Mallox ransomware Exploits Old Flaws in MS-SQL & ODBC

In an ever-evolving cyber landscape, where the churn of malware families and actor groups is relentless, Mallox ransomware emerges as a formidable adversary. SentinelOne‘s security experts shed light on the latest Mallox activities, elucidate the group’s primary methods of gaining access, and offer a comprehensive analysis of the recent Mallox payloads. First identified in 2021, Mallox, also known as TargetCompany, has consistently been a dark horse in the ransomware realm, orchestrating a steady leakage of enterprise data.

Mallox operates under the Ransomware-as-a-Service (RaaS) model, skillfully leveraging underground forums like Nulled and RAMP to advertise and expand its nefarious services. The group’s operation is sophisticated, with a dedicated TOR-based leak site and a robust presence on social media platforms, including Twitter/X, to publicize their conquests and expose stolen data.

Mallox Data Leak Site | Image: SentinelOne

The group’s modus operandi primarily revolves around exploiting vulnerable and publicly exposed services, focusing intensively on MS-SQL (Microsoft SQL Server) and ODBC interfaces. By targeting specific, unpatched remote code execution vulnerabilities, such as CVE-2019-1068 and CVE-2020-0618 in Microsoft SQL Server, Mallox has orchestrated successful breaches. Furthermore, the group has been known to employ brute-force attacks against weakly configured services, gaining initial access through dictionary-based attacks on MS-SQL interfaces.

Once inside a system, Mallox actors waste no time. They execute PowerShell commands to run various batch scripts and download the ransomware payload. Tools like Kill-Delete.bat and Bwmeldokiller.bat are used strategically to terminate or remove processes that might hinder the encryption routine. The ransomware payload is then executed using a combination of crafty PowerShell scripts and Windows Management Instrumentation (WMIC) commands.

Recent Mallox payloads, dubbed “Mallox.Resurrection,” highlight the group’s adaptability and persistence. These variants exhibit hard-coded exclusions, sparing certain file types and processes from encryption. This selective approach indicates a refined and strategic operation, ensuring maximum impact with minimal collateral damage.

For those unfortunate enough to fall victim to Mallox, non-compliance with ransom demands carries a grave threat – the exposure of their data on the group’s data leak site. This added pressure tactic underscores the need for urgent and effective cybersecurity measures.

Despite setbacks, such as the release of a public decryptor for earlier versions of its payloads, Mallox has maintained a steady stream of compromises. The continued exploitation of unpatched MS-SQL interfaces and weak passwords is a stark reminder of the group’s adaptability and the need for robust cybersecurity measures. Organizations are urged to review and harden applications and services exposed to the public internet, alongside deploying appropriate endpoint and cloud security solutions.

In conclusion, the persistence and evolution of Mallox ransomware stand as a testament to the ever-present danger lurking in the cyber world. It serves as a clarion call to organizations and individuals alike to remain vigilant, update regularly, and invest in advanced cybersecurity defenses to ward off such insidious threats.