Mallox Ransomware Group Enhances Malware Variants and Evasion Tactics

August 7, 2023

The Mallox ransomware group, also known as TargetCompany, Fargo, and Tohnichi, has stepped up its attacks on organizations with vulnerable SQL servers. It has introduced a new variant and various other malware tools to maintain persistence and evade detection. The group emerged in June 2021 and has been gaining momentum since. In its recent attacks, it has combined its custom ransomware with two proven malware products, the Remcos RAT and the BatCloak obfuscator, as revealed by researchers from Trend Micro.

The group's method of gaining access to targeted organizations' networks has remained consistent: it exploits vulnerable SQL servers to persistently deploy its first stage. The group typically exploits two remote code execution (RCE) vulnerabilities in SQL Server, CVE-2020-0618 and CVE-2019-1068, in its attacks. However, the group has also started changing its tactics in later stages of the attack to maintain a stealthy presence on targeted networks and hide its malicious activity.

The researchers found that the group tries various methods to achieve persistence, such as changing the URLs or applicable paths until it finds a location from which it can execute the Remcos RAT. The group also used the hacking tool Metasploit, deployed in a later stage of the attack before the Remcos RAT concludes its final routine, to load Mallox ransomware wrapped in the FUD (fully undetectable) packer.

The use of FUD packers and Metasploit is not new, but it demonstrates how Mallox, like other attackers, will continue to innovate on even the simplest means of abuse to evade the defenses organizations put up. The researchers noted that security teams and organizations should not underestimate the effectiveness of this approach in circumventing current and established security solutions.

The researchers expect that the majority of Mallox's victims still have vulnerable SQL Servers that are being exploited to gain entry. To combat this, security teams should have visibility into their patching gaps and check all possible attack surfaces to ensure their systems are not susceptible to abuse and exploitation.

As the FUD packer that Mallox is using appears to be a step ahead of the current security solutions that most organizations use, it might be time to add AI- and machine learning-based file checking and behavior monitoring solutions to the mix. The researchers also suggest implementing best practices for network blocking as well as specific ransomware detection and blocking measures.
