AhnLab Security Emergency response Center (ASEC) has recently discovered the distribution of the Mallox ransomware during the team’s monitoring. As covered before, Mallox, which targets vulnerable MS-SQL servers, has historically been distributed at a consistently high rate based on AhnLab’s statistics.
The malware disguised as a program related to DirectPlay is a file built in .NET which, as shown in Figure 3, connects to a certain address, downloads additional malware, and runs it in the memory. If this address cannot be reached during this process, attempts are made continuously through an infinite loop statement. Although the address that downloads additional malware for the malware being covered in this post currently cannot be accessed, considering that it shares the same domain address connected to the Mallox ransomware that the ASEC analysis team had acquired back in February, it can be assumed that this domain is the main distribution site of Mallox.
- hxxp://80.66.75[.]36/a-Vxnwcwh.dat (February)
- hxxp://80.66.75[.]36/a-Ubxdzddvl.png (March)
The additional malware that is downloaded is a data file encoded in Base64. Decoding and reversing this file reveals that it is a DLL file built using .NET.
The loaded DLL performs a delayed behavior through PowerShell and runs recursion on the process before injection.
|“C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe” -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAANgAwAA==|
→ “C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe” start-sleep -seconds 60
The ransomware is able to exclude certain language environments from infection based on the PC’s language settings.
After the LangID scan is complete, it performs commands to delete the registry, disable recovery, and terminate SQL-related services and processes.
|“C:\Windows\System32\cmd.exe” /C sc delete “MSSQLFDLauncher”&&sc delete “MSSQLSERVER”&&sc delete “SQLSERVERAGENT”&&sc delete “SQLBrowser”&&sc delete “SQLTELEMETRY”&&sc delete “MsDtsServer130″&&sc delete “SSISTELEMETRY130″&&sc delete “SQLWriter”&&sc delete “MSSQL$VEEAMSQL2012″&&sc delete “SQLAgent$VEEAMSQL2012″&&sc delete “MSSQL”&&sc delete “SQLAgent”&&sc delete “MSSQLServerADHelper100″&&sc delete “MSSQLServerOLAPService”&&sc delete “MsDtsServer100″&&sc delete “ReportServer”&&sc delete “SQLTELEMETRY$HL”&&sc delete “TMBMServer”&&sc delete “MSSQL$PROGID”&&sc delete “MSSQL$WOLTERSKLUWER”&&sc delete “SQLAgent$PROGID”&&sc delete “SQLAgent$WOLTERSKLUWER”&&sc delete “MSSQLFDLauncher$OPTIMA”&&sc delete “MSSQL$OPTIMA”&&sc delete “SQLAgent$OPTIMA”&&sc delete “ReportServer$OPTIMA”&&sc delete “msftesql$SQLEXPRESS”&&sc delete “postgresql-x64-9.4″&&rem Kill “SQL”&&taskkill -f -im sqlbrowser.exe&&taskkill -f -im sqlwriter.exe&&taskkill -f -im sqlservr.exe&&taskkill -f -im msmdsrv.exe&&taskkill -f -im MsDtsSrvr.exe&&taskkill -f -im sqlceip.exe&&taskkill -f -im fdlauncher.exe&&taskkill -f -im Ssms.exe&&taskkill -f -im SQLAGENT.EXE&&taskkill -f -im fdhost.exe&&taskkill -f -im fdlauncher.exe&&taskkill -f -im sqlservr.exe&&taskkill -f -im ReportingServicesService.exe&&taskkill -f -im msftesql.exe&&taskkill -f -im pg_ctl.exe&&taskkill -f -im postgres.exe|
In addition, shutdown warning messages, additional registry settings, and exfiltration of infected PC information are performed for more sophisticated infection behavior. Infection is also applied to the following files targeted for encryption.
|desktop.ini ntuser.dat thumbs.db iconcache.db ntuser.ini ntldr bootfont.bin ntuser.dat.log boot.ini autorun.inf debugLog.txt TargetInfo.txt|
|.msstyles .icl .idx .avast .rtp .mallox .sys .nomedia .dll .hta .cur .lock .cpl .Globeimposter-Alpha865qqz .ics .hlp .com .spl .msi .key .mpa .rom .drv .bat .386 .adv .diangcab .mod .scr .theme .ocx .prf .cab .diagcfg .msu .cmd .ico .msc .ani .icns .diagpkg .deskthemepack .wpx .msp .bin .themepack .shs .nls .exe .lnk .ps1 .mallox|
|msocache; $windows.~ws; system volume information; intel; appdata; perflogs; programdata; google; application data; tor browser; boot; $windows.~bt; mozilla; boot; windows.old; Windows Microsoft.NET; WindowsPowerShell; Windows NT; Windows; Common Files; Microsoft Security Client; Internet Explorer; Reference; Assemblies; Windows Defender; Microsoft ASP.NET; Core Runtime; Package; Store; Microsoft Help Viewer; Microsoft MPI; Windows Kits; Microsoft.NET; Windows Mail; Microsoft Security Client; Package Store; Microsoft Analysis Services; Windows Portable Devices; Windows Photo Viewer; Windows Sidebar|
Figure 12 is a screenshot of a ransom note. Files are encrypted with [Original File Name].mallox as their new filenames.
To prevent ransomware infection, users must be cautious of running files from unknown sources and make sure to scan suspicious files with an anti-malware program while also keeping the program updated to the latest version.
V3 detects this malware in the following way.
- Ransomware/Win.Mallox.C5391834 (2023.03.07.02)
- Ransomware/Win.Mallox.R558884 (2023.02.18.03)
- Data/BIN.Encoded (2023.03.09.00)
– 0646ae6d3584f81c257485ade2624e71 (Initial loader)
– efe4fffe822e92cf222c31178b95e112 (Base64-encoded DLL)
– b48fe2132ce656be3754560ea9ce8e4e (Base64-decoded DLL)
– 0c7c3ea4c20de5d632be7beddd01c1ba (Mallox ransomware)
Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.