Threat Research Report Team

Mallox Ransomware: Linux Variant Decryptor Found | Uptycs

Written by Tejaswini Sandapolla & Shilpesh Trivedi | Jul 3, 2024 8:32:59 PM

 

Overview

Mallox ransomware, which is also known as Fargo, TargetCompany, Mawahelper, and so on, has been active since mid-2021. Their operation was also observed in transitioning into the Ransomware-as-a-Service distribution model from mid-2022.

Mallox group focuses on multi-extortion, encrypting their victims’ data and threatening to post it on their public TOR-based sites.

At initial versions, Mallox payloads are usually .NET-based, .EXE, or .DLL files which were spread through various methods, including exposed MS-SQL servers and phishing or spam emails to target Windows systems. 

Now, the new Mallox ransomware Linux variants have been found in the wild. The attackers are using custom python scripts for the purpose of payload delivery and victim's information exfiltration. The malware encrypts user data and appends .locked extension to the encrypted files.

Figure 1: Mallox ransomware diamond model

 

Technical Analysis

The Uptycs Threat Research team discovered a Python script named web_server.py during their investigation. Upon examining its contents and functions, it was identified as The Flask based Mallox ransomware web panel that can be used to create a fast and customizable ransomware for linux systems. The script connects to a backend database using environment variables for database credentials. It includes routes for user authentication, build management, and admin functions, supporting new user registration, login, password reset, and ransomware build creation, management, and downloading. Admins can manage users, view logs, and perform account actions. Additionally, the application features user profile management, a chat interface for builds, and a custom 404 error page.

Figure 2: Web_Server.py script contents

The script (web_server.py) essentially creates a Mallox ransomware encryptor along with a decryptor for any user who registers. It contains an IP address: 185[.]73[.]125[.]6 in the host IP field. This ip is mainly used by someone to build newly linux ransomware builder for Mallox based on used config file, latter can be used for encrypt the system Following that 185[.]73[.]125[.]6/output reveals the following contents:

Figure 3: Index of /output

The above screenshot displays build IDs, and opening any of the links reveals the encryptor, decryptor, and config.json files.

Figure 4: Index of /output/{build-id}

 

 

 

Encryptor

Let's discuss the Ransomware Encryptor. Upon examining the strings of the sample, we notice a base64-encoded content that appears not to be standard base64.

Figure 5: Encrypted config

The above base64 content is converted to hex and then xor with 0x9b (155 decimal) and then AES-256-CBC decryption with "iv": "/4EvHTiTUuIMrzjYSpnVLQ==", "key": "Byw184x2xrm0qF7sR7fptq1F/96GeD2TAYwbZDSX9dM="

Figure 6: Decryption logic

After decrypting all the base-64 encoded content using the above logic, we obtained the ransomware configuration

Figure 7: Decrypted config

We can see the entire configuration below which includes ransom-note,Client ID,BTC Address,Amount (USD),Deadline, Tox chat ID,note_name,persist,target-id and targeted directories.

Figure 8: Ransomware Configuration

From the above configuration, it is evident that the payload is Mallox Ransomware. The ransomware uses the same AES-256 CBC encryption to encrypt files on the victim's machine (similar to decrypting the config), with 'iv': '/4EvHTiTUuIMrzjYSpnVLQ==' and 'key': 'Byw184x2xrm0qF7sR7fptq1F/96GeD2TAYwbZDSX9dM='. AES is a symmetric algorithm and for any encrypted file it can be decrypted with the same key and IV. After encryption the Ransomware appends extension .lmallox and drops a Ransomnote with name READ_THIS_NOW.txt

Figure 9: Ransom-note

 

Decryptor

Decryptor file is available on 185[.]73[.]125[.]6/output/{build-id}/decryptor for the corresponding encryptor. Uptycs Threat Research team has collected 7 decryptors for their corresponding encryptors for the following build-ids (chat-id):

  • 1a2040656ec7ac34
  • 7cc49d60f71e4ca4
  • 84bb1f05ce370665
  • 928bc7bf4d954d3d
  • b90ae4c6e011c45e
  • f6b040a56afcb6fb
  • F65bccf063ee3cc6

 

Uptycs XDR Coverage

Uptycs demonstrates robust detection capabilities, featuring built-in YARA support and advanced functionality for identifying such campaign activity threats with the detailed descriptions.

The Following Figure shows the Uptycs detection

Figure 10: Uptycs detection

 

Hunting for Mallox Infrastructure

Following graph show the how can we hunt for current mallox hosted server by performing following query on FOFA or Censys

  • fofa query: "http://mallox-2.example.com"
  • censys query: "http://mallox-2.example.com"

Figure 11: Hunting Mallox ransomware Infrastructure

 

Indicators of Compromise

Indicator Type

Indicators

File name

IP

185[.]73[.]125[.]6

 

IP

91[.]215[.]85[.]142

 

IP

91[.]215[.]85[.]135

 

MD5

3dde1507996cf8c3dd53a726501be33b

Webserver.py

MD5

b0770b7f24a436d256f2d58fc8581a18

decryptor

MD5

231478ff24055d5cdb5fbec36060c8ff

encryptor

MD5

51d51696c7f3a0e3fba4b8ceab210bac

decryptor

MD5

8d0fd41d35df82d3e7e2ff5c1747b87c

encryptor

MD5

e9e087c52b97c7a3e343642379829e0a

decryptor

MD5

68785d476573955d50a3908dc18bf73b

encryptor

MD5

cb60ad37c9a632c697fb2da7add7ccb5

decryptor

MD5

6bb2752ea73b4d6a5c33f543b5c29461

encryptor

MD5

1448ce8abc2f0184ec898d55f9c338b4

decryptor

MD5

5b0c1958a875c205951b88fd1c885900

encryptor

MD5

7f099845d8e6849d6ab4d64b546477d6

decryptor

MD5

4825f3a92780be4a285583b0f24fed99

encryptor

MD5

be08c3e95df5992903a69e04cbab22e3

decryptor

MD5

779aa15cd6a8d416e7f722331d87f47b

encryptor

Yara detection: