Mallox Ransomware Group Revamps Malware Variants, Evasion Tactics

Published: 23/11/2024   Category: security




The group continues to target SQL servers, adding the Remcos RAT, BatCloak, and Metasploit in an attack that shows advanced obfuscation methods.



The Mallox ransomware group is stepping up its game in targeted attacks against organizations with vulnerable SQL servers. It surfaced recently with a new variant and various additional malware tools to achieve persistence and evade detection as it continues to gather momentum.
Mallox (aka TargetCompany, Fargo, and Tohnichi) emerged in June 2021. In its latest attacks, it combined its custom ransomware with two proven malware products — the Remcos RAT and the BatCloak obfuscator, researchers from Trend Micro revealed in a blog post today.
That said, the tactic that the group uses to gain entry to targeted organizations' networks remains consistent in the latest campaign — the exploitation of vulnerable SQL servers to persistently deploy its first stage, Trend Micro's Don Ovid Ladores and Nathaniel Morales revealed in the post.
Indeed, Mallox — which already claims to have infected hundreds of organizations worldwide in sectors such as manufacturing, retail, wholesale, legal, and professional services — commonly exploits two remote code execution (RCE) vulnerabilities in Microsoft SQL Server, CVE-2020-0618 and CVE-2019-1068, in its attacks.
However, the group has also started switching things up in later stages of the attack to maintain a stealthy presence on targeted networks and hide its malicious activity, the researchers found.
"The routine tries various directions to attempt persistence, such as changing up the URLs or applicable paths until it successfully finds an area to execute the Remcos RAT," they wrote.
The team identified the campaign while investigating suspicious network connections related to PowerShell, which led it to the discovery of a new variant of Mallox, which Trend Micro refers to as TargetCompany.
"When we checked the payload binary, we saw that the variant belongs to the second version of the said ransomware family, commonly characterized by a connection to a command-and-control (C2) server with a /ap.php landing page," the researchers revealed in the post.
"However, since the initial attempt at access was terminated and blocked by existing security solutions, the attackers opted to use the [fully undetectable] FUD-wrapped version of their binaries to continue its attack," the researchers wrote.
FUD is an obfuscation technique attackers use that automatically scrambles ransomware to dodge signature-based detection technology, thus improving its chances of success. Mallox appears to be using a FUD style employed by BatCloak — using a batch file as an outer layer and then decoding and loading the payload with PowerShell to achieve a LOLBins (living-off-the-land binaries) execution, according to Trend Micro.
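The chain the report describes (a SQL Server process handing off to a batch file, which in turn launches PowerShell to decode and run the next stage) is something a defender can hunt for in process-creation telemetry. The following is an added example, not code from Trend Micro or from the article; the event records are constructed in a simplified Sysmon Event ID 1 style, and the field names and the regular expression are assumptions for illustration.

```python
import re

# Constructed, simplified process-creation events (pid, parent pid, image path,
# command line). Not real telemetry; the sqlservr -> cmd -> powershell chain
# mirrors the delivery pattern described in the article.
EVENTS = [
    {"pid": 1200, "ppid": 900, "image": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe",
     "cmdline": "sqlservr.exe -sMSSQLSERVER"},
    {"pid": 1340, "ppid": 1200, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c C:\Users\Public\stage1.bat"},
    {"pid": 1355, "ppid": 1340, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -EncodedCommand SQBFAFgA"},
    {"pid": 2000, "ppid": 800, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 2010, "ppid": 2000, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe Get-Process"},
]

SQL_IMAGES = ("sqlservr.exe",)
SHELL_IMAGES = ("cmd.exe", "powershell.exe", "pwsh.exe")
# Indicators of a batch-wrapped or encoded PowerShell launch (assumed heuristic).
SUSPICIOUS_CMD = re.compile(r"(-enc(odedcommand)?\b|\.bat\b|-w(indowstyle)?\s+hidden)", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(events, pid, max_depth=8):
    """Return the image names from pid up to the root (child first)."""
    by_pid = {e["pid"]: e for e in events}
    chain = []
    while pid in by_pid and len(chain) < max_depth:
        chain.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain


def find_sql_shell_chains(events):
    """Return (pid, chain) for shell or PowerShell processes that descend from
    sqlservr.exe and whose command line shows batch or encoded execution."""
    hits = []
    for e in events:
        if basename(e["image"]) not in SHELL_IMAGES:
            continue
        chain = ancestry(events, e["pid"])
        if any(a in SQL_IMAGES for a in chain[1:]) and SUSPICIOUS_CMD.search(e["cmdline"]):
            hits.append((e["pid"], " <- ".join(chain)))
    return hits


if __name__ == "__main__":
    for pid, chain in find_sql_shell_chains(EVENTS):
        print(f"pid {pid}: {chain}")
```

The unrelated explorer.exe -> powershell.exe launch is deliberately left unflagged, so the rule keys on the SQL Server ancestry rather than on PowerShell alone.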
The group also used the hacking tool Metasploit, which was deployed in a later stage of the attack before the Remcos RAT concludes its final routine, to load the Mallox ransomware wrapped in the FUD packer, the researchers said.
"While using FUD packers and Metasploit are not new tactics, it does show how Mallox, like other attackers, will keep innovating even the simplest means of abuse to evade defenses put up by organizations to avoid compromise," the researchers noted.
"Security teams and organizations should not underestimate its effectivity in circumventing current and established security solutions, especially in key features that leave technologies almost blind until a victim is documented," they wrote in the post.
Trend Micro expects that the majority of Mallox victims still have vulnerable SQL servers that are being exploited to gain entry. To combat this, security teams should have visibility into their patching gaps and check all possible attack surfaces to ensure their respective systems are not susceptible to abuse and exploitation.
Meanwhile, as the FUD packer that Mallox is using appears to be a step ahead of the current security solutions that most organizations use, it might be time to step up the game and add AI- and machine learning-based file checking and behavior monitoring solutions to the mix, the researchers noted.
Moreover, best practices for network blocking as well as specific ransomware detection and blocking measures can also provide a multi-layered approach to mitigate the impact of the risks that these threats present.
"Organizations should encourage and implement redundant exercises ensuring users' awareness of their own systems and networks to prevent intrusion attempts and execution of malicious activities," the researchers wrote.
