
Mallox Ransomware Employs a Fresh Infection Tactic


A modified version of the Mallox ransomware has been discovered by researchers at Cyble Research and Intelligence Labs (CRIL). This new variation appends the “.malox” file extension to encrypted files, instead of the previous “.mallox” extension. However, the change in file extension is not the only update to this ransomware variant.

Unlike the previous version, which required a downloader to fetch the ransomware payload from a remote server, this new variant embeds the payload within a batch script and injects it into “MSBuild.exe” without saving it on the disk. This new infection methodology is similar to the distribution of Remote Access Trojans (RATs) and stealers, employing a technique known as BatLoader.

The initial infection occurs when users click on an attachment in a spam email. The attachment can either be an executable file that downloads BatLoader from a remote server or contain BatLoader directly. The batch script used in this case is obfuscated, using randomly defined variables to execute commands.

According to the CRIL report, this new method eliminates the need for a downloader to retrieve the ransomware payload, making it more difficult to detect and remove. The batch script dynamically loads the Mallox ransomware program and injects it into MSBuild.exe, allowing the ransomware to run within the program, further enhancing its ability to evade detection.

The impact of the Mallox ransomware has been significant, with over 20 publicly disclosed victims across more than 15 countries. India has been the most targeted nation, followed by the United States. The majority of victims are in the Manufacturing, Energy & Utilities, IT & ITES, and Professional Services sectors.

To strengthen defenses against ransomware attacks, the CRIL report recommends regularly backing up data and keeping offline or separate network backups. Enabling automatic software updates and utilizing reputable antivirus and internet security software on all connected devices is also advised. Additionally, caution should be exercised when opening untrusted links and email attachments, verifying their authenticity before proceeding.

In the event that systems are already infected with ransomware, the security team should disconnect infected devices from the network and any external storage devices connected to them. System logs should also be reviewed for any suspicious events.
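The following is an added example, not code from the article or from CRIL's report, of what the recommended log review can look like in practice for the infection chain described above (a batch script launching MSBuild.exe as an injection host, and files being renamed with the ".malox"/".mallox" extension). The event records are constructed for illustration and loosely follow Sysmon process-creation and file-event fields; the field names, the assumption that the batch script's parent shows up as cmd.exe, and the "no project file on the MSBuild command line" heuristic are all assumptions of this example rather than facts from the page.

```python
"""
Added triage example (not from the article or CRIL's report): scan
constructed endpoint events for the behaviours the article describes.
"""
import re
from typing import Dict, Iterable, List

# Extensions the article says Mallox appends: ".malox" (new), ".mallox" (old).
RANSOM_EXTENSIONS = {".malox", ".mallox"}

# Constructed sample events, loosely modelled on Sysmon process-creation
# (ID 1) and file-creation (ID 11) records. Illustrative, not real telemetry.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 1001,
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "cmdline": r"MSBuild.exe C:\src\app\app.csproj /t:Build",
     "parent_image": r"C:\Program Files\dotnet\dotnet.exe",
     "parent_cmdline": "dotnet build"},
    {"type": "process", "pid": 1002,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "cmdline": "MSBuild.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "parent_cmdline": r'cmd.exe /c "C:\Users\alice\Downloads\invoice.bat"'},
    {"type": "process", "pid": 1003,
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "parent_cmdline": "explorer.exe"},
    {"type": "file", "pid": 1002,
     "target": r"C:\Users\alice\Documents\budget.xlsx.malox"},
    {"type": "file", "pid": 1001,
     "target": r"C:\src\app\bin\app.dll"},
]


def _name(path: str) -> str:
    """Last path component, lower-cased; handles Windows paths on any host."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def _ext(path: str) -> str:
    """Lower-cased extension of the last path component ('' if none)."""
    name = _name(path)
    return name[name.rfind("."):] if "." in name else ""


def msbuild_from_batch(ev: Dict) -> bool:
    """MSBuild.exe whose parent is cmd.exe running a .bat/.cmd script.
    Assumption: the batch script's interpreter appears as the direct parent."""
    if ev.get("type") != "process":
        return False
    parent_cmd = ev.get("parent_cmdline", "").lower()
    return (_name(ev.get("image", "")) == "msbuild.exe"
            and _name(ev.get("parent_image", "")) == "cmd.exe"
            and re.search(r"\.(bat|cmd)\b", parent_cmd) is not None)


def msbuild_without_project(ev: Dict) -> bool:
    """MSBuild.exe started with no project/solution file on its command line.
    A real build almost always names a .*proj or .sln; a process used only as
    an injection host does not need one. Heuristic, so expect benign hits."""
    if ev.get("type") != "process":
        return False
    cmd = ev.get("cmdline", "").lower()
    return (_name(ev.get("image", "")) == "msbuild.exe"
            and re.search(r"\.(\w*proj|sln)\b", cmd) is None)


def ransom_extension(ev: Dict) -> bool:
    """File event whose target carries one of the Mallox extensions."""
    return ev.get("type") == "file" and _ext(ev.get("target", "")) in RANSOM_EXTENSIONS


def triage(events: Iterable[Dict]) -> List[Dict]:
    """Return one finding per (event, matched rule), keyed by pid and reason."""
    rules = [
        ("msbuild_spawned_by_batch", msbuild_from_batch),
        ("msbuild_no_project_file", msbuild_without_project),
        ("mallox_extension_written", ransom_extension),
    ]
    findings = []
    for ev in events:
        for reason, check in rules:
            if check(ev):
                findings.append({"pid": ev.get("pid"), "reason": reason})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"pid={f['pid']:<6} {f['reason']}")
```

Run against the constructed events, only the MSBuild.exe instance spawned from the batch file (pid 1002) is flagged, on all three rules; the legitimate build under dotnet.exe with a .csproj argument is left alone. Correlating the process finding with the file-extension finding on the same pid is what turns two weak signals into a strong one, and that correlation by pid is the check worth keeping when the rules are ported to a real SIEM query.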

The discovery of this modified version of the Mallox ransomware serves as a reminder of the ever-evolving nature of cyber threats. Cybersecurity measures must continually adapt to keep pace with these evolving threats to effectively protect against ransomware attacks. By following the recommended best practices and remaining vigilant, organizations can mitigate the risk of falling victim to ransomware attacks.
