Analysis of Mallox Ransomware
Introduction
Sangfor FarSight Labs recently captured a new variant of the Mallox ransomware strain that uses complex control-flow obfuscation techniques to alter its binary signature and evade static analysis by security software.
The new variant enables attackers to break into systems and collect information by cracking weak SQL Server passwords. The attackers then install remote desktop software, such as AnyDesk, to take control of the system and execute the double-extortion ransomware, which exfiltrates system files, encrypts files (appending the .mallox extension), and then displays the following message.
According to the Mallox data exfiltration blog, researchers have observed an uptick in Mallox ransomware activity since March of this year.
Behavior Analysis
Avoidance of static analysis
To evade static analysis by security software, the ransomware sample uses control-flow obfuscation: it inserts a number of meaningless jump blocks between instruction snippets, each of which transfers control to a pre-calculated address via a JMP instruction. During dynamic debugging, the obfuscated snippets can be stepped over with a runtime script built using the scripting facility the debugger provides.
Preparation for file encryption
Creates an event object named 89A72EF01 for synchronization, to prevent files from being encrypted multiple times.
Loads powrprof.dll and sets the power plan to High Performance mode (GUID 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c) by calling the PowerSetActiveScheme function.
Enables the SeTakeOwnershipPrivilege and SeDebugPrivilege privileges for its process by calling the OpenProcessToken and AdjustTokenPrivileges functions.
Creates a window and calls the ShutdownBlockReasonCreate function to display the following message when users try to shut down their computers: Do NOT shut down OR reboot your PC: this might damage your files permanently!
Removes the Shut down, Restart, and Sign out options from the Start menu by configuring the following registry entries: SOFTWARE\Microsoft\PolicyManager\default\Start\HideShutDown, SOFTWARE\Microsoft\PolicyManager\default\Start\HideRestart, and SOFTWARE\Microsoft\PolicyManager\default\Start\HideSignOut.
Disables User Account Control (UAC) authentication by configuring the following registry entry: SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System.
Calls CMD to disable recovery mode by running the following commands: bcdedit /set {current} bootstatuspolicy ignoreallfailures and bcdedit /set {current} recoveryenabled no.
Launches vssadmin to delete volume shadow copies by running the following command: C:\Windows\sysnative\vssadmin.exe delete shadows /all /quiet.
Disables services that may interfere with its encryption activity.
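As an added detection example (not code from the Sangfor report), the following Python scans constructed, simplified process-creation records for the bcdedit, vssadmin and Start-menu policy indicators listed above and flags a parent process that produced two or more of them; the log format, host names and pids are assumptions.

```python
import re
from collections import defaultdict

# Command-line patterns for the pre-encryption steps listed above (matched case-insensitively).
# Registry writes made via the Win32 API leave no process-creation record, so the last rule needs reg.exe or registry-event telemetry.
RULES = {
    "bcdedit_ignore_boot_failures": re.compile(r"bcdedit.*bootstatuspolicy\s+ignoreallfailures", re.I),
    "bcdedit_disable_recovery": re.compile(r"bcdedit.*recoveryenabled\s+no\b", re.I),
    "vssadmin_delete_all_shadows": re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows\s+/all", re.I),
    "start_menu_hide_policy": re.compile(r"PolicyManager\\default\\Start\\Hide(ShutDown|Restart|SignOut)", re.I),
}

# Constructed, simplified process-creation records (not real telemetry): WS01 shows the
# Mallox preparation sequence under one parent pid, WS02 shows routine admin commands.
SAMPLE_LOG = r"""
2024-05-01T08:12:01 host=WS01 ppid=4120 image=C:\Windows\System32\cmd.exe cmdline="cmd /c bcdedit /set {current} bootstatuspolicy ignoreallfailures"
2024-05-01T08:12:01 host=WS01 ppid=4120 image=C:\Windows\System32\cmd.exe cmdline="cmd /c bcdedit /set {current} recoveryenabled no"
2024-05-01T08:12:02 host=WS01 ppid=4120 image=C:\Windows\sysnative\vssadmin.exe cmdline="C:\Windows\sysnative\vssadmin.exe delete shadows /all /quiet"
2024-05-01T08:12:03 host=WS01 ppid=4120 image=C:\Windows\System32\reg.exe cmdline="reg add HKLM\SOFTWARE\Microsoft\PolicyManager\default\Start\HideShutDown /v value /t REG_DWORD /d 1 /f"
2024-05-01T09:30:00 host=WS02 ppid=880 image=C:\Windows\System32\vssadmin.exe cmdline="vssadmin list shadows"
2024-05-01T09:31:00 host=WS02 ppid=880 image=C:\Windows\System32\bcdedit.exe cmdline="bcdedit /enum"
"""

LINE_RE = re.compile(r'^(\S+) host=(\S+) ppid=(\d+) image=(\S+) cmdline="(.*)"$')

def parse_line(line):
    """Return (timestamp, host, parent_pid, image, cmdline), or None if the line does not parse."""
    m = LINE_RE.match(line.strip())
    return m.groups() if m else None

def scan(log_text):
    """Group matched rule names by (host, parent pid) so one spawning process is judged as a unit."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        _ts, host, ppid, _image, cmdline = rec
        for name, pattern in RULES.items():
            if pattern.search(cmdline):
                hits[(host, ppid)].add(name)
    return hits

def suspicious_parents(hits, min_rules=2):
    """Flag parents with at least `min_rules` distinct indicators; a lone bcdedit or vssadmin call is ordinary administration."""
    return sorted(key for key, names in hits.items() if len(names) >= min_rules)

if __name__ == "__main__":
    for host, ppid in suspicious_parents(scan(SAMPLE_LOG)):
        print(f"{host}: parent pid {ppid} ran several Mallox-style pre-encryption steps")
```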
System file encryption
Once the ransomware sample completes the preceding operations, it starts its encryption module, which calls the GetLogicalDrives function to enumerate all drives in the system, the FindFirstFile function to enumerate all files, and the Microsoft Crypt functions to encrypt them.
The files in the following directories are not encrypted. The following files are not encrypted.
The files with the following extensions are not encrypted.
Indicators of Compromise (IOCs)
URL
http://91.215.85.142/QWEwqdsvsf/ap.php
Hash
1C459E171A2FB806F4D284B954D221D9
Solutions
Ransomware Prevention Strategies
Do not expose services to an external network. If this is unavoidable, use strong passwords.
Do not open suspicious or unexpected emails, especially the links and attachments in them.
Use antivirus software to scan an unknown file before opening it (if you have to do so).
Install antivirus software, perform regular system scans, remove detected threats, and regularly install updates and patches.
Download products via official and verified channels, and activate and update products using tools or functions provided by the official developer. Illegal activation tools and third-party downloaders are not recommended, as they are often used to distribute malicious content.
Implement a dual backup strategy for important data or back it up in the cloud.