
Mallox


Mallox is a ransomware strain that emerged in 2021, known for encrypting files and targeting database servers, gaining access through exposed services such as RDP. It is often distributed through phishing campaigns and by exploiting exposed SQL servers; once inside, it locks victims' data and demands a ransom. Mallox operates as a Ransomware-as-a-Service (RaaS), making it accessible to affiliates who use it to conduct attacks.

Type: Ransomware
Origin: Unknown
First seen: 1 May, 2021
Last seen: 22 October, 2024


IOCs

IP addresses: 120.27.96.112


What is Mallox ransomware?

Mallox is a ransomware strain that emerged in 2021 and has since become a known threat, particularly targeting organizations with vulnerable SQL servers and RDP configurations.

Its method of operation involves encrypting victims' files and appending unique extensions like ".mallox" to the encrypted data, effectively making the files inaccessible. Victims are then presented with a ransom note demanding payment, usually in cryptocurrency, in exchange for the decryption key.

When analyzing Mallox ransomware inside ANY.RUN’s sandbox, we can see the whole attack chain, including the displayed ransom note:

Analysis of Mallox inside ANY.RUN’s Interactive Sandbox showing a ransom note

Mallox operates through a Ransomware-as-a-Service (RaaS) model, making it accessible to various threat actors who can customize and distribute the ransomware. It employs advanced techniques like modifying boot configurations, disabling Windows recovery options, and using PowerShell scripts for downloading and executing payloads.


Mallox ransomware technical details

The primary functionalities of Mallox ransomware include:

  • Targets unsecured MS-SQL servers using brute-force dictionary attacks.
  • Downloads the ransomware using command-line tools and PowerShell, and injects into processes like Aspnet_Compiler.exe to avoid detection.
  • Modifies BCD settings with bcdedit commands to disable system recovery.
  • Changes registry settings to prevent shutdown and restart, ensuring uninterrupted encryption.
  • Steals sensitive data before encryption to pressure victims during ransom negotiations.
  • Encrypts files using strong encryption algorithms and adds a “.mallox” extension, making them inaccessible.
  • Drops a ransom note in affected directories, demanding payment.
  • Guides victims to reach out through TOR or email using a unique ID.

This ransomware collects detailed system data, such as total disk space, operating system version, computer name, locale settings, and the architecture of the processor. It then sends this information to its command-and-control (C2) server to aid in managing the infection.

Additionally, it queries an external service such as api.ipify.org to retrieve the device's public IP address, giving the attackers further insight into the network environment.

This request is flagged by Suricata rules when the sample runs in ANY.RUN’s sandbox.

External IP address retrieval detected by a Suricata rule inside ANY.RUN’s sandbox

Mallox ransomware execution process

To see how Mallox ransomware operates, let’s upload its sample to the ANY.RUN sandbox.

Mallox ransomware employs a sophisticated attack chain, sometimes beginning with initial access through brute-force attacks on unsecured Microsoft SQL servers.

Once inside, the ransomware executes various commands and scripts to facilitate its malicious activities, culminating in file encryption and ransom demands.

Process graph of Mallox ransomware displayed inside ANY.RUN’s sandbox

Mallox primarily targets unsecured Microsoft SQL servers, using dictionary brute-force attacks to gain access to the victim's network. After compromising the SQL server, the attackers use command-line tools and PowerShell scripts to download the ransomware payload from a remote server.

The downloaded payload may inject itself into legitimate processes (e.g., Aspnet_Compiler.exe) using techniques like process hollowing, allowing it to evade detection by traditional antivirus software.

Upon execution, Mallox modifies Boot Configuration Data (BCD) settings to disable recovery options, making it harder for users to restore their systems post-infection.

The ransomware encrypts files on the infected system, appending a ".mallox" extension to the encrypted files. It also generates ransom notes named “HOW TO BACK FILES.TXT” in each folder containing encrypted files.

Before encryption, Mallox may exfiltrate sensitive data from the system, which is later used against victims who refuse to pay the ransom.


Victims are instructed to contact the attackers via TOR or email, with unique identifiers (private ID in our sample) provided for negotiation purposes. The ransom notes often threaten to expose the stolen data if demands are not met.

Besides this, the ransomware modifies Windows registry settings to disable shutdown, restart, and sign-out options, effectively locking users out of their systems to prevent interruption of the encryption process.

If users attempt to shut down or reboot their systems, Mallox displays warnings about potential data loss, further pressuring victims to comply with ransom demands.
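The host-side behaviours described in this section (bcdedit recovery changes, the shutdown-blocking registry policy, the api.ipify.org lookup, the “.mallox” extension and the “HOW TO BACK FILES.TXT” note) can be correlated from endpoint telemetry. The following Python detector is an added example, not ANY.RUN’s code; it runs over constructed Sysmon-style events and assumes the Explorer policy values NoClose and NoLogoff (which the page does not name) as the registry settings that block shutdown and sign-out.

```python
import re

# Constructed Sysmon-style telemetry modelled on the behaviours described above;
# none of these records come from the page's own sandbox session.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit /set {default} recoveryenabled No"},
    {"type": "process", "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit /set {default} bootstatuspolicy ignoreallfailures"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoClose"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoLogoff"},
    {"type": "network", "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe",
     "dst_host": "api.ipify.org"},
    {"type": "file", "path": r"C:\Users\victim\Documents\report.docx.mallox"},
    {"type": "file", "path": r"C:\Users\victim\Documents\HOW TO BACK FILES.TXT"},
    {"type": "process", "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]

BCD_RECOVERY_OFF = re.compile(r"recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures", re.I)
# Assumed: Explorer policy values that hide shutdown/sign-out (not named on the page).
SHUTDOWN_POLICY_KEYS = (r"policies\explorer\noclose", r"policies\explorer\nologoff")
BROWSERS = ("chrome.exe", "msedge.exe", "firefox.exe")  # expected, benign ipify clients

RULES = {
    "recovery_disabled": lambda e: (e["type"] == "process"
        and e["image"].lower().endswith("bcdedit.exe")
        and bool(BCD_RECOVERY_OFF.search(e["cmdline"]))),
    "shutdown_blocked": lambda e: (e["type"] == "registry"
        and e["key"].lower().endswith(SHUTDOWN_POLICY_KEYS)),
    "public_ip_lookup": lambda e: (e["type"] == "network"
        and e["dst_host"].lower() == "api.ipify.org"
        and not e["image"].lower().endswith(BROWSERS)),
    "mallox_extension": lambda e: e["type"] == "file" and e["path"].lower().endswith(".mallox"),
    "ransom_note": lambda e: e["type"] == "file" and e["path"].upper().endswith("HOW TO BACK FILES.TXT"),
}

def classify(events):
    """Map each rule name to the list of events that triggered it."""
    hits = {}
    for e in events:
        for name, rule in RULES.items():
            if rule(e):
                hits.setdefault(name, []).append(e)
    return hits

def verdict(hits, min_behaviours=3):
    """Alert only when several distinct chain stages are present, not on a lone bcdedit call."""
    return "mallox-like ransomware chain" if len(hits) >= min_behaviours else "inconclusive"

if __name__ == "__main__":
    h = classify(SAMPLE_EVENTS)
    print(verdict(h), sorted(h))
```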

Mallox ransomware distribution methods

Mallox ransomware is typically distributed through a few primary methods, making it a significant threat to targeted systems:

  • Brute-force attacks on Microsoft SQL servers: One of the most common methods is targeting exposed MS-SQL servers using brute-force attacks. Attackers exploit weak credentials to gain access to these servers, often through dictionary-based password cracking methods.
  • PowerShell scripts and command-line tools: Once access is established, attackers use PowerShell scripts to download and execute the ransomware payload. This often involves using a remote server to deliver the malicious code directly onto the compromised system.
  • Malicious email campaigns: Phishing emails are another avenue for distribution. These emails may contain infected attachments or links that, when opened, initiate the download of the ransomware onto the victim's computer.
  • Exploiting vulnerabilities: Mallox has also been observed leveraging known vulnerabilities in SQL servers, such as remote code execution (RCE) flaws, to gain unauthorized access and deploy its payload.
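The first bullet, dictionary brute-forcing of exposed MS-SQL servers, leaves a distinctive trail in the SQL Server error log: bursts of “Login failed for user” entries (error 18456) from one client address. The following Python script is an added example, not ANY.RUN’s code; it parses that log format and flags any client exceeding a failure threshold within a sliding window. The log lines, user names and IP addresses are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed SQL Server error-log excerpt (documentation-range IPs, not real attackers).
SAMPLE_LOG = """\
2024-10-22 10:15:30.12 Logon       Error: 18456, Severity: 14, State: 8.
2024-10-22 10:15:30.12 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-10-22 10:15:31.05 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-10-22 10:15:31.90 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.5]
2024-10-22 10:15:32.44 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-10-22 10:15:33.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-10-22 10:15:33.71 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-10-22 10:20:01.00 Logon       Login failed for user 'CORP\\jdoe'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.7]
2024-10-22 10:21:00.00 spid55      Starting up database 'tempdb'.
"""

LOGIN_FAILED = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'\..*\[CLIENT: (?P<client>[^\]]+)\]"
)

def parse_failures(lines):
    """Yield (timestamp, client_ip, user) for each failed-login line; skip everything else."""
    for line in lines:
        m = LOGIN_FAILED.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["client"], m["user"]

def detect_bruteforce(lines, threshold=5, window_s=60):
    """Return {client_ip: (peak_failures_in_window, distinct_users_tried)} for offending clients."""
    recent = defaultdict(deque)   # per-client timestamps inside the current window
    users = defaultdict(set)
    alerts = {}
    for ts, client, user in sorted(parse_failures(lines), key=lambda t: t[0]):
        q = recent[client]
        q.append(ts)
        users[client].add(user)
        while (ts - q[0]).total_seconds() > window_s:   # slide the window forward
            q.popleft()
        if len(q) >= threshold:
            peak = max(alerts.get(client, (0,))[0], len(q))
            alerts[client] = (peak, len(users[client]))
    return alerts

def run_sample():
    return detect_bruteforce(SAMPLE_LOG.splitlines())

if __name__ == "__main__":
    print(run_sample())
```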

Gathering Threat Intelligence on Mallox Ransomware

To collect the latest intelligence on Mallox ransomware, you can utilize Threat Intelligence Lookup.

This service offers access to an extensive database with insights from numerous malware analysis sessions conducted within the ANY.RUN sandbox. It includes over 40 search parameters, enabling you to explore specific details like IP addresses, domains, file names, and various process artifacts.

Search results for Mallox in Threat Intelligence Lookup

Using Threat Intelligence Lookup, you can search directly for a threat name or use a related artifact. For instance, by entering a query like threatName:"mallox" AND domainName:"", you can quickly access Mallox threat data along with sandbox sessions that you can explore in detail to gain comprehensive insights into this malware’s behavior.

Get a 14-day free trial of Threat Intelligence Lookup along with the ANY.RUN sandbox.


Conclusion

Mallox ransomware poses a significant threat due to its ability to encrypt critical files, exfiltrate sensitive data, and disable recovery mechanisms. To mitigate such threats, integrating tools like ANY.RUN is crucial for proactively analyzing suspicious files and URLs before they cause harm.

ANY.RUN offers real-time threat analysis with detailed process graphs, in-depth network traffic analysis, and a user-friendly interface that allows analysts to simulate real-world threat scenarios effectively.

Sign up for a free ANY.RUN account today and enhance your malware analysis capabilities.
