Mallox, also known as TargetCompany, FARGO, and Tohnichi, is a ransomware strain operated under the Ransomware-as-a-Service (RaaS) business model that has been active since June 2021.

The ransomware primarily targets unsecured MS-SQL servers to compromise victim networks. These attacks commence with a dictionary attack, which attempts to authenticate to the exposed MS-SQL servers using a list of known or commonly used passwords. After gaining access, the attackers leverage PowerShell to download the Mallox ransomware payload from a remote server.

Incident responders have also observed Mallox ransomware using tools such as network scanners and performing data exfiltration.

Investigators have found indications that the group has been expanding its operations by recruiting affiliates via underground forums. Affiliates of the RaaS program are those who conduct the attacks and collect the profits, which are then shared between the affiliate and the operator.

AttackIQ has released a new attack graph that brings together the post-compromise Tactics, Techniques, and Procedures (TTPs) exhibited by Mallox to help customers validate their security controls and their ability to defend against this disruptive and destructive threat.

Validating your security program performance against these behaviors is vital in reducing risk. By using this new assessment template in the AttackIQ Security Optimization Platform, security teams will be able to:

• Evaluate security control performance against baseline behaviors associated with the Mallox ransomware.
• Assess their security posture against an opportunistic adversary.
• Continuously validate detection and prevention pipelines against a playbook similar to those of many of the groups currently focused on ransomware activities.

Mallox Ransomware – 2024-01 – Associated Tactics, Techniques, and Procedures (TTPs)

On July 20, 2023, Palo Alto Networks reported a threat assessment on Mallox ransomware, a ransomware strain operated under the Ransomware-as-a-Service (RaaS) business model that has been active since June 2021. Six months later, in January 2024, TrueSec published an article in which it shared insights into the incident response that allowed a Mallox ransomware victim to fully recover from the attack.

Initial Access & Execution – Payload Deployment

This stage begins with the download of a sample of Mallox ransomware via PowerShell and continues with the deployment of a PowerShell script which is executed with the ExecutionPolicy flag set to bypass. Once operational, the ransomware is executed using Windows Management Instrumentation (WMI).

Ingress Tool Transfer (T1105): These scenarios download to memory and save to disk in two separate scenarios to test network and endpoint controls and their ability to prevent the delivery of known malicious content.

Command and Scripting Interpreter: PowerShell (T1059.001): This scenario encodes a user-defined PowerShell script into base64 and then executes it using PowerShell’s -encodedCommand parameter.

Windows Management Instrumentation (T1047): This scenario executes a binary by creating a process using Windows Management Instrumentation (WMI).

Discovery & Persistence – Create Local Account

This stage performs the deployment of a batch script (BAT) used to perform the initial reconnaissance and obtain persistence by creating a new local account that will be immediately added to the local groups “Administrators” and “Remote Desktop Users”.

System Information Discovery (T1082): This scenario executes the systeminfo command to collect information about the compromised system.

System Network Configuration Discovery (T1016): This scenario executes route, ipconfig, nltest, net or arp commands to obtain the different information available about the network configuration.

Create Account: Local Account (T1136.001): This scenario attempts to create a new user into the system with the net user Windows command.

Account Manipulation (T1098): This scenario adds a local user to the local Administrators group using the net localgroup command.

Account Manipulation (T1098): This scenario adds a local user to the local Remote Desktop Users group using the net localgroup command.

Defense Evasion & Lateral Movement – Enable Remote Desktop Connections

This stage focuses on enabling Remote Desktop connections in order to infect neighboring systems. Initially, the registry keys fDenyTSConnections and LimitBlankPasswords, part of the Local Security Authority (LSA), will be modified. Subsequently, a rule is created in the local firewall via Netsh to allow Remote Desktop connections via port 3389. Finally, an attempt will be made to move laterally to an additional remote system via Remote Desktop Protocol (RDP).

Impair Defenses: Disable or Modify Tools (T1562.001): The registry key HKLM\SYSTEM\CurrentControlSet\Control\Terminal Services\fDenyTSConnections is set to 0 which will enable remote access to the system using Remote Desktop.

Disable Limit Blank Password Use via Registry (T1562): This scenario disables the Limit Blank Password Use setting by setting the existing HKLM\SYSTEM\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse registry key to 0.

Impair Defenses: Disable or Modify Tools (T1562.001): This scenario uses the netsh to create a new rule in the Windows System Firewall to allow Remote Desktop (port 3389/TCP) traffic into the targeted asset.

Remote Services: Remote Desktop Protocol (T1021.001): This scenario attempts to move laterally within a network using the Remote Desktop Protocol (RDP) protocol.

Discovery & Exfiltration – Local System Reconnaissance

This stage focuses on the reconnaissance of the system through Windows API calls. The purpose of this is to discover additional system information, such as name and location. This culminates in the exfiltration of the collected information through HTTP POST requests.

Virtualization/Sandbox Evasion (T1497): This scenario will call the IsDebuggerPresent Windows API to detect the presence of a debugger attached to the current process.

