Mallox Ransomware Group Enhances Malware Variants and Evasion Tactics

August 7, 2023

The Mallox ransomware group, also known as TargetCompany, Fargo, and Tohnichi, has stepped up its attacks on organizations with vulnerable SQL servers. It has introduced a new variant and various other malware tools to maintain persistence and evade detection. The group emerged in June 2021 and has been gaining momentum since. In its recent attacks, it has combined its custom ransomware with two proven malware products — the Remcos RAT and the BatCloak obfuscator, as revealed by researchers from TrendMicro.

The group's method of gaining access to targeted organizations' networks has remained consistent — exploiting vulnerable SQL servers to persistently deploy its first stage. The group typically exploits two remote code execution (RCE) vulnerabilities in SQL, CVE-2020-0618 and CVE-2019-1068, in its attacks. However, the group has also started changing its tactics in later stages of the attack to maintain a stealthy presence on targeted networks and hide its malicious activity.

The researchers found that the group tries various methods to achieve persistence, such as changing the URLs or applicable paths until it successfully finds an area to execute the Remcos RAT. The group also used the hacking tool Metasploit, which was deployed in a later stage of the attack before the Remcos RAT concludes its final routine, to load Mallox ransomware wrapped in the FUD packer.

The use of FUD packers and Metasploit are not new tactics, but it demonstrates how Mallox, like other attackers, will continue to innovate even the simplest means of abuse to evade defenses put up by organizations. The researchers noted that security teams and organizations should not underestimate its effectiveness in circumventing current and established security solutions.

The researchers expect that the majority of Mallox' victims still have vulnerable SQL Servers that are being exploited to gain entry. To combat this, security teams should have visibility into their patching gaps, and check all possible attack surfaces to ensure their systems are not susceptible to abuse and exploitation.

As the FUD packer that Mallox is using appears to be a step ahead of the current security solutions that most organizations use, it might be time to add AI- and machine learning-based file checking and behavior monitoring solutions to the mix. The researchers also suggest implementing best practices for network blocking as well as specific ransomware detection and blocking measures.

Latest News

• Critical Citrix ADC Vulnerability: PoC Released for 0-day Flaw - CVE-2023-3519
• Critical Vulnerability in PaperCut Software Exposes Unpatched Servers to Remote Code Execution Attacks
• Top Exploited Cybersecurity Vulnerabilities of 2022 Unveiled by FBI, CISA, and NSA
• Milesight Industrial Router Faces Multiple RCE Vulnerabilities: Cisco Talos Report
• Ivanti Reveals Critical Authentication Bypass Vulnerability in MobileIron Core