Technical Blog: Dissecting Mallox Ransomware Deployment via MS-SQL Exploitation and Cryptomining
Summary
Mallox ransomware operators exploit vulnerabilities in MS-SQL and ODBC interfaces to gain initial access.
The threat actors deploy malicious batch scripts to execute ransomware and XMRig cryptominers.
Advanced fileless execution techniques, such as DLL injection and in-memory payload execution, are used to evade detection.
This blog details the multi-stage infection chain, focusing on the delivery of the PureCrypter loader and the XMRig cryptominer.
Mallox operates as a Ransomware-as-a-Service (RaaS): affiliates of the program conduct the intrusions, and the proceeds are then split between the affiliate and the operators.
This blog analyzes files uncovered within the client's environment, providing detailed insights into their behavior and impact.
Infection Chain Overview
Here is a clear breakdown of the Mallox ransomware infection chain:
Initial Access: Exploits vulnerabilities in MS-SQL/ODBC services → Executes PowerShell and batch files.
Payload Delivery: Batch files deploy wireguard2-3.bat.
In-Memory Execution: DLL injection loads payloads directly in memory.
PureCrypter Stage: Disguised as Nligmsnoy.png.bat, decrypts and executes follow-up components.
Defense Evasion: Windows Defender exclusions ensure stealth.
Command and Control: Malware communicates with C2 servers to receive further instructions and download cryptominer components.
Cryptomining Execution: XMRig runs, connecting to mining pools for cryptocurrency generation.
Malicious Files Observed:
All but good.exe are batch scripts. They were heavily obfuscated to hinder static analysis and signature-based detection.
- amisov.bat
- Nligmsnoy.png.bat
- TfTatticasupdatesr.bat
- TFTMettasx.bat
- wireguard2-5.bat
- Wireguard2-6.bat
- good.exe
1. Initial Access
The threat actors exploited vulnerabilities in publicly exposed MS-SQL servers and ODBC interfaces to gain initial access. Once inside, they executed PowerShell scripts and batch files to progress through the rest of the attack chain.
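The post does not say which MS-SQL weakness was abused, so the check below is generic. It is an added hunting script, not part of the original post or the incident tooling, that walks an MS-SQL ERRORLOG for two things a responder would want to confirm after this kind of initial access: a burst of failed logins from one client followed by a success for the same account, and risky server options such as xp_cmdshell being switched on. The ERRORLOG excerpt is constructed for the example; the option list and the spray threshold are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed MS-SQL ERRORLOG excerpt (not from the incident): five failed 'sa'
# logins from one client, then a success for 'sa' from the same client, then
# xp_cmdshell being enabled. The last line is background noise that must not fire.
SAMPLE_ERRORLOG = """\
2024-05-01 10:00:01.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.10]
2024-05-01 10:00:01.31 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.10]
2024-05-01 10:00:01.52 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.10]
2024-05-01 10:00:01.73 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.10]
2024-05-01 10:00:01.94 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.10]
2024-05-01 10:00:02.15 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.10]
2024-05-01 10:00:05.40 spid61      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-05-01 10:00:05.41 spid61      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-05-01 10:30:00.00 Logon       Login failed for user 'reporting'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.5]
"""

FAILED_RE = re.compile(r"Login failed for user '([^']+)'.*\[CLIENT: ([^\]]+)\]")
SUCCESS_RE = re.compile(r"Login succeeded for user '([^']+)'.*\[CLIENT: ([^\]]+)\]")
CONFIG_RE = re.compile(r"Configuration option '([^']+)' changed from (\d+) to (\d+)")

# Server options that turn a SQL login into OS code execution or lateral
# movement. Assumed list for this example; extend it to taste.
RISKY_OPTIONS = {"xp_cmdshell", "Ole Automation Procedures", "clr enabled",
                 "Ad Hoc Distributed Queries"}


def hunt_errorlog(text, spray_threshold=5):
    """Return (kind, detail, extra) findings.

    Failed logins are counted per (client, user); a later success for the same
    pair upgrades the finding to 'bruteforce_then_success'. Risky options are
    reported whenever they are switched on (value changed to 1).
    """
    failures = Counter()
    successes = defaultdict(set)
    findings = []
    for line in text.splitlines():
        stamp = line[:22]  # 'YYYY-MM-DD HH:MM:SS.ss'
        m = FAILED_RE.search(line)
        if m:
            failures[(m.group(2), m.group(1))] += 1
            continue
        m = SUCCESS_RE.search(line)
        if m:
            successes[(m.group(2), m.group(1))].add(stamp)
            continue
        m = CONFIG_RE.search(line)
        if m and m.group(1) in RISKY_OPTIONS and m.group(3) == "1":
            findings.append(("risky_option_enabled", m.group(1), stamp))
    for (client, user), n in failures.items():
        if n >= spray_threshold:
            kind = "bruteforce_then_success" if (client, user) in successes else "bruteforce"
            findings.append((kind, f"{user}@{client}", n))
    return findings


if __name__ == "__main__":
    for finding in hunt_errorlog(SAMPLE_ERRORLOG):
        print(*finding)
```

On a live server the same option check is a one-line query against sys.configurations (name and value_in_use for 'xp_cmdshell'); the ERRORLOG pass is what tells you when it was flipped and by which spid, which is the part that matters during an investigation.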
Initial stage loader
At the time of this writing, I found the malware impersonating WireGuard VPN as "good.exe", so as to exploit the trust established by legitimate certificate authorities. This also helps it evade EDRs and AVs. More info can be seen here - Code Signing Certificates
"good.exe" attempts to fetch and execute installutil.exe, but at the time of this writing the artifact was not present in the file directory.
Second stage loader
The wireguard2-5.bat and wireguard2-6.bat files function as Trojan loaders, designed to decrypt, load, and execute a second-stage payload directly within system memory.
Third stage (PureCrypter) as a standalone
When Nligmsnoy.png.bat is executed
Initial Execution and Disguise
The file Nligmsnoy.png.bat, disguised as a .png image, is executed.
Despite its misleading name, the file contains embedded batch instructions and malicious payloads designed to perform a sequence of covert operations.
Launching CMD and PowerShell
The batch file spawns cmd.exe to execute encoded commands.
PowerShell, launched from an unusual directory rather than its in-box location, decodes and runs Base64-encoded commands.
These commands initiate reflective memory operations, avoiding the creation of detectable files on the disk.
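As an added example (not code from the post, and not the malware's own script), the helper below decodes a PowerShell -EncodedCommand argument the way PowerShell itself does (base64 over UTF-16LE, not UTF-8, which is why a naive decode shows NUL-separated characters), flags the in-memory loader primitives this section describes, and checks whether powershell.exe was started from outside its two in-box directories. The sample command line and script are constructed; the rule names and the expected-path list are assumptions.

```python
import base64
import re
from typing import Optional

# Loader primitives this section describes, under hypothetical rule names.
SUSPICIOUS_PATTERNS = {
    "reflective_assembly_load": r"\[(?:System\.)?Reflection\.Assembly\]::Load\(",
    "base64_blob_decode": r"\[Convert\]::FromBase64String\(",
    "remote_memory_write": r"VirtualAllocEx|WriteProcessMemory|SetThreadContext",
    "defender_exclusion": r"Add-MpPreference\s+-Exclusion",
}

# The two in-box locations of a signed powershell.exe; anything else is "unusual".
EXPECTED_PS_IMAGES = (
    r"c:\windows\system32\windowspowershell\v1.0\powershell.exe",
    r"c:\windows\syswow64\windowspowershell\v1.0\powershell.exe",
)

# -e, -ec, -enc and -EncodedCommand are all accepted by powershell.exe; longest first.
ENC_ARG_RE = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
IMAGE_RE = re.compile(r'\s*"?([^"\s]*powershell\.exe)', re.IGNORECASE)


def encode_for_powershell(script: str) -> str:
    """How an -EncodedCommand blob is built: base64 over the UTF-16LE text."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


def extract_encoded_command(cmdline: str) -> Optional[str]:
    m = ENC_ARG_RE.search(cmdline)
    return m.group(1) if m else None


def decode_encoded_command(blob: str) -> str:
    """Decode a base64 blob the way PowerShell will. UTF-16LE ASCII text has a NUL
    in nearly every odd byte; a blob without that shape was built for
    [Convert]::FromBase64String (raw bytes / UTF-8) and is decoded as UTF-8."""
    raw = base64.b64decode(blob, validate=True)
    if len(raw) % 2 == 0 and raw[1::2].count(0) > len(raw) // 4:
        return raw.decode("utf-16le")
    return raw.decode("utf-8", errors="replace")


def triage_script(script: str) -> list:
    """Names of the suspicious patterns present, in rule order."""
    return [name for name, pat in SUSPICIOUS_PATTERNS.items()
            if re.search(pat, script, re.IGNORECASE)]


def powershell_from_unusual_path(cmdline: str) -> bool:
    m = IMAGE_RE.match(cmdline)
    return bool(m) and m.group(1).lower() not in EXPECTED_PS_IMAGES


def analyse_cmdline(cmdline: str) -> dict:
    blob = extract_encoded_command(cmdline)
    script = decode_encoded_command(blob) if blob else ""
    return {"unusual_path": powershell_from_unusual_path(cmdline),
            "decoded": script, "flags": triage_script(script)}


# Constructed sample (not from the incident): a hidden PowerShell started from a
# user-writable directory, carrying a reflective .NET loader as its encoded command.
SAMPLE_SCRIPT = ("$b=[Convert]::FromBase64String($p);"
                 "[System.Reflection.Assembly]::Load($b).EntryPoint.Invoke($null,$null)")
SAMPLE_CMDLINE = (r"C:\Users\Public\Libraries\powershell.exe -nop -w hidden -enc "
                  + encode_for_powershell(SAMPLE_SCRIPT))

if __name__ == "__main__":
    print(analyse_cmdline(SAMPLE_CMDLINE))
```

The UTF-16LE detail is the one that trips people up in triage: decoding a real -EncodedCommand blob with a generic base64 tool produces text with a NUL after every character, which silently breaks string matching unless the decoder accounts for it.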
Copying and Renaming Executables
The xcopy.exe utility is used to copy an executable file (payload) into a directory while renaming it with an image-like extension to avoid suspicion.
This copied file is prepared for the next stage of execution.
Dynamic Assembly Loading
The batch script uses PowerShell to load .NET assemblies directly into memory, which is what lets the later stages execute without ever being written to disk as standalone files.
These assemblies include components needed to decrypt and execute embedded malicious payloads.
PureCrypter Loader Execution
The PureCrypter loader, embedded within the batch file, is loaded in-memory.
PureCrypter decrypts secondary payloads, such as good.exe, zgRAT, or PureMiner, and injects them into legitimate processes like RegAsm.exe.
Process Injection
The payloads are injected into RegAsm.exe, a Microsoft-signed .NET utility that rarely draws attention, using DLL injection techniques.
The API sequence involved (VirtualAllocEx to reserve memory in the target, WriteProcessMemory to copy the decrypted payload into it, SetThreadContext to point a thread at the new code) is the fingerprint of process hollowing or thread-context hijacking rather than of LoadLibrary-based DLL injection. For detection this matters: key on a thread-context change in a freshly started RegAsm.exe rather than on an image-load event.
C2 Communication and Mining Operations
The injected RegAsm.exe process connects to Command and Control (C2) servers.
These servers provide commands for payload execution, exfiltration of system data, and downloading additional components like cryptominer plugins.
Evasion and Cleanup
During execution, the batch file and its payloads conduct several checks on system policies, trust settings, and antivirus configurations to ensure successful execution without interference.
All activities are confined to memory, leaving minimal artifacts on disk and complicating forensic investigation.
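To turn the behaviours in this section into something a SOC can run, here is an added detection example (not the post's own tooling) over a handful of constructed, Sysmon-shaped events: a shell spawned by sqlservr.exe, xcopy renaming an executable to an image extension, RegAsm.exe started by PowerShell and then opening a network connection, and a Defender exclusion added (event 5007). Two benign control events show what must not fire. The field names follow Sysmon; the RegAsm parent allow-list is an assumption, and the destination IP in one constructed event is taken from this post's IOC list so that the IOC match fires.

```python
import re

# Constructed events in a Sysmon-like shape (not from the incident). EventID 1 is
# process creation, 3 is a network connection, 5007 stands in for a Microsoft
# Defender configuration change. Field names follow Sysmon's.
EVENTS = [
    {"EventID": 1, "ProcessId": 4100, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\sqlservr.exe",
     "CommandLine": r'cmd.exe /c "C:\Users\Public\Nligmsnoy.png.bat"'},
    {"EventID": 1, "ProcessId": 4112, "Image": r"C:\Windows\System32\xcopy.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"xcopy /Y C:\Users\Public\payload.exe C:\Users\Public\Libraries\svc.png*"},
    {"EventID": 1, "ProcessId": 4130, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "ParentImage": r"C:\Users\Public\Libraries\powershell.exe",
     "CommandLine": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"},
    {"EventID": 3, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "DestinationIp": "185.174.136.204", "DestinationPort": 443},  # IP from this post's IOC list
    {"EventID": 5007,
     "Message": r"Microsoft Defender Antivirus Configuration has changed. New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Public = 0x0"},
    # Benign controls: RegAsm launched by an installer, and an ordinary service connection.
    {"EventID": 1, "ProcessId": 5200, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "ParentImage": r"C:\Windows\System32\msiexec.exe", "CommandLine": r"RegAsm.exe /codebase vendor.dll"},
    {"EventID": 3, "Image": r"C:\Windows\System32\svchost.exe",
     "DestinationIp": "10.0.0.5", "DestinationPort": 443},
]

# Destination path ending in an image extension; the trailing '*' is the xcopy
# trick that suppresses the "file or directory?" prompt.
IMAGE_EXT_RE = re.compile(r"\.(?:png|jpe?g|gif|bmp)\*?(?:\s|$)", re.IGNORECASE)
# Parents from which RegAsm.exe is expected in this environment (assumed allow-list).
REGASM_EXPECTED_PARENTS = ("msiexec.exe", "devenv.exe", "setup.exe")
# IPs from the IOC section of this post.
IOC_IPS = {"213.152.162.15", "185.174.136.204", "89.185.85.102"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(events, ioc_ips=IOC_IPS):
    """Return (rule, detail) findings for the chain described in this section."""
    findings = []
    for ev in events:
        eid = ev["EventID"]
        if eid == 1:
            img, parent, cmd = basename(ev["Image"]), basename(ev["ParentImage"]), ev["CommandLine"]
            if parent == "sqlservr.exe" and img in ("cmd.exe", "powershell.exe"):
                findings.append(("mssql_spawned_shell", ev["ProcessId"]))
            if img == "xcopy.exe" and re.search(r"\.exe\b", cmd, re.IGNORECASE) and IMAGE_EXT_RE.search(cmd):
                findings.append(("exe_copied_with_image_extension", ev["ProcessId"]))
            if img == "regasm.exe" and parent not in REGASM_EXPECTED_PARENTS:
                findings.append(("regasm_unexpected_parent", ev["ProcessId"]))
        elif eid == 3:
            if basename(ev["Image"]) == "regasm.exe":
                findings.append(("regasm_network_connection", ev["DestinationIp"]))
            if ev["DestinationIp"] in ioc_ips:
                findings.append(("ioc_ip_contacted", ev["DestinationIp"]))
        elif eid == 5007 and re.search(r"Windows Defender\\Exclusions\\", ev["Message"], re.IGNORECASE):
            excluded = ev["Message"].split("Exclusions\\", 1)[1].split(" = ")[0]
            findings.append(("defender_exclusion_added", excluded))
    return findings


if __name__ == "__main__":
    for rule, detail in detect(EVENTS):
        print(f"{rule:35s} {detail}")
```

The two RegAsm rules are deliberately separate: a RegAsm.exe with an odd parent is worth a look on its own, but RegAsm.exe making any outbound connection is close to a certainty, since the legitimate tool registers assemblies and has no reason to talk to the network.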
Role in the Infection Chain
The Nligmsnoy.png.bat file serves as the critical bridge between initial access and the deployment of core ransomware or cryptominer components. By leveraging advanced techniques such as Base64-encoded PowerShell commands, process injection, and memory-only execution, it achieves the following:
Stealthy Deployment: Evades file-system-based detection with memory-only operations and obfuscated payloads.
Evasion and Defense Awareness: Identifies and bypasses trust settings, language preferences, and security policies to ensure smooth execution.
Payload Execution: Prepares the environment for follow-up stages, including cryptomining (PureMiner/XMRig) and remote administration (zgRAT).
Reference Links and Additional Analysis
For a detailed understanding of the Mallox ransomware campaign and associated malware samples, refer to the following resources where I managed to run some sample files.
Sample Analysis - good.exe:
https://app.any.run/tasks/ca3f4767-2242-4ecf-95a3-f09e4f31a9a7
Sample Analysis - Nligmsnoy.png.bat (PureCrypter Loader):
https://app.any.run/tasks/94d10b63-288f-433c-b272-6a0add1f8a05-
Indicators Of Compromise (IOCs)
MD5
76bd9b706d30066a5ca38502e3e390b3
c4eeb88b19358d65c68544db1b5170d4
fef216956e7122a73830bc7c9e843265
IPs Contacted
213.152.162.15
185.174.136.204
89.185.85.102
Other sources include:
- Further threat hunting (Censys hosts matching *.mallox): https://search.censys.io/search?resource=hosts&sort=RELEVANCE&per_page=25&virtual_hosts=EXCLUDE&q=*.mallox