Mallox Ransomware: Linux Variant Decryptor Found

Overview

Mallox ransomware, which is also known as Fargo, TargetCompany, Mawahelper, and so on, has been active since mid-2021. Their operation was also observed in transitioning into the Ransomware-as-a-Service distribution model from mid-2022.

Mallox group focuses on multi-extortion, encrypting their victims’ data and threatening to post it on their public TOR-based sites.

At initial versions, Mallox payloads are usually .NET-based, .EXE, or .DLL files which were spread through various methods, including exposed MS-SQL servers and phishing or spam emails to target Windows systems.

Now, the new Mallox ransomware Linux variants have been found in the wild. The attackers are using custom python scripts for the purpose of payload delivery and victim's information exfiltration. The malware encrypts user data and appends .locked extension to the encrypted files.

Figure 1: Mallox ransomware diamond model

Technical Analysis

The Uptycs Threat Research team discovered a Python script named web_server.py during their investigation. Upon examining its contents and functions, it was identified as The Flask based Mallox ransomware web panel that can be used to create a fast and customizable ransomware for linux systems. The script connects to a backend database using environment variables for database credentials. It includes routes for user authentication, build management, and admin functions, supporting new user registration, login, password reset, and ransomware build creation, management, and downloading. Admins can manage users, view logs, and perform account actions. Additionally, the application features user profile management, a chat interface for builds, and a custom 404 error page.

Figure 2-Jul-03-2024-11-58-47-0139-AM Figure 2: Web_Server.py script contents

The script (web_server.py) essentially creates a Mallox ransomware encryptor along with a decryptor for any user who registers. It contains an IP address: 185[.]73[.]125[.]6 in the host IP field. This ip is mainly used by someone to build newly linux ransomware builder for Mallox based on used config file, latter can be used for encrypt the system Following that 185[.]73[.]125[.]6/output reveals the following contents:

Figure 3-Jul-03-2024-12-25-36-0581-PM Figure 3: Index of /output

The above screenshot displays build IDs, and opening any of the links reveals the encryptor, decryptor, and config.json files.

Figure 4-Jul-03-2024-12-28-06-1511-PM Figure 4: Index of /output/{build-id}

Encryptor

Let's discuss the Ransomware Encryptor. Upon examining the strings of the sample, we notice a base64-encoded content that appears not to be standard base64.

Figure 5-Jul-03-2024-11-58-47-8591-AM Figure 5: Encrypted config

The above base64 content is converted to hex and then xor with 0x9b (155 decimal) and then AES-256-CBC decryption with "iv": "/4EvHTiTUuIMrzjYSpnVLQ==", "key": "Byw184x2xrm0qF7sR7fptq1F/96GeD2TAYwbZDSX9dM="

Figure 6-Jul-03-2024-12-35-01-8028-PM Figure 6: Decryption logic

After decrypting all the base-64 encoded content using the above logic, we obtained the ransomware configuration

Figure 7-4 Figure 7: Decrypted config

We can see the entire configuration below which includes ransom-note,Client ID,BTC Address,Amount (USD),Deadline, Tox chat ID,note_name,persist,target-id and targeted directories.

Figure 8-3 Figure 8: Ransomware Configuration

From the above configuration, it is evident that the payload is Mallox Ransomware. The ransomware uses the same AES-256 CBC encryption to encrypt files on the victim's machine (similar to decrypting the config), with 'iv': '/4EvHTiTUuIMrzjYSpnVLQ==' and 'key': 'Byw184x2xrm0qF7sR7fptq1F/96GeD2TAYwbZDSX9dM='. AES is a symmetric algorithm and for any encrypted file it can be decrypted with the same key and IV. After encryption the Ransomware appends extension .lmallox and drops a Ransomnote with name READ_THIS_NOW.txt

Figure 9-2 Figure 9: Ransom-note

Decryptor

Decryptor file is available on 185[.]73[.]125[.]6/output/{build-id}/decryptor for the corresponding encryptor. Uptycs Threat Research team has collected 7 decryptors for their corresponding encryptors for the following build-ids (chat-id):

1a2040656ec7ac34
7cc49d60f71e4ca4
84bb1f05ce370665
928bc7bf4d954d3d
b90ae4c6e011c45e
f6b040a56afcb6fb
F65bccf063ee3cc6

Uptycs XDR Coverage

Uptycs demonstrates robust detection capabilities, featuring built-in YARA support and advanced functionality for identifying such campaign activity threats with the detailed descriptions.

The Following Figure shows the Uptycs detection

Figure 10-2 Figure 10: Uptycs detection

Hunting for Mallox Infrastructure

Following graph show the how can we hunt for current mallox hosted server by performing following query on FOFA or Censys

fofa query: "http://mallox-2.example.com"
censys query: "http://mallox-2.example.com"

Figure 11-2 Figure 11: Hunting Mallox ransomware Infrastructure

Indicators of Compromise

Indicator Type	Indicators	File name
IP	185[.]73[.]125[.]6
IP	91[.]215[.]85[.]142
IP	91[.]215[.]85[.]135
MD5	3dde1507996cf8c3dd53a726501be33b	Webserver.py
MD5	b0770b7f24a436d256f2d58fc8581a18	decryptor
MD5	231478ff24055d5cdb5fbec36060c8ff	encryptor
MD5	51d51696c7f3a0e3fba4b8ceab210bac	decryptor
MD5	8d0fd41d35df82d3e7e2ff5c1747b87c	encryptor
MD5	e9e087c52b97c7a3e343642379829e0a	decryptor
MD5	68785d476573955d50a3908dc18bf73b	encryptor
MD5	cb60ad37c9a632c697fb2da7add7ccb5	decryptor
MD5	6bb2752ea73b4d6a5c33f543b5c29461	encryptor
MD5	1448ce8abc2f0184ec898d55f9c338b4	decryptor
MD5	5b0c1958a875c205951b88fd1c885900	encryptor
MD5	7f099845d8e6849d6ab4d64b546477d6	decryptor
MD5	4825f3a92780be4a285583b0f24fed99	encryptor
MD5	be08c3e95df5992903a69e04cbab22e3	decryptor
MD5	779aa15cd6a8d416e7f722331d87f47b	encryptor

Yara detection:

Yara Detection Code-1