System Information Discovery (T1082): This scenario executes the GetNativeSystemInfo Native API call to retrieve information associated to the system.

System Location Discovery (T1614): This scenario executes the GetLocaleInfoA Windows API to retrieve the user default country locale code from the local computer.

Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol (T1048.003): This scenario exfiltrates a pre-generated text file containing the output from a series of discovery commands executed by a threat actor. The file is exfiltrated using an HTTP POST request to an AttackIQ controlled test server.

Impact – Mallox Ransomware Encryption

This stage begins with the removal of Volume Shadow Copies via Vssadmin and continues with the removal of security event logs using Wevtutil. Finally, files are encrypted using an encryption scheme similar to the one used by Mallox ransomware.

Inhibit System Recovery (T1490): This scenario executes the vssadmin.exe utility to delete a recent Volume Shadow Copy created by the assessment template.

Indicator Removal: Clear Windows Event Logs (T1070.001): The scenario will use the wevtutil.exe binary to clear event logs from the system.

Data Encrypted for Impact (T1486): This scenario performs the file encryption routines used by common ransomware families. Files matching an extension list are identified and encrypted in place using similar encryption algorithms.

Detection and Mitigation Opportunities

Given the number of different techniques being utilized by this threat, it can be difficult to know which to prioritize for prevention and detection opportunities. AttackIQ recommends first focusing on the following techniques emulated in our scenarios before moving on to the remaining techniques.

1. Ingress Tool Transfer

This actor relies heavily in downloading additional stages of malware. Endpoint and Network security controls should both be employed to try and detect the delivery of these malicious payloads.

1a. Detection

The following signatures can help identify when native utilities are being used to download malicious payloads.

PowerShell Example:

Process Name == (Cmd.exe OR Powershell.exe)
Command Line CONTAINS ((“IWR” OR “Invoke-WebRequest") AND “DownloadData” AND “Hidden”)

1b. Mitigation

MITRE ATT&CK has the following mitigation recommendations.

• M1031 – Network Intrusion Prevention

2. Inhibit System Recovery (T1490):

Adversaries often delete Volume Shadow Copies to prevent the possibility of restoring files back to their original state. This is a common technique used by ransomware as it prevents the recovery of files once the ransomware encryption routine successfully completes execution.

2a. Detection

Detecting deletion of Volume Shadow Copies is usually the first step that occurs and can be detected by looking at the command line activity:

Via vssadmin.exe:

Process Name == (cmd.exe OR powershell.exe)
Command Line CONTAINS (“vssadmin” AND “Delete Shadows”)

Via PowerShell:

Process Name == powershell.exe
Command Line == “Get-WmiObject Win32_Shadowcopy | ForEach-Object ($_.Delete();)”

2b. Mitigation

MITRE ATT&CK has the following mitigation recommendations for Inhibit System Recovery

3. Data Encrypted for Impact (T1486):

Preventing systems and files from being encrypted should be a top priority. Ensuring that you have layered endpoint defenses including Antivirus and EDR solutions is critical.

3a. Detection

Ransomware attacks are best prevented and alerted by your EDR/AV Policies. Typically, a configuration for ransomware protection is presented and we strongly encourage that it is enabled in your security controls.

Detecting suspicious Data Exfiltration: Detecting exfiltration is well suited for IDS/IPS and DLP solutions. These products should be configured to identify sensitive files. If sensitive files, or a large amount of web traffic is sent to a rare external IP, it should be detected or prevented depending on security policies for the security control. Historical NetFlow data logging can also bubble up hosts that are experience uncommon peaks in outgoing traffic.

Detecting Ransomware-like File Encryption: Utilizing an EDR or SIEM/SOAR product can help detect and prevent suspicious file encryption related to ransomware attacks. Utilizing these tools to look for excessive file modifications (greater than 1000 on a system) within less than a minute of time is a good starting indicator.

To increase the fidelity a bit, you could include file modification of file extensions to popular ransomware extensions such as .conti, .Locky, .Ryuk, etc. If possible, with a SOAR or preventative EDR platform, we recommend setting these detections to kill all processes involved in creating the alert as it will most likely stop the spread of the Ransomware.

3b. Mitigation

MITRE ATT&CK Recommends the following mitigations:

Wrap-up

In summary, this attack graph will evaluate security and incident response processes and support the improvement of your security control posture against the activities carried out by Mallox ransomware operators. With data generated from continuous testing and use of this assessment template, you can focus your teams on achieving key security outcomes, adjust your security controls, and work to elevate your total security program effectiveness against a known and dangerous threat.

AttackIQ offers a comprehensive Breach and Attack Simulation Platform to assist security teams. This includes AttackIQ Flex, a tailored pay-as-you-go service; AttackIQ Ready!, a fully managed service for continuous security optimization; and AttackIQ Enterprise, a co-managed service offering enhanced support. These services ensure your team maintains a robust security posture.