Mallox Ransomware Expands Targeting to Linux Systems

Threat Group: Mallox
Threat Type: Ransomware (Linux and Windows)
Exploited Vulnerabilities: Unsecured MS-SQL servers, weak SSH configurations, exposed ports
Malware Used: Mallox, Kryptina (Linux variant)
Threat Score: High (8.5/10) — The group has expanded operations to Linux systems and continues to evolve by targeting cloud and critical infrastructure, leveraging both Windows and Linux environments.
Last Threat Observation: September 2024.

Overview

Mallox ransomware, also known as TargetCompany or FARGO, has been active since 2021, originally targeting unsecured Microsoft SQL (MS-SQL) servers in Windows environments. The group recently expanded its operations by adopting the source code of Kryptina, a Linux-targeted ransomware, marking a shift towards multi-platform attacks. The new variant, dubbed "Mallox Linux 1.0," is especially concerning as it exploits vulnerabilities in Linux and VMware ESXi systems, aiming for persistence and lateral movement in enterprise networks.

Key Details

  • Delivery Method: Unsecured MS-SQL servers (Windows) and weak SSH configurations (Linux).
  • Target: Windows and Linux environments, particularly MS-SQL servers and virtualized/cloud infrastructures.
  • Functions:
    1. Encrypts files using ChaCha20 and AES-256-CBC encryption algorithms.
    2. Appends different file extensions (.malox, .FARGO3, .bitenc).
    3. Utilizes privilege escalation tools and exploits for lateral movement within networks.
    4. Deletes volume shadow copies and security logs to thwart recovery.
    5. Leaves ransom notes with links to Tor sites for payment.

Attack Vectors

  • Windows: Mallox enters via unsecured MS-SQL servers through brute-force attacks, downloading the payload via PowerShell commands. It disables SQL services to facilitate encryption.
  • Linux: The newer variant of Mallox, built on Kryptina’s leaked code, exploits weak SSH configurations and exposed ports, especially in cloud-based Linux environments. The ransomware establishes persistence and facilitates data exfiltration by blending its activities with normal traffic.

Known Indicators of Compromise (IoCs)

  • Domains:
    hxxp://grovik71[.]theweb[.]place
  • IP Addresses:
    185[.]73[.]125[.]6

Mitigation and Prevention

  • User Awareness: Educate employees about phishing emails and enforce strong, unique passwords for MS-SQL server and SSH access.
  • Email Filtering: Implement strong email security solutions to block malicious attachments and links.
  • Antivirus Protection: Ensure EDR/XDR solutions are in place to detect and stop in-memory ransomware execution.
  • Two-Factor Authentication (2FA): Enforce 2FA, especially for critical systems like MS-SQL and SSH access.
  • Monitor Logs: Regularly review security logs for signs of brute-force attempts and lateral movement.
  • Regular Updates: Keep systems, especially MS-SQL and Linux servers, updated with the latest security patches.
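The "Monitor Logs" item above is the one a Linux defender can act on immediately: the Linux variant gets in through weak SSH configurations, so a burst of failed sshd logins from one source, especially one followed by a successful password login, is the signal to look for. The detector below is an added example written for this advisory, not code from the original post or from any vendor; it assumes traditional syslog-style auth.log lines (the year is absent from that format, so it is passed in as a parameter), and the log lines it runs over are constructed, not real telemetry.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth.log lines (not real telemetry): a brute-force
# run from one source that ends in a successful root login, plus benign noise.
SAMPLE_AUTH_LOG = """\
Sep 10 02:14:01 db01 sshd[2211]: Failed password for root from 203.0.113.45 port 51022 ssh2
Sep 10 02:14:03 db01 sshd[2213]: Failed password for invalid user admin from 203.0.113.45 port 51030 ssh2
Sep 10 02:14:05 db01 sshd[2215]: Failed password for root from 203.0.113.45 port 51041 ssh2
Sep 10 02:14:08 db01 sshd[2217]: Failed password for invalid user oracle from 203.0.113.45 port 51055 ssh2
Sep 10 02:14:11 db01 sshd[2219]: Failed password for root from 203.0.113.45 port 51063 ssh2
Sep 10 02:14:15 db01 sshd[2221]: Accepted password for root from 203.0.113.45 port 51070 ssh2
Sep 10 02:20:30 db01 sshd[2300]: Failed password for alice from 198.51.100.7 port 40012 ssh2
Sep 10 02:20:41 db01 sshd[2302]: Accepted publickey for alice from 198.51.100.7 port 40013 ssh2
"""

# Matches the sshd "Failed/Accepted <method> for [invalid user] <user> from <ip>" lines.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

def parse(log_text, year=2024):
    """Return (timestamp, result, method, user, ip) tuples; year is assumed, syslog omits it."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["result"], m["method"], m["user"], m["ip"]))
    return events

def detect_ssh_bruteforce(log_text, threshold=5, window_s=300):
    """Flag every source IP with >= threshold failed logins inside a sliding window of
    window_s seconds, and mark whether a login from that IP succeeded afterwards."""
    failures = defaultdict(list)   # ip -> [(timestamp, user), ...] within the window
    alerts = {}
    for ts, result, method, user, ip in parse(log_text):
        if result == "Failed":
            # Keep only failures still inside the window relative to this event.
            failures[ip] = [(t, u) for t, u in failures[ip] + [(ts, user)]
                            if (ts - t).total_seconds() <= window_s]
            if len(failures[ip]) >= threshold:
                alerts[ip] = {"failures": len(failures[ip]),
                              "users": sorted({u for _, u in failures[ip]}),
                              "success_after": alerts.get(ip, {}).get("success_after", False)}
        elif result == "Accepted" and ip in alerts:
            alerts[ip]["success_after"] = True   # the brute force got in: treat as an incident
    return alerts
```

A flagged IP with `success_after` set should be treated as a likely compromise, not just noise to block; the same counting logic applies to MS-SQL failed-login events (Windows event ID 18456) on the Windows side of the campaign.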

Conclusion

Mallox ransomware continues to evolve, now presenting a significant risk to both Windows and Linux systems. With its ability to exploit weaknesses in cloud and virtual infrastructures, it poses a considerable threat to organizations relying on backend services. Strengthening both Linux and Windows defenses, particularly around database and SSH configurations, is critical to mitigating the risk.