A modified version of the Mallox ransomware has been discovered by researchers at Cyble Research and Intelligence Labs (CRIL). This new variation appends the “.malox” file extension to encrypted files, instead of the previous “.mallox” extension. However, the change in file extension is not the only update to this ransomware variant.
Unlike the previous version, which relied on a separate downloader to fetch the ransomware payload from a remote server, the new variant carries the payload inside a batch script and injects it into MSBuild.exe, so the ransomware executable is never written to disk. This infection chain mirrors the way Remote Access Trojans (RATs) and stealers are delivered through BatLoader, a batch-script-based loader.
The initial infection occurs when a user opens an attachment in a spam email. The attachment is either an executable that downloads BatLoader from a remote server or a file that contains BatLoader directly. The batch script is obfuscated: the commands it runs are assembled at execution time from randomly named variables rather than appearing in the file as readable strings.
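The obfuscation described above (commands split across randomly named variables, reassembled by cmd.exe's percent expansion) can be undone statically by replaying the script's own `set` lines. The following Python deobfuscator is an added example, not code from the CRIL report or from the Mallox/BatLoader script; the batch sample it parses is constructed for illustration (the variable names, the `stage2.bat` file name and the resolved command are invented) and only imitates the style the article describes. It handles plain `%var%` expansion, cmd's `%var:~start,len%` substring syntax, and caret (`^`) escaping, which are the three tricks most batch obfuscators rely on; `set /a`, `set /p` and delayed `!var!` expansion are out of scope.

```python
import re

# Constructed sample in the style the article describes (commands assembled from
# randomly named variables). It is NOT the real Mallox/BatLoader script; the
# variable names, the file name stage2.bat and the command are illustrative.
SAMPLE_BAT = """@echo off
rem decoy comment, ignored by the parser
set Zq8=MSB
set "Hk1=uild.exe"
set Wx3=%Zq8%%Hk1%
set Jf7=abcde-nologo-xyz
set Pm2=%Jf7:~5,7%
st^art %Wx3% %Pm2% %NotDefined%stage2.bat
"""

# %name%, %name:~start% and %name:~start,len% (cmd substring expansion)
_VAR_RE = re.compile(r"%([^%:~]+)(?::~(-?\d+)(?:,(-?\d+))?)?%")
# set NAME=VALUE  or  set "NAME=VALUE"  (optionally prefixed with @)
_SET_RE = re.compile(r'^@?\s*set\s+(?:"([^=]+)=(.*)"|([^=]+)=(.*))\s*$', re.IGNORECASE)


def _substr(value, start, length):
    """Mimic cmd.exe %var:~start,len% semantics, including negative offsets."""
    n = len(value)
    s = start if start >= 0 else max(n + start, 0)
    if length is None:
        return value[s:]
    if length >= 0:
        return value[s:s + length]
    return value[s:n + length]


def expand(text, env):
    """Percent-expand one line against the variables defined so far.
    Undefined variables expand to an empty string, as they do in a .bat file."""
    def repl(m):
        name, start, length = m.groups()
        value = env.get(name.lower(), "")
        if start is None:
            return value
        return _substr(value, int(start), None if length is None else int(length))
    return _VAR_RE.sub(repl, text)


def strip_carets(text):
    """cmd's escape character ^ is consumed at parse time, so p^ow^er -> power."""
    return re.sub(r"\^(.)", lambda m: m.group(1), text)


def deobfuscate_batch(script):
    """Walk the script top to bottom the way cmd.exe does (immediate percent
    expansion, no delayed !var! expansion), recording variables as they are
    defined and returning the fully resolved non-'set' command lines."""
    env, commands = {}, []
    for raw in script.splitlines():
        line = raw.strip()
        if not line or line.lower().startswith(("rem ", "::", "@echo off")):
            continue
        m = _SET_RE.match(line)
        if m:
            quoted = m.group(1) is not None
            name = (m.group(1) if quoted else m.group(3)).strip()
            value = m.group(2) if quoted else m.group(4)
            env[name.lower()] = strip_carets(expand(value, env))
            continue
        commands.append(strip_carets(expand(line, env)))
    return env, commands


if __name__ == "__main__":
    env, cmds = deobfuscate_batch(SAMPLE_BAT)
    for name, value in env.items():
        print(f"{name} = {value!r}")
    print("resolved:", cmds)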
According to the CRIL report, dropping the separate downloader stage removes both a network fetch and a file write that defenders could otherwise observe, which makes the infection harder to detect and remove. The batch script loads the Mallox ransomware from its own contents and injects it into MSBuild.exe, a legitimate Microsoft-signed build tool, so the ransomware runs inside a trusted process and file-based scanning never sees the payload on disk.
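Because the payload never touches disk, file scanning is the wrong place to look; process-creation telemetry still records MSBuild.exe being started by a script host, and that is where a hunt can catch this chain. The logic below is an added example written for this article, not a detection published by CRIL, and the Sysmon-style events it runs over are constructed (the user name, paths and `invoice_2023.bat` are invented). It deliberately combines two signals, MSBuild.exe launched with nothing to build and a scripting host as its parent, because either one alone is routine on developer machines and build agents.

```python
import re

# Constructed Sysmon-style process-creation events (Event ID 1 field names).
# These are NOT real telemetry from the Mallox campaign; paths and names are
# invented to show the shapes a hunt has to tell apart.
SAMPLE_EVENTS = [
    {   # 1: developer building a project from Visual Studio -> benign
        "id": 1,
        "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
        "CommandLine": r'MSBuild.exe "C:\src\app\app.csproj" /t:Build',
        "ParentImage": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
        "ParentCommandLine": r'"devenv.exe" C:\src\app\app.sln',
    },
    {   # 2: batch file in a Temp folder starts MSBuild with no build input
        "id": 2,
        "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
        "CommandLine": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "ParentCommandLine": r'cmd.exe /c "C:\Users\alice\AppData\Local\Temp\invoice_2023.bat"',
    },
    {   # 3: unrelated process -> ignored
        "id": 3,
        "Image": r"C:\Windows\System32\notepad.exe",
        "CommandLine": r"notepad.exe C:\Users\alice\notes.txt",
        "ParentImage": r"C:\Windows\explorer.exe",
        "ParentCommandLine": r"C:\Windows\explorer.exe",
    },
    {   # 4: CI build script runs MSBuild on a real project -> noisy but benign
        "id": 4,
        "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
        "CommandLine": r"MSBuild.exe C:\build\agent\app.csproj /p:Configuration=Release",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "ParentCommandLine": r"cmd.exe /c C:\build\agent\build.bat",
    },
]

BUILD_INPUT_RE = re.compile(r"\.(?:sln|proj|csproj|vbproj|fsproj|vcxproj|targets|props)\b", re.IGNORECASE)
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
USER_WRITABLE_RE = re.compile(r"\\(?:AppData|Temp|Downloads|Users\\Public|ProgramData)\\", re.IGNORECASE)
BATCH_FILE_RE = re.compile(r"\.(?:bat|cmd)\b", re.IGNORECASE)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def triage(event):
    """Return the indicators present on one MSBuild.exe process-creation event."""
    reasons = []
    if basename(event.get("Image", "")) != "msbuild.exe":
        return reasons
    if not BUILD_INPUT_RE.search(event.get("CommandLine", "")):
        reasons.append("msbuild_without_build_input")
    parent = basename(event.get("ParentImage", ""))
    if parent in SCRIPT_HOSTS:
        reasons.append("parent_is_script_host:" + parent)
    parent_cmd = event.get("ParentCommandLine", "")
    if BATCH_FILE_RE.search(parent_cmd):
        reasons.append("parent_ran_batch_file")
    if USER_WRITABLE_RE.search(parent_cmd):
        reasons.append("batch_in_user_writable_path")
    return reasons


def is_suspicious(event):
    """MSBuild given nothing to build is only interesting when a script host
    launched it; either signal alone is common on build agents."""
    reasons = triage(event)
    return "msbuild_without_build_input" in reasons and len(reasons) >= 2


def hunt(events):
    return [(e["id"], triage(e)) for e in events if is_suspicious(e)]


if __name__ == "__main__":
    for event_id, reasons in hunt(SAMPLE_EVENTS):
        print(f"event {event_id}: {', '.join(reasons)}")
```

In production the same function would be fed Sysmon Event ID 1 or EDR process-creation records rather than the embedded list. Note that MSBuild.exe run with no arguments is legitimate when the working directory holds a project file, which is why the rule refuses to alert on that signal by itself. Since the article's chain ends with code injected into MSBuild.exe, Sysmon Event ID 8 (CreateRemoteThread) and Event ID 10 (ProcessAccess) with MSBuild.exe as the target are the natural events to correlate with a hit from this hunt.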
The impact of the Mallox ransomware has been significant, with over 20 publicly disclosed victims from over 15 countries. India has been the most targeted nation, followed by the United States. The majority of victims belong to the Manufacturing, Energy & Utilities sectors, IT & ITES, and Professional Services Industries.
To strengthen defenses against ransomware attacks, the CRIL report recommends backing up data regularly and keeping the backups offline or on a separate, isolated network segment that ransomware on the production network cannot reach. It also advises enabling automatic software updates and running reputable antivirus and internet security software on all connected devices. Finally, untrusted links and email attachments should be opened only after their authenticity has been verified.
If systems are already infected with ransomware, the security team should disconnect the affected devices from the network and detach any external storage connected to them, to keep the encryption from spreading. System logs should then be reviewed for suspicious events, including the process chain through which the payload was launched.
The discovery of this modified version of the Mallox ransomware serves as a reminder of the ever-evolving nature of cyber threats. Cybersecurity measures must continually adapt to keep pace with these evolving threats to effectively protect against ransomware attacks. By following the recommended best practices and remaining vigilant, organizations can mitigate the risk of falling victim to ransomware attacks.