Mallox Ransomware Variant Targets Privileged VMware ESXi Environments

Novel attack vector uses a custom shell for payload delivery and execution — and only goes after systems with administrative privileges.


The Mallox ransomware group is targeting VMware ESXi environments with a fresh Linux variant that employs a new technique to deliver and execute its payload only on machines with high-level user privileges.

The variant — discovered by researchers at Trend Micro who track Mallox as TargetCompany — specifically determines if a targeted system is running in a VMware ESXi environment and has administrative rights, and won't proceed with an attack if these requirements are not met, according to a blog post published June 5.

Mallox, which is also known by the monikers Fargo and Tohnichi, first surfaced in June 2021 and claims to have infected hundreds of organizations worldwide. Specific sectors targeted by the group include manufacturing, retail, wholesale, legal, and professional services. This year Mallox has been most active in Taiwan, India, Thailand, and South Korea, according to Trend Micro.

Custom Shell Shows Sophistication

The Linux variant marks the first time Mallox has been seen using a custom shell script to deliver and execute ransomware on virtualized environments — activity likely aimed at creating more disruption and, thus, increasing chances of a ransom payout.

Moreover, the adversary responsible for wielding the variant is a Mallox affiliate called “vampire,” which indicates the group's involvement in "broader campaigns involving high ransom demands and expansive IT system targeting," Trend Micro's Darrel Tristan Virtusio, Nathaniel Morales, and Cj Arsley Mateo wrote in the post.

The use of a custom shell also demonstrates that Mallox "has been continuously evolving to employ more sophisticated methods in its future attacks," the researchers noted.

"This recently found Linux variant aligns with the recent trend of ransomware groups extending their attacks to critical Linux environments, thereby potentially increasing the range of target victims," they observed.

In addition to delivery and execution, the custom shell also exfiltrates the victim's information to two different servers so the ransomware actors have a backup of the information. Mallox is known to use a leak site by the same name to expose data stolen from its ransomware attacks.

How the Mallox Variant Works

This latest variant first checks a system to see whether the executable is running with administrative rights and, if this is not the case, it won't continue its activity.

After execution, the variant drops a text file named TargetInfo.txt that contains victim information that is sent to a command-and-control (C2) server, behavior that is similar to the Windows version of Mallox ransomware.

The IP address used to exfiltrate this information, and later to execute the payload, has not been seen in use by Mallox before, the researchers noted. It's hosted by China Mobile Communications, a Chinese ISP, and was likely rented for short-term use by the threat actor to host its malicious payload, they said.

The binary also performs a check to determine whether the machine is running in a VMware ESXi environment by seeing if the system name matches "vmkernel," which indicates that the machine is running in VMware's ESXi hypervisor. If so, it deploys its encryption routine, appending the extension ".locked" to encrypted files and dropping a ransom note named HOW TO DECRYPT.txt. Both the extension and note deviate from the Windows variant, the researchers noted.

The custom shell script used to download and execute the payload also can exfiltrate data to a different server. It does this by reading the contents of the dropped text file and uploading it to another URL once the ransomware performs its routine. The variant also notably exfiltrates victim information to two different servers, possibly "to improve redundancy and have a backup in case a server goes offline or is compromised," the researchers wrote.

After the ransomware performs its routine, the script deletes the TargetCompany payload, creating an added challenge for defenders to understand the overall impact of the attack, thus making investigation and incident response difficult.
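Because the script removes the payload, the file-name artifacts described above (TargetInfo.txt, the ".locked" extension and the HOW TO DECRYPT.txt note) are what responders are left to look for. The following triage sketch is an added example, not code from Trend Micro or the article; the function names and the sample directory layout are constructed for illustration.

```python
import os
import tempfile

# File-name artifacts the article attributes to the Linux variant.
RANSOM_NOTE = "HOW TO DECRYPT.txt"
VICTIM_INFO = "TargetInfo.txt"
ENCRYPTED_EXT = ".locked"


def triage(root):
    """Walk `root` and summarise the artifacts found in each directory."""
    found = {"victim_info": [], "notes": [], "locked": {}, "high_confidence": []}
    for dirpath, _dirs, files in os.walk(root):
        locked = [f for f in files if f.endswith(ENCRYPTED_EXT)]
        if locked:
            found["locked"][dirpath] = len(locked)
        if VICTIM_INFO in files:
            found["victim_info"].append(os.path.join(dirpath, VICTIM_INFO))
        if RANSOM_NOTE in files:
            found["notes"].append(os.path.join(dirpath, RANSOM_NOTE))
            # The extension alone is generic; a note beside renamed files
            # is the stronger signal, so report that pairing separately.
            if locked:
                found["high_confidence"].append(dirpath)
    return found


def build_sample_tree(root):
    """Create a constructed directory layout (not from a real incident)."""
    layout = {
        "datastore1/vm01": ["vm01.vmdk.locked", "vm01.vmx.locked", RANSOM_NOTE],
        "datastore1/vm02": ["vm02.vmdk", "vm02.vmx"],  # untouched guest
        "opt/app": ["session.locked"],                 # extension only, no note
        "tmp": [VICTIM_INFO],
    }
    for rel, names in layout.items():
        os.makedirs(os.path.join(root, rel))
        for name in names:
            open(os.path.join(root, rel, name), "w").close()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for key, value in triage(tmp).items():
            print(key, value)
```

Run it against a mounted copy of a datastore or a forensic image rather than the live host, so file timestamps on the evidence are not disturbed.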

Linux ESXi Environments Beware of Cyberattacks

Mallox's sophisticated expansion of its attack activity into Linux environments running VMware ESXi requires renewed vigilance on the part of organizations that fit this description, the researchers noted.

"Implementing tried-and-tested cybersecurity measures can mitigate the risk of falling victim to ransomware attempts and protect the data integrity of an organization's assets," they wrote.

Best practices the researchers recommended include enabling multifactor authentication (MFA) to prevent attackers from performing lateral movement inside a network.

They also should adhere to what's called the "3-2-1 rule" for backing up important files; that is, "creating three backup copies on two different file formats, with one of the copies stored in a separate location," the researchers noted. Finally, the researchers said, patching and updating systems regularly can deter malicious actors from exploiting software vulnerabilities.

About the Author(s)

Elizabeth Montalbano, Contributing Writer
