Researchers have discovered a modified version of Mallox ransomware that now appends the “.malox” file extension instead of the previous “.mallox” extension.
Unlike the previous method, this new variation does not require a downloader to fetch the ransomware payload from a remote server, found researchers at Cyble Research and Intelligence Labs (CRIL ).
Instead, the payload is embedded within a batch script and injected into “MSBuild.exe” without being saved on the disk.
This ransomware variant employs BatLoader, similar to the distribution of Remote Access Trojans (RATs) and stealers.
The Cyber Express has previously reported about the rise of Mallox ransomware and on its recent victims including the Indian trade body FICCI and AddWeb Solution.
Mallox Ransomware: New infection methodology
The initial infection occurs when users click on an attachment in a spam email. The attachment can either be an executable file that downloads BatLoader from a remote server or contain BatLoader directly.
The batch script used in this case is obfuscated, employing various variables defined in random sequences. These variables are combined through concatenation to execute commands.
“In contrast to the previous infection method, this one eliminates the need for a downloader to retrieve the ransomware payload from a remote server,” said the CRIL report.
“Instead, the ransomware payload is contained within a batch script, which is then injected into “MSBuild.exe”, without saving it on the disk.”
One part of the batch script checks if a certain variable is defined. If it’s not defined, it sets the variable, starts the same batch script in a minimized window, and then exits the previous instance of the script.
Another command in the script copies a program called PowerShell to a new file with a different name. It also sets certain attributes for this file.
The batch script also executes a command that runs the copied PowerShell program and provides it with some encoded content as a parameter.
This encoded content is a script written in the PowerShell language, which is responsible for extracting the ransomware payload from the BatLoader. The PowerShell script scans the BatLoader for specific lines of code and extracts certain information from them.
The PowerShell script also drops another batch script called “killerrr.bat” in a temporary directory. This “killerrr.bat” script is designed to perform various operations such as stopping processes, services, disabling services, and deleting services on the infected computer. It also deletes specific directories.
The PowerShell script dynamically loads the Mallox ransomware program and injects it into another program called MSBuild.exe. This injection allows the ransomware to run within the MSBuild.exe program, making it more difficult to detect and remove.
Mallox ransomware: Impact and Recommendations
“To date, Mallox ransomware has publicly disclosed details of over 20 victims from over 15 countries, with India being the most targeted nation, followed by the United States,” said the CRIL report.
:The majority of victims affected by Mallox ransomware belong to the Manufacturing, Energy & Utilities sectors, IT & ITES, and Professional Services Industries.”
The CRIL report made the following recommendations to bolster defenses against ransomware attacks:
Regularly back up data and keep offline or separate network backups.
Enable automatic software updates on computers, mobile devices, and connected devices.
Utilize reputable antivirus and internet security software on all connected devices.
Exercise caution when opening untrusted links and email attachments, verifying their authenticity before proceeding.
If the systems are infected with ransomware already, the security team should:
Disconnect infected devices from the network.
Disconnect any external storage devices that may be connected.
Review system logs for any suspicious events.
