Analysis of Mallox Ransomware

Introduction

Sangfor FarSight Labs recently captured a new variant of the Mallox ransomware strain. The variant uses complex control-flow obfuscation to alter its binary signature and evade static analysis by security software.

In the observed attacks, the operators break into systems by cracking weak SQL Server passwords and collect information from them. They then install remote desktop software such as AnyDesk to take control of the system and execute the double-extortion ransomware, which exfiltrates files, encrypts them and appends the .mallox extension, and then displays the following message.

According to the Mallox data exfiltration blog, researchers have observed an uptick in Mallox ransomware activity since March of this year.

Behavior Analysis

Avoidance of static analysis

To evade static analysis by security software, the ransomware sample uses control-flow obfuscation: a number of meaningless jump code blocks are inserted between the real instruction snippets, each consisting of JMP instructions to pre-calculated addresses. During dynamic debugging, these obfuscated blocks can be stepped over by writing a runtime script in the debugger's scripting engine.

Preparation for file encryption

Creates an event object named 89A72EF01 for synchronization, so that files are not encrypted more than once.

Loads powrprof.dll and switches the power plan to High Performance (GUID 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c) by calling the PowerSetActiveScheme function.

Enables the SeTakeOwnershipPrivilege and SeDebugPrivilege privileges for its process by calling the OpenProcessToken and AdjustTokenPrivileges functions.

Creates a window and calls the ShutdownBlockReasonCreate function so that the following message is displayed when a user tries to shut down the computer: "Do NOT shut down OR reboot your PC: this might damage your files permanently!"

Removes the Shut down, Restart, and Sign out options from the Start menu by setting the following registry values: SOFTWARE\Microsoft\PolicyManager\default\Start\HideShutDown, SOFTWARE\Microsoft\PolicyManager\default\Start\HideRestart, and SOFTWARE\Microsoft\PolicyManager\default\Start\HideSignOut.

Disables User Account Control (UAC) by modifying the following registry key: SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System.

Invokes CMD to disable Windows recovery mode by running the following commands: bcdedit /set {current} bootstatuspolicy ignoreallfailures and bcdedit /set {current} recoveryenabled no.

Launches vssadmin to delete volume shadow copies by running the following command: C:\Windows\sysnative\vssadmin.exe delete shadows /all /quiet.

Stops services that might interfere with its encryption activity.
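As an added defensive example (not part of the Sangfor report), the following Python script matches Sysmon-style process-creation and registry-set events against the preparation-phase behaviours listed above: the HideShutDown/HideRestart/HideSignOut policy values, writes under the UAC policy key, the two bcdedit commands and the vssadmin shadow deletion. It then flags hosts on which several distinct behaviours appear together, which is far more specific than any single bcdedit or vssadmin command seen in isolation. The event layout, host names and sample records are constructed for the example; the EnableLUA value name in the sample UAC event is an assumption, since the report names only the key.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Registry value paths written by the sample, as listed in the report (hive prefix omitted)
START_MENU_POLICY_VALUES = (
    r"SOFTWARE\Microsoft\PolicyManager\default\Start\HideShutDown",
    r"SOFTWARE\Microsoft\PolicyManager\default\Start\HideRestart",
    r"SOFTWARE\Microsoft\PolicyManager\default\Start\HideSignOut",
)
# Key under which the sample tampers with UAC; the report does not name the value
UAC_POLICY_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

# Command lines from the report, matched case-insensitively with flexible whitespace
COMMAND_RULES: List[Tuple[str, re.Pattern]] = [
    ("bcdedit_ignore_failures",
     re.compile(r"bcdedit(\.exe)?\s+/set\s+\{current\}\s+bootstatuspolicy\s+ignoreallfailures", re.I)),
    ("bcdedit_disable_recovery",
     re.compile(r"bcdedit(\.exe)?\s+/set\s+\{current\}\s+recoveryenabled\s+no", re.I)),
    ("vssadmin_delete_shadows",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows\s+/all(\s+/quiet)?", re.I)),
]

# Sysmon writes registry targets as HKLM\...; strip the hive before comparing
HIVE_PREFIX = re.compile(r"^HK(LM|EY_LOCAL_MACHINE)\\", re.I)


def check_registry_target(target_object: str) -> List[str]:
    """Findings for one registry-set event (Sysmon Event ID 13 TargetObject)."""
    path = HIVE_PREFIX.sub("", target_object).lower()
    findings = []
    if any(path == v.lower() for v in START_MENU_POLICY_VALUES):
        findings.append("start_menu_power_option_hidden")
    if path.startswith(UAC_POLICY_KEY.lower() + "\\"):
        findings.append("uac_policy_modified")
    return findings


def check_command_line(command_line: str) -> List[str]:
    """Findings for one process-creation event (Sysmon Event ID 1 CommandLine)."""
    return [name for name, rx in COMMAND_RULES if rx.search(command_line)]


def scan_events(events: Iterable[Dict]) -> List[Tuple[str, str]]:
    """Map each event to (host, finding) pairs; other event types are ignored."""
    hits: List[Tuple[str, str]] = []
    for ev in events:
        if ev.get("id") == 13:
            names = check_registry_target(ev["target"])
        elif ev.get("id") == 1:
            names = check_command_line(ev["cmdline"])
        else:
            names = []
        hits.extend((ev["host"], n) for n in names)
    return hits


def summarize_by_host(hits: Iterable[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Distinct findings per host, sorted for stable output."""
    by_host: Dict[str, set] = {}
    for host, name in hits:
        by_host.setdefault(host, set()).add(name)
    return {h: sorted(n) for h, n in by_host.items()}


def hosts_with_prep_chain(hits: Iterable[Tuple[str, str]], min_distinct: int = 3) -> List[str]:
    """Hosts showing at least min_distinct different preparation behaviours."""
    return sorted(h for h, names in summarize_by_host(hits).items() if len(names) >= min_distinct)


# Constructed sample events in a simplified Sysmon-like shape (not from the report)
SAMPLE_EVENTS = [
    {"host": "ws01", "id": 1, "cmdline": r"cmd.exe /c bcdedit /set {current} bootstatuspolicy ignoreallfailures"},
    {"host": "ws01", "id": 1, "cmdline": r"bcdedit /set {current} recoveryenabled no"},
    {"host": "ws01", "id": 1, "cmdline": r"C:\Windows\sysnative\vssadmin.exe delete shadows /all /quiet"},
    {"host": "ws01", "id": 13, "target": r"HKLM\SOFTWARE\Microsoft\PolicyManager\default\Start\HideShutDown"},
    # Value name EnableLUA is assumed for the sample; the report names only the key
    {"host": "ws01", "id": 13, "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"},
    {"host": "ws02", "id": 1, "cmdline": r"vssadmin list shadows"},  # benign admin use
    {"host": "ws02", "id": 13, "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater"},  # unrelated write
]

if __name__ == "__main__":
    all_hits = scan_events(SAMPLE_EVENTS)
    for host, names in summarize_by_host(all_hits).items():
        print(host, names)
    print("preparation chain on:", hosts_with_prep_chain(all_hits))
```

A single vssadmin or bcdedit invocation is common enough in administration that alerting on it alone produces noise; the chain threshold in hosts_with_prep_chain is what turns these individual rules into a ransomware-preparation signal.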

System file encryption

Once the ransomware sample has completed the preceding operations, it starts its encryption module, which calls the GetLogicalDrives function to obtain all disks in the system, the FindFirstFile function to enumerate their files, and Microsoft's Crypt API functions to encrypt the files.

The files in the following directories are not encrypted. The following files are not encrypted.

The files with the following extensions are not encrypted.

Indicators of Compromise (IOCs)

URL

http://91.215.85.142/QWEwqdsvsf/ap.php

Hash

1C459E171A2FB806F4D284B954D221D9
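As an added example (not from the report), the following Python helpers turn the two indicators above into checks a responder can run: matching a file's MD5 against the sample hash, flagging proxy-log requests to the C2 URL or to any other path on the same IP, and listing files that carry the .mallox suffix described earlier. The proxy log format, client addresses and file paths are constructed for the example; MD5 is used only because that is the hash type the report publishes.

```python
import hashlib
from typing import Iterable, List, Tuple
from urllib.parse import urlsplit

# Indicators taken from the report
C2_URL = "http://91.215.85.142/QWEwqdsvsf/ap.php"
SAMPLE_MD5 = {"1c459e171a2fb806f4d284b954d221d9"}   # stored lower-case for comparison
ENCRYPTED_SUFFIX = ".mallox"

C2_HOST = urlsplit(C2_URL).hostname
C2_PATH = urlsplit(C2_URL).path


def is_known_hash(md5_hex: str) -> bool:
    """Case-insensitive lookup of an MD5 string against the sample hash."""
    return md5_hex.strip().lower() in SAMPLE_MD5


def is_known_sample(data: bytes) -> bool:
    """Hash file contents and compare against the report's sample hash."""
    return is_known_hash(hashlib.md5(data).hexdigest())


def classify_request(url: str) -> str:
    """'ioc_url' for the exact C2 URL, 'ioc_host' for any other request to the
    same IP (same infrastructure, possibly a new path), otherwise 'clean'."""
    parts = urlsplit(url.strip())
    if parts.hostname != C2_HOST:
        return "clean"
    return "ioc_url" if parts.path == C2_PATH else "ioc_host"


def scan_proxy_log(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Parse 'timestamp client method url status' lines (constructed format) and
    return (client, url, verdict) for every request that touches the C2 host."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue  # skip malformed lines rather than crash on them
        client, url = fields[1], fields[3]
        verdict = classify_request(url)
        if verdict != "clean":
            hits.append((client, url, verdict))
    return hits


def find_encrypted_files(paths: Iterable[str]) -> List[str]:
    """Return paths carrying the .mallox suffix the sample appends (any case)."""
    return [p for p in paths if p.lower().endswith(ENCRYPTED_SUFFIX)]


# Constructed sample data (not from the report)
SAMPLE_PROXY_LOG = [
    "2024-06-01T10:00:01Z 10.0.0.5 GET http://91.215.85.142/QWEwqdsvsf/ap.php 200",
    "2024-06-01T10:00:02Z 10.0.0.5 POST http://91.215.85.142/QWEwqdsvsf/ap.php 200",
    "2024-06-01T10:00:03Z 10.0.0.7 GET http://91.215.85.142/other/path 404",
    "2024-06-01T10:00:04Z 10.0.0.9 GET http://example.com/index.html 200",
    "malformed line",
]
SAMPLE_FILE_LISTING = [
    r"D:\share\report.docx.mallox",
    r"D:\share\notes.txt",
    r"D:\share\Q1.xlsx.MALLOX",
]

if __name__ == "__main__":
    for client, url, verdict in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{client} -> {url}: {verdict}")
    print("encrypted files:", find_encrypted_files(SAMPLE_FILE_LISTING))
    print("known sample:", is_known_sample(b"not the sample"))
```

The host-level verdict matters in practice: a change of URL path on the same server is a cheap move for an operator, so a responder should treat any request to the indicator's IP as worth a look, not only the exact path.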

Solutions

Ransomware Prevention Strategies

Do not expose services on external networks. If this is unavoidable, use strong passwords.

Do not open suspicious or unexpected emails, especially the links and attachments in them.

Use antivirus software to scan any unknown file before opening it, if you must open it at all.

Install antivirus software, perform regular system scans, remove detected threats, and install updates and patches regularly.

Download products via official and verified channels, and activate and update them using the tools or functions provided by the official developer. Illegal activation tools and third-party downloaders are not recommended, as they are often used to distribute malicious content.

Implement a dual backup strategy for important data, or back it up in the cloud.
