Mallox Expands Arsenal: Targets Linux with Modified Kryptina Ransomware

[Figure: The Mallox Linux 1.0 ransom note. Image: SentinelLabs]

SentinelLabs has discovered that a group associated with the Mallox (TargetCompany) campaign is utilizing a newly modified version of the Kryptina ransomware to target Linux systems.

Previously focused solely on Windows, Mallox has recently shifted its attention to Linux and VMware ESXi, marking a significant evolution in its operations. The use of Kryptina, once offered as a low-cost RaaS (ransomware-as-a-service) offering, represents a new phase in the threat's development.

The Kryptina platform was launched in late 2023 for attacks on Linux, with prices ranging from $500 to $800. However, it failed to gain traction among cybercriminals. By February 2024, the platform’s presumed administrator, known by the alias “Corlys,” leaked Kryptina’s source code on hacker forums. This was promptly exploited by other cybercriminals, including Mallox’s affiliates.

After one of the groups associated with Mallox made an operational mistake, SentinelLabs experts uncovered that Kryptina’s source code had been used to create a new version of the ransomware, named “Mallox Linux 1.0.” Despite the rebranding and altered appearance, the ransomware’s functionality remained unchanged, employing the same AES-256-CBC encryption algorithm and similar decryption procedures. The source code, along with file names such as “kryptina.c” and “kryptina.h,” remained intact. Only cosmetic adjustments were made—removing references to Kryptina in ransom notes and scripts.
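The article notes that the rebranded build kept Kryptina's original source-file names. As an added example, not code from SentinelLabs, the article, or the Mallox/Kryptina projects, the following Python scanner flags ELF files that still carry those names. It assumes compiled builds retain the strings (for instance through `assert()` or debug information), which the article does not state; the sample bytes below are constructed, not real malware.

```python
"""Heuristic scan for Kryptina-derived Linux ransomware builds.

Added example, not the article's or SentinelLabs' code. It searches ELF
files for leftover source-file names ("kryptina.c", "kryptina.h") that the
article says survived the Mallox Linux 1.0 rebrand. Whether a given build
embeds those strings is an assumption; treat a hit as a lead for triage,
not proof.
"""
import re
from pathlib import Path
from typing import Dict, List

ELF_MAGIC = b"\x7fELF"

# Indicators taken from the article: original Kryptina source-file names.
KRYPTINA_MARKERS = (b"kryptina.c", b"kryptina.h")
MARKER_RE = re.compile(
    b"|".join(re.escape(m) for m in KRYPTINA_MARKERS), re.IGNORECASE
)


def is_elf(data: bytes) -> bool:
    """True when the blob starts with the ELF magic bytes."""
    return data.startswith(ELF_MAGIC)


def find_markers(data: bytes) -> List[bytes]:
    """Return the distinct Kryptina markers present in a blob, lower-cased and sorted."""
    return sorted({m.lower() for m in MARKER_RE.findall(data)})


def scan_blobs(blobs: Dict[str, bytes]) -> Dict[str, List[bytes]]:
    """Scan named blobs; report only ELF files that contain at least one marker."""
    report: Dict[str, List[bytes]] = {}
    for name, data in blobs.items():
        if not is_elf(data):
            continue  # only native Linux binaries are in scope here
        hits = find_markers(data)
        if hits:
            report[name] = hits
    return report


def scan_directory(root: Path) -> Dict[str, List[bytes]]:
    """Walk a directory tree and apply scan_blobs to every regular file."""
    blobs = {str(p): p.read_bytes() for p in root.rglob("*") if p.is_file()}
    return scan_blobs(blobs)


# Constructed sample inputs (assumption: a rebranded build still embeds the
# original __FILE__ paths). These are synthetic byte strings, not malware.
SAMPLE_BINARIES = {
    "suspect_elf": ELF_MAGIC + b"\x00" * 32
    + b"/build/src/KRYPTINA.c\x00assertion failed\x00/build/src/kryptina.h\x00",
    "clean_elf": ELF_MAGIC + b"\x00" * 32 + b"/usr/lib/libc.so.6\x00",
    "text_note": b"Your files were encrypted. kryptina.c mentioned in a README.",
}

if __name__ == "__main__":
    for name, hits in scan_blobs(SAMPLE_BINARIES).items():
        print(f"{name}: {[h.decode() for h in hits]}")
```

`scan_directory` is the entry point for a real host; `scan_blobs` keeps the matching logic testable without touching the filesystem. The non-ELF text file is deliberately skipped so that ransom notes or analyst write-ups that merely mention the name do not generate hits.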

In addition to Mallox Linux 1.0, other tools were found on the attackers’ server, including:

  • A legitimate password-reset tool from Kaspersky (KLAPR.BAT);
  • An exploit for CVE-2024-21338, a privilege escalation vulnerability in Windows 10 and 11;
  • PowerShell scripts for privilege escalation;
  • Mallox loaders written in Java;
  • Disk images containing Mallox loaders;
  • Data on 14 potential victims.

At this time, it remains unclear whether Mallox Linux 1.0 is being used by a single group or multiple actors, and how it relates to other ransomware variants deployed in Mallox operations.

It was also revealed that the Lazarus group had exploited CVE-2024-21338 to create a read/write primitive in the kernel for an updated version of their FudModule rootkit, first documented by ESET in late 2022. Notably, FudModule employs the BYOVD (Bring Your Own Vulnerable Driver) technique, allowing hackers to exploit vulnerabilities in device drivers. This flaw grants cybercriminals full access to kernel memory.

Mallox ransomware activity surged by 174% in 2023 compared to the previous year, according to new data from Unit 42 at Palo Alto Networks.

Researchers have found close ties between Mallox ransomware and other threat actors, including TargetCompany, Tohnichi, Fargo, and the recently emerged Xollam. The Mallox group itself was first observed in June 2021, with its primary targets being manufacturing companies, professional services firms, and wholesale and retail enterprises.
