Key highlights
- The variant specifically checks if a targeted system is running in a VMWare ESXi environment and has administrative rights. If these requirements are not met, it won’t proceed with an attack.
- The Linux variant uses a custom shell script for payload delivery and execution, a departure from Mallox’s previous methods.
- The adversary behind this variant is a Mallox affiliate known as “vampire,” suggesting broader campaigns with high ransom demands and extensive IT system targeting.
- The custom shell also exfiltrates victim information to two different servers, ensuring the ransomware actors have a backup of the data.
The Mallox ransomware group
The Mallox ransomware organization is targeting VMware ESXi setups with a new Linux strain that uses a novel mechanism to transmit and execute its payload only on workstations with high-level user capabilities.
The variant, discovered by Trend Micro researchers who monitor Mallox as TargetCompany, specifically determines whether a targeted system is running in a VMware ESXi environment has administrative rights, and will not launch an attack if these conditions are not met.
Selective targeting and privileged environments
Mallox, also known as Fargo and Tohnichi, first appeared in June 2021 and claims to have infected hundreds of organizations worldwide. The group's targeted sectors include manufacturing, retail, wholesale, legal, and professional services. According to Trend Micro, the most active Mallox sites this year are in Taiwan, India, Thailand, and South Korea.
Custom Shell: Sophisticated attack
The Linux variation is the first time Mallox has been seen employing a customized shell script to deliver and execute ransomware on virtualized environments, indicating that the activity was likely intended to cause more disruption and, as a result, increase the chances of a ransom payment.
Also, the adversary responsible for wielding the variant is a Mallox affiliate known as "vampire," implying the group's involvement in "broader campaigns involving high ransom demands and expansive IT system targeting," Trend Micro's Darrel Tristan Virtusio, Nathaniel Morales, and Cj Arsley Mateo wrote in the post.
Implications
The usage of a customized shell also suggests that Mallox "has been continuously evolving to employ more sophisticated methods in its future attacks," the researchers wrote.
This freshly discovered Linux variant is consistent with the recent trend of ransomware gangs expanding their attacks to important Linux environments, potentially increasing the number of target victims.
On top of to delivery and execution, the unique shell sends the victim's information to two additional servers, allowing the ransomware perpetrators to have a backup. Mallox is reported to have used a leak site with the same name to reveal data obtained during ransomware assaults.
How does the Mallox variant work?
This current variant first examines a system to verify if the executable is executing with administrative privileges; if not, it will not continue its operation.
Following execution, the variation creates a text file named TargetInfo.txt that contains victim information and sends it to a command-and-control (C2) server, similar to the Windows version of Mallox ransomware.
The IP address used to steal this information and later execute the payload was not previously used by Mallox. According to the researchers, it is hosted by China Mobile Communications, a Chinese ISP, and was most likely hired by the threat actor for a brief period to host its malicious payload.
Data extraction strategies
The program also checks to see if the system name matches "vmkernel," indicating that the machine is running VMware's ESXi hypervisor. If that's the case, it uses its encryption process, attaching the ".locked" extension to encrypted files and dropping a ransom letter called HOW TO DECRYPT.txt. The researchers found that both the extension and the note deviate from the Windows variant.
The custom shell script used to download and execute the payload can also exfiltrate data to another server. When the ransomware completes its routine, it reads the contents of the dropped text file and uploads it to another URL.
The variation also exports victim information to two distinct sites, possibly "to improve redundancy and have a backup in case a server goes offline or is compromised," the researchers stated.
After the ransomware completes its routine, the script deletes the TargetCompany payload, making it even more difficult for security to determine the full impact of the attack, complicating investigation and incident response.
Linux ESXi environment: Careful of Cyberattacks
Mallox's clever expansion of its assault activities into Linux platforms running VMware ESXi necessitates more vigilance on the part of enterprises fitting this description, according to the researchers.
The researchers proposed that enterprises implement multifactor authentication (MFA) to prevent attackers from executing lateral movement within a network.
