The Mallox ransomware group has recently shifted its focus towards VMware ESXi environments with a new Linux variant that uses a custom technique to deliver and execute its payload only on machines where it holds elevated privileges. The tactic was uncovered by cybersecurity researchers at Trend Micro, who track Mallox under the alias TargetCompany. According to a blog post published on June 5, the variant checks whether the target system is running VMware ESXi and whether it has administrative rights before starting an attack.
First seen in June 2021, Mallox, also known as Fargo and Tohnichi, claims to have infected numerous organizations across the globe in sectors including manufacturing, retail, wholesale, legal, and professional services. According to Trend Micro’s findings, the group has been especially active this year in countries such as Taiwan, India, Thailand, and South Korea.
The custom shell script in the newly identified Linux variant marks a significant step for Mallox: it is a departure from the group’s conventional methods, intended to cause greater disruption and improve the chances of a successful ransom payout. The variant’s operator, a Mallox affiliate known as “vampire,” also suggests the group is involved in broader campaigns with large ransom demands and extensive targeting of IT systems, as highlighted by Trend Micro researchers Darrel Tristan Virtusio, Nathaniel Morales, and Cj Arsley Mateo.
The use of a custom shell script underscores Mallox’s continued move towards more sophisticated techniques, and illustrates a wider trend among ransomware groups of extending their reach into critical Linux environments. Besides delivery and execution, the script also exfiltrates victim information to two separate servers, ensuring that the ransomware operators keep a backup copy of the stolen data. Mallox regularly publishes data stolen in its attacks on a leak site of the same name.
On execution, the latest variant first checks whether the executable is running with administrative rights; if not, it stops immediately. It then generates a text file named “TargetInfo.txt” containing victim information and sends it to a command-and-control (C2) server, mirroring the behavior of the Windows version of Mallox ransomware.
The binary then checks whether the machine is running VMware ESXi by comparing the system name against “vmkernel,” an indicator of VMware’s ESXi hypervisor. If that check passes, the encryption routine runs, locking data with the extension “.locked” and dropping a ransom note named “HOW TO DECRYPT.txt”. Both the extension and the ransom note name differ from the Windows variant, as outlined by the researchers.
The custom shell script not only downloads and executes the payload but also exfiltrates data to a second server. After the ransomware has run, the script reads the contents of the dropped text file and uploads them to another URL. Sending victim information to two separate servers gives the operators redundancy and a fallback in case one server becomes unavailable or is taken down.
Once the ransomware has finished, the script deletes the TargetCompany payload, making it harder for defenders to determine the full extent of the attack and hindering investigation and incident response.
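Because the payload removes itself, responders are often left with only the on-disk artefacts named above (the “TargetInfo.txt” profile file, the “.locked” extension and the “HOW TO DECRYPT.txt” note). The following triage script is an added example, not code from Trend Micro or the article, that walks a directory tree for those three artefacts and ranks directories by how many encrypted files they hold; the datastore layout and file names it builds as input are constructed for illustration.

```python
# Triage helper for the Linux Mallox/TargetCompany artefacts described above.
# Added example, not Trend Micro's or the group's code; the directory layout and
# file names used as sample input are constructed for illustration.
import os
import tempfile
from collections import Counter

RANSOM_NOTE = "HOW TO DECRYPT.txt"   # ransom note name reported for the Linux variant
LOCKED_EXT = ".locked"               # extension appended to encrypted files
VICTIM_INFO = "TargetInfo.txt"       # victim-profile file written before exfiltration

def scan_tree(root):
    """Walk `root` and collect the three artefacts into a findings dict."""
    findings = {"ransom_notes": [], "victim_info": [], "locked_per_dir": Counter()}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name == RANSOM_NOTE:
                findings["ransom_notes"].append(os.path.join(dirpath, name))
            elif name == VICTIM_INFO:
                findings["victim_info"].append(os.path.join(dirpath, name))
            elif name.endswith(LOCKED_EXT):
                findings["locked_per_dir"][dirpath] += 1
    return findings

def hot_directories(findings, min_locked=2):
    """Directories holding at least `min_locked` encrypted files, worst first."""
    return [d for d, n in findings["locked_per_dir"].most_common() if n >= min_locked]

def build_sample(root):
    """Constructed input: one encrypted VM folder, one untouched one, a victim-info file."""
    hit = os.path.join(root, "vmfs", "volumes", "datastore1", "web01")
    clean = os.path.join(root, "vmfs", "volumes", "datastore2", "db01")
    os.makedirs(hit)
    os.makedirs(clean)
    for name in ("web01.vmdk.locked", "web01.vmx.locked", "web01.nvram.locked", RANSOM_NOTE):
        open(os.path.join(hit, name), "w").close()
    open(os.path.join(clean, "db01.vmdk"), "w").close()   # datastore2 was never touched
    open(os.path.join(root, VICTIM_INFO), "w").close()    # profile file left at the top level

def demo():
    """Build the sample tree in a temp dir, scan it, return findings as relative paths."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        f = scan_tree(tmp)
        rel = lambda p: os.path.relpath(p, tmp)
        return {"ransom_notes": [rel(p) for p in f["ransom_notes"]],
                "victim_info": [rel(p) for p in f["victim_info"]],
                "locked_total": sum(f["locked_per_dir"].values()),
                "hot": [rel(d) for d in hot_directories(f)]}
```

Point `scan_tree` at a mounted datastore or a forensic image instead of `demo`'s temporary tree; the `.locked` count per directory is what tells you which VM folders were reached before the payload deleted itself.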
With Mallox now actively expanding its attacks to Linux environments running VMware ESXi, organizations in that category should be on heightened alert. To counter ransomware attempts and protect organizational assets, the researchers recommend implementing established cybersecurity measures.
Recommendations include enforcing multifactor authentication (MFA) to impede lateral movement by attackers, following the “3-2-1 rule” for backing up essential files, and patching and updating systems regularly so that known software vulnerabilities cannot be exploited. By consistently following these best practices, organizations can strengthen their defenses against the evolving threat posed by ransomware groups like Mallox.
