This site uses cookies to enhance your experience.  By continuing to visit this website, you consent to the use of these cookies. Click here to learn more about our privacy policy.

Sanfor Technologies Blog Background Image

The New Threat: Mallox Ransomware

2021-11-19
0
Mallox Ransomware

1. Mallox Ransomware Description

In October 2021 Mallox, a new type of ransomware, began attacking enterprises in Asia. This new ransomware is identified by encrypted files being given the suffix “. mallox”.

1

After Sangfor FarSight Labs Endpoint Security Team captured samples of this new malware strain, analysis found that Mallox was even more destructive than currently active ransomware. 

  1. Mallox adds a C# shell layer using common DLL hijacking technology to bypass security software.
  2. Mallox spread like a worm through file sharing and uses the same file retrieval technology as Search Artifact to attain rapid file retrieval and encryption.

Mallox can encrypt many files in a very short period of time, resulting in irreparable losses once it is installed on a company's computers.

 

2. Technical Analysis

To bypass anti-virus software, Mallox adds a C# shell layer to hide its malicious behavior, and uses SmartAssembly to obfuscate the C# shell, as seen below:

image2

AdvancedRun.exe is installed and run in the temp directory:

image3

AdvancedRun.exe presents a configuration window when started:

image4

 

Windows Defender is turned off:

image5

The Windows Defender directory is deleted:

image6

The AdvancedRun.exe file is then deleted:

image7

The script file Yubhigusnhbrkitykwictqkill$.bat is created in the temp directory:

image8

The operation of the script file Yubhigusnhbrkitykwictqkill$.bat is as follows, with the main functions being:

  1. Restoring the CMD default association by deleting the registry "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\AutoRun".
  2. Setting security permissions for specified files and folders to prevent them from becoming inaccessible: cmd.exe, net.exe, net1.exe, mshta.exe, FTP.exe, wscript.exe, cscript.exe, powershell.exe, C: \ProgramData, C:\Users\Public.
  3. Deleting the shadow disk.
  4. Stopping and deleting specific programs and services, including security software and any related to line-of-business.

image9

The Visual Basic script Blffpekna.vbs is created in the temp directory to run Yubhigusnhbrkitykwictqkill$.bat:

image10

The Yubhigusnhbrkitykwictqkill$.bat script is run:

image11

MSBuild.exe in the .NET installation directory is copied into the temp directory:

12

The running MSBuild.exe process is identified, and the ransomware main module is injected into the MSBuild.exe process to bypass the security software:

image13

The main Mallox module is an exe file that implements the encryption functions. The following prepared is done before encryption:

  1. Excludes hosts in Russia, Kazakhstan, Russia, Ukraine and Qatar 
  2. Elevates permissions
  3. Deletes the registration form for Raccine
  4. Deletes the disk shadow
  5. Cancels the automatic startup repair mode
  6. Terminates the following program process:

 

image14

If a program is running under the debugger, an exception will be thrown when trying to use CloseHandle to close the handle returned by the FindFirstFile function which prevents the malware from being closed. The malware will prevent debugging from starting again:

image15

The number of encryption threads created are 2 times the number of existing processors with an upper limit of 64 threads:

image16

The encryption threads are synchronized using IOCP and encrypts target files found using the file traversal thread: 

image17

The Chacha20 algorithm (a variant of the Salsa20 stream cipher) is used to encrypt files with the encryption suffix ".mallox".

image18

Ransom information:

image19

Retrieve IP addresses from the ARP table to create a virus propagation thread:

image20

Name the malware file mall.exe and copy it through file sharing to the IP hosts from the ARP table, then create a corresponding service on the target systems. If the virus is run without a shell, it can be spread automatically:

image21

Obtain system disk information of all network disks, removable disks, and local disks. Create a thread for each disk that needs to be encrypted by traversing to find files:

image22

Use this method of reading USN logs to quickly retrieve disk files:

image23

Filter out the ransomware files and the files of the program itself:

image24

Then filter out the following suffix files:

image25

image26

Get the full path of the files and filter the following directories:

image27

image28

Send eligible files to the encryption thread for file encryption:

image29

 

3. Protection Recommendations

  1. Set up access permissions for important files and turn off unnecessary file sharing features.
  2. Perform regular non-local (offline) backups. 
  3. Use a highly secure host password and avoid multiple devices using the same password.
  4. Do not map ports like 3389 directly to the internet or an external network to prevent brute-force cracking.
  5. Avoid opening emails, links, and URL attachments of unknown origin.
  6. Do not download non-genuine software from unofficial sites.
  7. If you find that the file type does not match the original icon, you should scan the file using endpoint detection software to detect any malicious code within the file. 
  8. Regularly scan the system for vulnerabilities and install patches in a timely manner.

 

4. Using Sangfor Products:

image30

 

  1. Run anti-virus and vulnerability scans using Endpoint Secure.
  2. For users of Sangfor Cyber Command, NGAF, and Endpoint Secure, it is recommended that the system engines and signature databases are upgraded regularly. 
  3. Connect to Neural-X and use Cloud Sandbox to detect and defend against new threats.
  4. Sangfor provides free bot and virus removal tools to users. You can download the virus detection and protection tools here: https://page.sangfor.com/anti-bot-tool
  5. Sangfor Engine Zero malware detection engine is integrated into most Sangfor security products to provide precision defense against unknown viruses and malware.
  6. Sangfor has a suite of Security Assessment Services to help users quickly find gaps in their security architecture and develop remediation plans.
  7. Sangfor Security Assessment Services provide security device policy inspection, threat hunting & detection, and vulnerability inspections to ensure that risks are immediately identified, and remediation strategies developed to prevent successful attacks in the future.