has gained momentum by combining its custom ransomware with the Remcos RAT and the BatCloak obfuscator. Researchers from Trend Micro have found that Mallox has infected hundreds of organizations worldwide across various sectors. While the group commonly exploits two remote code execution vulnerabilities in SQL servers, it has also started employing new tactics during later stages of the attack to maintain a stealthy presence and hide its malicious activity.
The Tactics Used by Mallox
Mallox initially gains entry into targeted organizations' networks by exploiting vulnerable SQL servers, specifically through the CVE-2020-0618 and CVE-2019-1068 vulnerabilities. Once inside the network, Mallox uses various techniques to achieve persistence and evade detection. The group varies the URLs and file paths it uses until it finds a location from which the Remcos RAT can be executed, securing its foothold on the system.
Researchers identified the campaign by investigating suspicious network connections originating from PowerShell, which led to the discovery of a new variant of Mallox referred to as TargetCompany. After the initial access attempt was terminated and blocked by existing security solutions, the attackers retried with a payload designed to be undetectable. The payload binary belonging to this variant of Mallox connects to a command-and-control server using a '/ap.php' landing page.
Mallox employs an obfuscation technique known as FUD (Fully Undetectable), which scrambles the ransomware code to defeat signature-based detection. Mallox uses BatCloak's FUD style: a batch file serves as the outer layer, and the ransomware is subsequently decoded and loaded using PowerShell. In a later stage of the attack, the group also deploys Metasploit, a widely used penetration-testing framework, to load the Mallox ransomware wrapped in the FUD packer.
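As an added defensive example (not part of the original article or Trend Micro's research), the following Python scans constructed process and network events for the three stages described above: SQL Server spawning a shell, a batch-wrapped PowerShell launch with an encoded command, and a scripting host reaching the '/ap.php' landing page. The pipe-separated event format, the process names and the IP addresses are assumptions made for this example.

```python
"""Detect the Mallox-style chain (SQL Server -> batch loader -> PowerShell ->
C2 '/ap.php') in simplified process/network telemetry. Added example; the
event format below is constructed and is not a real EDR or Sysmon format."""
import re
from dataclasses import dataclass

# Constructed sample telemetry.
#   proc|<parent image>|<child image>|<command line>
#   net|<process image>|<destination ip>|<url>
SAMPLE_EVENTS = [
    "proc|sqlservr.exe|cmd.exe|cmd.exe /c C:\\Windows\\Temp\\upd.bat",
    "proc|cmd.exe|powershell.exe|powershell.exe -nop -w hidden -EncodedCommand SQBFAFgA",
    "net|powershell.exe|198.51.100.23|http://198.51.100.23/ap.php",
    "proc|explorer.exe|notepad.exe|notepad.exe report.txt",
    "net|chrome.exe|203.0.113.9|https://example.org/index.html",
]

SQL_SERVER = {"sqlservr.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Matches -e, -enc and -EncodedCommand followed by a base64 argument.
ENCODED_FLAG = re.compile(r"-e(nc(odedcommand)?)?\s+\S+", re.IGNORECASE)
C2_PATH = "/ap.php"  # landing page named in the report


@dataclass
class Finding:
    rule: str
    event: str


def scan_events(events):
    """Return a Finding for every event matching one of the three stage rules."""
    findings = []
    for line in events:
        kind, first, second, detail = line.split("|", 3)
        if kind == "proc":
            parent, child = first.lower(), second.lower()
            # Stage 1: the SQL Server process launching a shell is how the RCE lands.
            if parent in SQL_SERVER and child in SHELLS:
                findings.append(Finding("sqlserver_spawns_shell", line))
            # Stage 2: batch outer layer handing an encoded command to PowerShell.
            if parent == "cmd.exe" and child in POWERSHELL and ENCODED_FLAG.search(detail):
                findings.append(Finding("batch_launches_encoded_powershell", line))
        elif kind == "net":
            # Stage 3: a scripting host contacting the C2 landing page.
            if first.lower() in SHELLS and detail.lower().endswith(C2_PATH):
                findings.append(Finding("c2_landing_page_contact", line))
    return findings


def matched_rules(events):
    """Rule names in event order; convenient for alert routing or tests."""
    return [f.rule for f in scan_events(events)]
```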
Security Implications and Countermeasures
The evolving tactics employed by Mallox highlight the need for organizations to continuously enhance their cybersecurity measures. Detecting and preventing the undetectable malware used by this ransomware group demands a multi-layered approach to defense.
To defend against Mallox ransomware, organizations should prioritize patching vulnerable SQL servers and ensure visibility into their patching gaps. Additionally, security teams should check all possible attack surfaces and secure systems to prevent abuse and exploitation.
As the FUD packer used by Mallox surpasses many current security solutions, organizations should consider incorporating AI- and machine learning-based file checking and behavior monitoring solutions to enhance their cybersecurity posture. These advanced technologies can detect evasive tactics employed by attackers.
Multi-layered defense strategies, including network blocking, ransomware-specific detection, and blocking measures, are crucial to mitigating the risks presented by threats like Mallox. Organizations should also prioritize user awareness campaigns and encourage recurring security exercises in order to prevent intrusion attempts and the execution of malicious activity.
Conclusion
The Mallox ransomware group poses a significant threat to organizations worldwide, particularly those with vulnerable SQL servers. The group’s ability to continuously innovate its evasion tactics and deploy undetectable malware emphasizes the need for organizations to enhance their cybersecurity measures. By adopting a multi-layered defense approach, organizations can minimize the risk of falling victim to ransomware attacks. Constant vigilance, patch management, and user awareness are critical in preventing intrusion attempts and safeguarding against malicious activities.