Cybersecurity researchers at Cyble have discovered a new variant of the Mallox ransomware, also known as “TargetCompany”. The variant uses a different method of delivery and execution on target hosts and a changed scheme for naming encrypted files. Mallox has hit industries such as manufacturing, energy and utilities, IT and professional services particularly hard.
The infection chain begins with a malicious email attachment, which carries either the malicious executable itself or the Batloader downloader. Batloader then fetches Mallox from the attackers’ C2 server and installs it on the victim’s system together with several further scripts and malicious files.
Unlike earlier infection methods, the new version of Mallox embeds the loader payload in the batch script itself. The payload is then injected into “MSBuild.exe” without ever being written to disk.
The PowerShell script used by the attackers can terminate roughly 600 different processes that might interfere with the malware and stop around 200 system services. Once the environment has been cleared, the malware begins encrypting the victim’s data.
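The two behaviours described above give a defender something concrete to alert on even when the payload never touches disk: MSBuild.exe being started by a script host, and a burst of process or service termination commands issued from one parent. The following Python is an added example, not Cyble's code or anything from its report. The pipe-delimited record layout, the process names in the sample events and the threshold of 20 termination commands within 60 seconds are assumptions chosen for illustration, and the sample events are constructed rather than real telemetry.

```python
"""Two behavioural checks over constructed Windows process-creation records.

Record layout (hypothetical, constructed for this example):
    ts|pid|ppid|parent_image|image|command_line
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Script hosts that a batch/PowerShell loader would run under.
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}

# Command-line fragments that terminate processes or stop services.
KILL_RE = re.compile(
    r"\b(taskkill|stop-process|stop-service|sc(\.exe)?\s+stop|net(\.exe)?\s+stop)\b",
    re.IGNORECASE,
)


def parse_event(line):
    """Split one pipe-delimited record into a dict with typed fields."""
    ts, pid, ppid, parent, image, cmd = line.split("|", 5)
    return {
        "ts": datetime.fromisoformat(ts),
        "pid": int(pid),
        "ppid": int(ppid),
        "parent": parent.lower(),
        "image": image.lower(),
        "cmd": cmd,
    }


def msbuild_from_script_host(events):
    """Flag MSBuild.exe whose parent is a script host: the in-memory loader pattern.

    A legitimate build is normally started by an IDE or a build agent, so a
    parent of cmd.exe or powershell.exe is the anomaly worth alerting on.
    """
    return [
        e for e in events
        if e["image"].endswith("msbuild.exe") and e["parent"] in SCRIPT_HOSTS
    ]


def kill_bursts(events, threshold=20, window=timedelta(seconds=60)):
    """Return {parent_pid: max_count} for parents that issue at least
    `threshold` termination commands inside a sliding time window.

    A single 'net stop' from an admin never reaches the threshold; a script
    walking a list of hundreds of processes and services does within seconds.
    """
    by_parent = defaultdict(list)
    for e in events:
        if KILL_RE.search(e["cmd"]):
            by_parent[e["ppid"]].append(e["ts"])

    flagged = {}
    for ppid, times in by_parent.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[ppid] = max(flagged.get(ppid, 0), count)
    return flagged


def sample_events():
    """Constructed telemetry: one benign build, one suspicious build, one
    manual service stop, and a scripted burst of 25 taskkill calls."""
    base = datetime(2024, 1, 1, 12, 0, 0)
    lines = [
        f"{base.isoformat()}|4000|3000|devenv.exe|msbuild.exe|MSBuild.exe app.csproj",
        f"{(base + timedelta(minutes=5)).isoformat()}|5000|4500|cmd.exe|msbuild.exe|MSBuild.exe",
        f"{(base + timedelta(minutes=7)).isoformat()}|5100|2000|explorer.exe|net.exe|net stop spooler",
    ]
    for i in range(25):  # one powershell.exe parent (pid 6000) killing 25 processes in 25 s
        ts = base + timedelta(minutes=10, seconds=i)
        lines.append(f"{ts.isoformat()}|{6100 + i}|6000|powershell.exe|taskkill.exe|taskkill /F /IM proc{i}.exe")
    return [parse_event(line) for line in lines]


if __name__ == "__main__":
    evs = sample_events()
    for e in msbuild_from_script_host(evs):
        print(f"MSBuild from script host: pid={e['pid']} parent={e['parent']} cmd={e['cmd']!r}")
    for ppid, n in kill_bursts(evs).items():
        print(f"kill burst: parent pid {ppid} issued {n} termination commands")
```

Running the block against the constructed events flags only the MSBuild.exe started from cmd.exe and the powershell.exe parent behind the taskkill burst; the Visual Studio build and the lone manual `net stop` stay quiet. In a real deployment the thresholds should be tuned against your own baseline, and the parent-process check should be joined with command-line context (for example, MSBuild.exe run with no project file argument) to cut down on build-server noise.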
In earlier versions of Mallox, encrypted files were given an extension matching the name of the victim organization. In the new version the operators have returned to the generic “.Malox” or “.Mallox” extension, depending on the particular sample.
Once encryption is complete, the malware drops a ransom note named “File Recovery.txt” where the victim will see it.
The Mallox operators have publicly leaked stolen data from more than 20 companies in 15 different countries. India is the most targeted country, followed by the United States.
The introduction of new infection methods suggests that the cybercrime group behind Mallox is actively changing its TTPs to increase the stealth and effectiveness of its operations.
To reduce the risk of such attacks and the loss of important data, the researchers recommend running a reputable antivirus solution and only trusted software on all devices, applying software updates promptly, not opening untrusted links or email attachments, and regularly backing up important data.
Ransomware attacks remain among the most destructive threats to any business. Following recommended cybersecurity measures helps avoid the loss of valuable and confidential data and prevents financial and reputational damage.