Overview

Mallox ransomware, which is also known as Fargo, TargetCompany, Mawahelper, and so on, has been active since mid-2021. Their operation was also observed in transitioning into the Ransomware-as-a-Service distribution model from mid-2022.

Mallox group focuses on multi-extortion, encrypting their victims’ data and threatening to post it on their public TOR-based sites.

At initial versions, Mallox payloads are usually .NET-based, .EXE, or .DLL files which were spread through various methods, including exposed MS-SQL servers and phishing or spam emails to target Windows systems. 

Now, the new Mallox ransomware Linux variants have been found in the wild. The attackers are using custom python scripts for the purpose of payload delivery and victim's information exfiltration. The malware encrypts user data and appends .locked extension to the encrypted files.

Figure 1: Mallox ransomware diamond model

Technical Analysis

The Uptycs Threat Research team discovered a Python script named web_server.py during their investigation. Upon examining its contents and functions, it was identified as The Flask based Mallox ransomware web panel that can be used to create a fast and customizable ransomware for linux systems. The script connects to a backend database using environment variables for database credentials. It includes routes for user authentication, build management, and admin functions, supporting new user registration, login, password reset, and ransomware build creation, management, and downloading. Admins can manage users, view logs, and perform account actions. Additionally, the application features user profile management, a chat interface for builds, and a custom 404 error page.

Figure 2: Web_Server.py script contents

The script (web_server.py) essentially creates a Mallox ransomware encryptor along with a decryptor for any user who registers. It contains an IP address: 185[.]73[.]125[.]6 in the host IP field. This ip is mainly used by someone to build newly linux ransomware builder for Mallox based on used config file, latter can be used for encrypt the system Following that 185[.]73[.]125[.]6/output reveals the following contents:

Figure 3: Index of /output

The above screenshot displays build IDs, and opening any of the links reveals the encryptor, decryptor, and config.json files.

Figure 4: Index of /output/{build-id}

Encryptor

Let's discuss the Ransomware Encryptor. Upon examining the strings of the sample, we notice a base64-encoded content that appears not to be standard base64.

Figure 5: Encrypted config

The above base64 content is converted to hex and then xor with 0x9b (155 decimal) and then AES-256-CBC decryption with "iv": "/4EvHTiTUuIMrzjYSpnVLQ==", "key": "Byw184x2xrm0qF7sR7fptq1F/96GeD2TAYwbZDSX9dM="

Figure 6: Decryption logic

After decrypting all the base-64 encoded content using the above logic, we obtained the ransomware configuration

Figure 7: Decrypted config

We can see the entire configuration below which includes ransom-note,Client ID,BTC Address,Amount (USD),Deadline, Tox chat ID,note_name,persist,target-id and targeted directories.

Figure 8: Ransomware Configuration

From the above configuration, it is evident that the payload is Mallox Ransomware. The ransomware uses the same AES-256 CBC encryption to encrypt files on the victim's machine (similar to decrypting the config), with 'iv': '/4EvHTiTUuIMrzjYSpnVLQ==' and 'key': 'Byw184x2xrm0qF7sR7fptq1F/96GeD2TAYwbZDSX9dM='. AES is a symmetric algorithm and for any encrypted file it can be decrypted with the same key and IV. After encryption the Ransomware appends extension .lmallox and drops a Ransomnote with name READ_THIS_NOW.txt

Figure 9: Ransom-note

Decryptor

Decryptor file is available on 185[.]73[.]125[.]6/output/{build-id}/decryptor for the corresponding encryptor. Uptycs Threat Research team has collected 7 decryptors for their corresponding encryptors for the following build-ids (chat-id):

• 1a2040656ec7ac34
• 7cc49d60f71e4ca4
• 84bb1f05ce370665
• 928bc7bf4d954d3d
• b90ae4c6e011c45e
• f6b040a56afcb6fb
• F65bccf063ee3cc6

Uptycs XDR Coverage

Uptycs demonstrates robust detection capabilities, featuring built-in YARA support and advanced functionality for identifying such campaign activity threats with the detailed descriptions.

The Following Figure shows the Uptycs detection

Figure 10: Uptycs detection

Hunting for Mallox Infrastructure

Following graph show the how can we hunt for current mallox hosted server by performing following query on FOFA or Censys

• fofa query: "http://mallox-2.example.com"
• censys query: "http://mallox-2.example.com"

Figure 11: Hunting Mallox ransomware Infrastructure

Indicators of Compromise

Yara detection: