Mallox Ransomware Group Revamps Malware Variants, Evasion Tactics

The group continues to target SQL servers, adding the Remcos RAT, BatCloak, and Metasploit in an attack that shows advance obfuscation methods.

Image shows a keyboard with hands typing at it and the keys spelling out "ransomware" in red and white highlighted letters
Source: Wsf-S via Shutterstock

The Mallox ransomware group is stepping up its game in targeted attacks against organizations with vulnerable SQL servers. It surfaced recently with a new variant and various additional malware tools to achieve persistence and evade detection as it continues to gather momentum.

Malloz (aka TargetCompany, Fargo, and Tohnichi) emerged in June 2021. In its latest attacks, it combined its custom ransomware with two proven malware products — the Remcos RAT and the BatCloak obfuscator, researchers from TrendMicro revealed in a blog post today.

That said, the tactic that the group used to gain entry to targeted organizations' networks remains consistent in the latest campaign — "the exploitation of vulnerable SQL servers to persistently deploy its first stage," TrendMicro's Don Ovid Ladores and Nathaniel Morales revealed in the post.

Indeed, Mallox — which already claims to have infected hundreds of organizations worldwide in sectors such as manufacturing, retail, wholesale, legal, and professional services — commonly exploits two remote code execution (RCE) vulnerabilities in SQL, CVE-2020-0618 and CVE-2019-1068, in its attacks.

However, the group has also started switching things up in later stages of the attack to maintain a stealthy presence on targeted networks and hide its malicious activity, the researchers found.

"The routine tries various directions to attempt persistence, such as changing up the URLs or applicable paths until it successfully finds an area to execute the Remcos RAT," they wrote.

Detecting Undetectable Malware

The team identified the campaign upon investigation of suspicious network connections related to PowerShell, which led it to the discovery of a new variant of Mallox, which TrendMicro refers to as TargetCompany.

"When we checked the payload binary, we saw that the variant belongs to the second version of the said ransomware family, commonly characterized by a connection to a command-and-control (C2) server with a '/ap.php' landing page," the researchers revealed in the post.

However, since the initial attempt at access was terminated and blocked by existing security solutions, "the attackers opted to use the [fully undetectable] FUD-wrapped version of their binaries" to continue its attack," the researchers wrote.

FUD is an obfuscation technique attackers use that automatically scrambles ransomware to dodge signature-based detection technology, thus improving its chances of success. Mallox appears to be using a FUD style employed by BatCloak — using a batch file as an outer layer and then decoding and loading using PowerShell to make a LOLBins execution, according to TrendMicro.

The group also used the hacking tool Metasploit, which was deployed in a later stage of the attack before the Remcos RAT concludes its final routine, to load Mallox ransomware wrapped in the FUD packer, the researchers said.

While using FUD packers and Metasploit are not new tactics, it does show how Mallox, like other attackers, "will keep innovating even the simplest means of abuse" to evade defenses put up by organizations to avoid compromise, the researchers noted.

"Security teams and organizations should not underestimate its effectivity in circumventing current and established security solutions, especially in key features that leave technologies almost blind until a victim is documented," they wrote in the post.

How to Defend Against Mallox Ransomware

TrendMicro expects that the majority of Mallox' victims still have vulnerable SQL Servers that are being exploited to gain entry. To combat this, security teams should have visibility into their patching gaps, and check all possible attack surfaces to ensure their respective systems are not susceptible to abuse and exploitation.

Meanwhile, as the FUD packer that Mallox is using appears to be a step ahead of the current security solutions that most organizations use, it might be time to step up the game and add AI- and machine learning-based file checking and behavior monitoring solutions to the mix, the researchers noted.

Moreover, best practices for network blocking as well as specific ransomware detection and blocking measures also can provide a multi-layered approach to mitigate the impact of the risks that these threats present.

"Organizations should encourage and implement redundant exercises ensuring users' awareness of their own systems and networks to prevent intrusion attempts and execution of malicious activities," the researchers wrote.

About the Author(s)

Elizabeth Montalbano, Contributing Writer

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights