Mallox Ransomware Being Distributed in Korea

AhnLab Security Emergency response Center (ASEC) has recently discovered the distribution of the Mallox ransomware during the team’s monitoring. As covered before, Mallox, which targets vulnerable MS-SQL servers, has historically been distributed at a consistently high rate based on AhnLab’s statistics.

Figure 1. Ransomware statistics for Q4 2022

The malware disguised as a program related to DirectPlay is a file built in .NET which, as shown in Figure 3, connects to a certain address, downloads additional malware, and runs it in the memory. If this address cannot be reached during this process, attempts are made continuously through an infinite loop statement. Although the address that downloads additional malware for the malware being covered in this post currently cannot be accessed, considering that it shares the same domain address connected to the Mallox ransomware that the ASEC analysis team had acquired back in February, it can be assumed that this domain is the main distribution site of Mallox.

  • hxxp://80.66.75[.]36/a-Vxnwcwh.dat (February)
  • hxxp://80.66.75[.]36/a-Ubxdzddvl.png (March)
Figure 2. Malware disguised as a DirectPlay program
Figure 3. Download of additional malware

The additional malware that is downloaded is a data file encoded in Base64. Decoding and reversing this file reveals that it is a DLL file built using .NET.

Figure 4. A portion of the downloaded data file
Figure 5. A portion of the decoded DLL file

The loaded DLL performs a delayed behavior through PowerShell and runs recursion on the process before injection.

“C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe” -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAANgAwAA==
→ “C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe” start-sleep -seconds 60
Table 1. Delayed behavior

The ransomware is able to exclude certain language environments from infection based on the PC’s language settings.

Figure 6. Logic that checks the PC’s language settings
Lang IDCountry
Table 2. UserDefaultLangID

After the LangID scan is complete, it performs commands to delete the registry, disable recovery, and terminate SQL-related services and processes.

Figure 7. Registry deletion
Figure 8. Recovery deactivation and SQL processes termination
Figure 9. SQL services deletion
“C:\Windows\System32\cmd.exe” /C sc delete “MSSQLFDLauncher”&&sc delete “MSSQLSERVER”&&sc delete “SQLSERVERAGENT”&&sc delete “SQLBrowser”&&sc delete “SQLTELEMETRY”&&sc delete “MsDtsServer130″&&sc delete “SSISTELEMETRY130″&&sc delete “SQLWriter”&&sc delete “MSSQL$VEEAMSQL2012″&&sc delete “SQLAgent$VEEAMSQL2012″&&sc delete “MSSQL”&&sc delete “SQLAgent”&&sc delete “MSSQLServerADHelper100″&&sc delete “MSSQLServerOLAPService”&&sc delete “MsDtsServer100″&&sc delete “ReportServer”&&sc delete “SQLTELEMETRY$HL”&&sc delete “TMBMServer”&&sc delete “MSSQL$PROGID”&&sc delete “MSSQL$WOLTERSKLUWER”&&sc delete “SQLAgent$PROGID”&&sc delete “SQLAgent$WOLTERSKLUWER”&&sc delete “MSSQLFDLauncher$OPTIMA”&&sc delete “MSSQL$OPTIMA”&&sc delete “SQLAgent$OPTIMA”&&sc delete “ReportServer$OPTIMA”&&sc delete “msftesql$SQLEXPRESS”&&sc delete “postgresql-x64-9.4″&&rem Kill “SQL”&&taskkill -f -im sqlbrowser.exe&&taskkill -f -im sqlwriter.exe&&taskkill -f -im sqlservr.exe&&taskkill -f -im msmdsrv.exe&&taskkill -f -im MsDtsSrvr.exe&&taskkill -f -im sqlceip.exe&&taskkill -f -im fdlauncher.exe&&taskkill -f -im Ssms.exe&&taskkill -f -im SQLAGENT.EXE&&taskkill -f -im fdhost.exe&&taskkill -f -im fdlauncher.exe&&taskkill -f -im sqlservr.exe&&taskkill -f -im ReportingServicesService.exe&&taskkill -f -im msftesql.exe&&taskkill -f -im pg_ctl.exe&&taskkill -f -im postgres.exe
Table 3. Parameters to delete SQL services

In addition, shutdown warning messages, additional registry settings, and exfiltration of infected PC information are performed for more sophisticated infection behavior. Infection is also applied to the following files targeted for encryption.

Figure 10. Registry configuration
Figure 11. Information theft
desktop.ini ntuser.dat thumbs.db iconcache.db ntuser.ini ntldr bootfont.bin ntuser.dat.log boot.ini autorun.inf debugLog.txt TargetInfo.txt
Table 4. Files excluded from infection
.msstyles .icl .idx .avast .rtp .mallox .sys .nomedia .dll .hta .cur .lock .cpl .Globeimposter-Alpha865qqz .ics .hlp .com .spl .msi .key .mpa .rom .drv .bat .386 .adv .diangcab .mod .scr .theme .ocx .prf .cab .diagcfg .msu .cmd .ico .msc .ani .icns .diagpkg .deskthemepack .wpx .msp .bin .themepack .shs .nls .exe .lnk .ps1 .mallox
Table 5. Extensions excluded from infection
msocache; $windows.~ws; system volume information; intel; appdata; perflogs; programdata; google; application data; tor browser; boot; $windows.~bt; mozilla; boot; windows.old; Windows Microsoft.NET; WindowsPowerShell; Windows NT; Windows; Common Files; Microsoft Security Client; Internet Explorer; Reference; Assemblies; Windows Defender; Microsoft ASP.NET; Core Runtime; Package; Store; Microsoft Help Viewer; Microsoft MPI; Windows Kits; Microsoft.NET; Windows Mail; Microsoft Security Client; Package Store; Microsoft Analysis Services; Windows Portable Devices; Windows Photo Viewer; Windows Sidebar
Table 6. Paths excluded from infection

Figure 12 is a screenshot of a ransom note. Files are encrypted with [Original File Name].mallox as their new filenames.

Figure 12. Ransom note

To prevent ransomware infection, users must be cautious of running files from unknown sources and make sure to scan suspicious files with an anti-malware program while also keeping the program updated to the latest version.

V3 detects this malware in the following way.

[File Detection]

  • Ransomware/Win.Mallox.C5391834 (2023.03.07.02)
  • Ransomware/Win.Mallox.R558884 (2023.02.18.03)
  • Data/BIN.Encoded (2023.03.09.00)

[Behavior Detection]

  • Malware/MDP.Inject.M218


  • MD5
    – 0646ae6d3584f81c257485ade2624e71 (Initial loader)
    – efe4fffe822e92cf222c31178b95e112 (Base64-encoded DLL)
    – b48fe2132ce656be3754560ea9ce8e4e (Base64-decoded DLL)
    – 0c7c3ea4c20de5d632be7beddd01c1ba (Mallox ransomware)
  • C&C
    – hxxp://80.66.75[.]36/a-Ubxdzddvl.png
    – hxxp://80.66.75[.]36/a-Vxnwcwh.dat

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

0 0 votes
Article Rating
Notify of

1 Comment
Inline Feedbacks
View all comments

[…] post Mallox Ransomware Being Distributed in Korea appeared first on ASEC […]