Mallox ransomware, a multi-extortion threat active since mid-2021, has shifted to a Ransomware-as-a-Service model since mid-2022.
Initially targeting Windows systems with .NET, .EXE, or .DLL payloads, Mallox now includes Linux variants delivered via custom Python scripts, which infiltrate exposed MS-SQL servers or arrive via phishing emails to steal victim data and encrypt files with the “.locked” extension.
A Python script (web_server.py) acting as a Mallox ransomware control panel allows registered users to build custom ransomware for Linux systems.
The script utilizes a backend database with environment variables for credentials and offers functionalities like user management, login, build creation/download, and chat.
It includes a hardcoded IP address (185.73.125.6) that facilitates building ransomware based on user-provided configurations and generates downloadable folders containing the compiled ransomware executable, decryptor, and configuration file.
The analysis suggests that the ransomware uses a unique obfuscation method: the base64-encoded configuration string appears to be non-standard, and decrypting it takes three steps. First, the base64 string is converted to hexadecimal format; second, an XOR operation is applied with a fixed key (155 decimal); third, AES-256-CBC decryption with a predefined initialization vector (IV) and key recovers the ransomware's configuration.
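As an added example (not code from the Uptycs write-up or from the Mallox scripts), the following Go function reverses the three-step configuration wrapping described above, so an analyst can recover a config blob for triage. It assumes a standard base64 alphabet and that the XOR is applied to the decoded bytes; the key, IV and sample config are constructed placeholders, since the report does not publish the real config key and IV.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/base64"
	"errors"
)

const xorKey byte = 155 // fixed single-byte XOR key named in the analysis (0x9B)
// Constructed placeholders: the report does not publish the real config key/IV.
var demoKey, demoIV = []byte("0123456789abcdef0123456789abcdef"), []byte("fedcba9876543210")
// Constructed sample config, used to demonstrate the round trip.
var sampleConfig = []byte(`{"ext":".lmallox","note":"READ_THIS_NOW.txt"}`)

// DecodeConfig reverses the three layers: base64 -> raw bytes (displayed as hex) -> XOR 155 -> AES-256-CBC (PKCS#7).
func DecodeConfig(blob string, key, iv []byte) ([]byte, error) {
	ct, err := base64.StdEncoding.DecodeString(blob) // step 1 (standard alphabet assumed)
	if err != nil {
		return nil, err
	}
	for i := range ct { // step 2
		ct[i] ^= xorKey
	}
	block, err := aes.NewCipher(key)
	if err != nil || len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("bad key length or ciphertext not block aligned")
	}
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(ct, ct) // step 3
	pad := int(ct[len(ct)-1])
	if pad == 0 || pad > aes.BlockSize || !bytes.Equal(ct[len(ct)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return nil, errors.New("bad PKCS#7 padding: wrong key/IV or corrupted blob")
	}
	return ct[:len(ct)-pad], nil
}

// EncodeConfig applies the same layers forward; it exists only to build test fixtures.
func EncodeConfig(plain, key, iv []byte) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	pad := aes.BlockSize - len(plain)%aes.BlockSize
	buf := append(append([]byte{}, plain...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(buf, buf)
	for i := range buf {
		buf[i] ^= xorKey
	}
	return base64.StdEncoding.EncodeToString(buf), nil
}
```

A padding error from DecodeConfig is the usual sign that the key or IV is wrong for the sample in hand.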
The ransomware utilizes AES-256 CBC encryption, similar to the decryption process used on the configuration file itself.
Two key pieces of information for decryption are included: the initialization vector (iv) ‘/4EvHTiTUuIMrzjYSpnVLQ==’ and the key ‘Byw184x2xrm0qF7sR7fptq1F/96GeD2TAYwbZDSX9dM=’.
Since AES is a symmetric algorithm, this same key and IV can decrypt all encrypted files. Following encryption, Mallox appends the extension “.lmallox” to the affected files and drops a ransom note named “READ_THIS_NOW.txt”.
Uptycs Threat Research discovered a system where a decryptor file is available for download alongside its corresponding encryptor. The decryptor location follows a specific format: 185[.]73[.]125[.]6/output/{build-id}/decryptor, where {build-id} is a unique identifier.
The team identified and collected 7 decryptors for different encryptors, with corresponding build-ids listed: 1a2040656ec7ac34, 7cc49d60f71e4ca4, 84bb1f05ce370665, 928bc7bf4d954d3d, b90ae4c6e011c45e, f6b040a56afcb6fb, and F65bccf063ee3cc6.
This information suggests a potential centralized repository for decryptor tools associated with specific encryption malware variants.
An analysis of potential indicators of compromise (IOCs) revealed suspicious file names, IP addresses, and MD5 hashes, which originated from outside typical locations and could be linked to malicious activity.
The MD5 hashes are likely associated with malware executables, including potential encryptors and decryptors, suggesting a possible ransomware attack.