Technical Blog: Dissecting Mallox Ransomware Deployment via MS-SQL Exploitation and Cryptomining

Summary

  • Mallox ransomware operators exploit vulnerabilities in MS-SQL and ODBC interfaces to gain initial access.

  • The threat actors deploy malicious batch scripts to execute ransomware and XMRig cryptominers.

  • Advanced fileless execution techniques, such as DLL injection and in-memory payload execution, are used to evade detection.

  • This blog details the multi-stage infection chain, focusing on the delivery of the PureCrypter loader and the XMRig cryptominer.

    Mallox operates as a Ransomware-as-a-Service (RaaS): affiliates of the RaaS program conduct the attacks, and the profits are then shared between the affiliate and the operator.

  • This blog analyzes files uncovered within the client's environment, providing detailed insights into their behavior and impact.

  • Infection Chain Overview

    Here is a clear breakdown of the Mallox ransomware infection chain:

    • Initial Access: Exploits vulnerabilities in MS-SQL/ODBC services → Executes PowerShell and batch files.

    • Payload Delivery: Batch files deploy wireguard2-3.bat.

    • In-Memory Execution: DLL injection loads payloads directly in memory.

    • PureCrypter Stage: Disguised as Nligmsnoy.png.bat, decrypts and executes follow-up components.

    • Defense Evasion: Windows Defender exclusions ensure stealth.

    • Command and Control: Malware communicates with C2 servers to receive further instructions and download cryptominer components.

    • Cryptomining Execution: XMRig runs, connecting to mining pools for cryptocurrency generation.

Malicious Batch Files Observed:

These files were heavily obfuscated to hinder analysis and detection.

  • amisov.bat

  • Nligmsnoy.png.bat

  • TfTatticasupdatesr.bat

  • TFTMettasx.bat

  • wireguard2-5.bat

  • Wireguard2-6.bat

  • good.exe

1. Initial Access

The threat actors exploited vulnerabilities in publicly exposed MS-SQL servers and ODBC interfaces to gain initial access to environments. Once access was obtained, PowerShell scripts and batch files were executed to move further into the attack chain.

Initial stage loader

At the time of this writing, I found the malware impersonating WireGuard VPN as “good.exe” in order to exploit the trust established by legitimate certificate authorities. Signed binaries also help evade EDRs and AVs. More info can be seen here - Code Signing Certificates

“good.exe” attempts to fetch and execute installutil.exe, but at the time of this writing the artifact did not exist in the file directory.

Second stage loader

The wireguard2-5.bat and wireguard2-6.bat files function as Trojan loaders, designed to decrypt, load, and execute a second-stage payload directly within system memory.

Third stage (PureCrypter) as a standalone

When Nligmsnoy.png.bat is executed

  1. Initial Execution and Disguise

    • The file Nligmsnoy.png.bat, disguised as a .png image, is executed.

    • Despite its misleading name, the file contains embedded batch instructions and malicious payloads designed to perform a sequence of covert operations.

  2. Launching CMD and PowerShell

    • The batch file spawns cmd.exe to execute encoded commands.

    • PowerShell, launched from an unusual directory, is used to decode and run Base64-encoded commands.

    • These commands initiate reflective memory operations, avoiding the creation of detectable files on the disk.

  3. Copying and Renaming Executables

    • The xcopy.exe utility is used to copy an executable file (payload) into a directory while renaming it with an image-like extension to avoid suspicion.

    • This copied file is prepared for the next stage of execution.

  4. Dynamic Assembly Loading

    • PowerShell assemblies are dynamically loaded into memory by the batch script to facilitate in-memory execution.

    • These assemblies include components needed to decrypt and execute embedded malicious payloads.

  5. PureCrypter Loader Execution

    • The PureCrypter loader, embedded within the batch file, is loaded in-memory.

    • PureCrypter decrypts secondary payloads, such as good.exe, zgRAT, or PureMiner, and injects them into legitimate processes like RegAsm.exe.

  6. Process Injection

    • The payloads are injected into RegAsm.exe, a trusted Microsoft process, using DLL injection techniques.

    • Memory-based operations like VirtualAllocEx, WriteProcessMemory, and SetThreadContext are performed to manipulate remote processes and execute the malware.

  7. C2 Communication and Mining Operations

    • The injected RegAsm.exe process connects to Command and Control (C2) servers.

    • These servers provide commands for payload execution, exfiltration of system data, and downloading additional components like cryptominer plugins.

  8. Evasion and Cleanup

    • During execution, the batch file and its payloads conduct several checks on system policies, trust settings, and antivirus configurations to ensure successful execution without interference.

    • All activities are confined to memory, leaving minimal artifacts on disk and complicating forensic investigation.
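As an added example (not code from the post or from the Mallox samples), the following Python triages process-creation events for three behaviours described in steps 2, 3 and 6 above: encoded PowerShell that adds a Windows Defender exclusion or loads assemblies reflectively, xcopy copying an .exe under an image-like extension, and RegAsm.exe spawned from a script host. The sample events, file paths and the use of Add-MpPreference for the exclusion are constructed assumptions for illustration.

```python
import base64
import re

# Behaviours the post describes, searched for in a decoded PowerShell command: Defender
# exclusions ("Defense Evasion") and reflective/in-memory assembly loading (step 4).
SUSPICIOUS_PS = ("add-mppreference", "set-mppreference", "[reflection.assembly]::load",
                 "invoke-expression", "iex ")
IMAGE_EXT = (".png", ".jpg", ".jpeg", ".gif", ".bmp")
SCRIPT_HOSTS = ("cmd.exe", "powershell.exe")

def _basename(path):
    return path.strip('"').lower().rsplit("\\", 1)[-1]

def decode_encoded_command(cmdline):
    """Return the UTF-16LE plaintext of a -EncodedCommand/-enc/-e argument, else None."""
    m = re.search(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le") if m else None
    except (ValueError, UnicodeDecodeError):
        return None

def triage_event(parent, cmdline):
    """Names of the rules a (parent image, child command line) pair matches."""
    toks = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)] or [""]
    exe, hits = _basename(toks[0]), []
    if exe.startswith("powershell"):  # step 2: encoded PowerShell launched by the batch file
        decoded = (decode_encoded_command(cmdline) or "").lower()
        if any(s in decoded for s in SUSPICIOUS_PS):
            hits.append("encoded_powershell_defender_or_reflective_load")
    if exe == "xcopy.exe":  # step 3: payload copied under an image-like extension
        paths = [t.lower() for t in toks[1:] if not t.startswith("/")]
        if len(paths) >= 2 and paths[0].endswith(".exe") and paths[1].endswith(IMAGE_EXT):
            hits.append("xcopy_exe_renamed_to_image")
    if exe == "regasm.exe" and _basename(parent) in SCRIPT_HOSTS:  # step 6: injection target
        hits.append("regasm_spawned_by_script_host")
    return hits

# Constructed sample events (parent image, child command line); not logs from the incident.
SAMPLE_EVENTS = [
    (r"C:\Windows\System32\cmd.exe", "powershell.exe -nop -w hidden -enc " + base64.b64encode(
        "Add-MpPreference -ExclusionPath 'C:\\Users\\Public'".encode("utf-16-le")).decode()),
    (r"C:\Windows\System32\cmd.exe",
     r'xcopy.exe /Y "C:\Users\Public\payload.exe" "C:\Users\Public\Nligmsnoy.png"'),
    (r"C:\Windows\System32\cmd.exe", r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"),
    (r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe readme.txt"),
]

def triage_all(events=SAMPLE_EVENTS):
    """One list of matched rule names per event, in input order."""
    return [triage_event(parent, cmd) for parent, cmd in events]
```

Feed it Sysmon event 1 or EDR process-creation records (parent image plus child command line) to surface the same chain on real hosts.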

Role in the Infection Chain

The Nligmsnoy.png.bat file serves as the critical bridge between initial access and the deployment of core ransomware or cryptominer components. By leveraging advanced techniques such as Base64-encoded PowerShell commands, process injection, and memory-only execution, it achieves the following:

  1. Stealthy Deployment: Evades file-system-based detection with memory-only operations and obfuscated payloads.

  2. Evasion and Defense Awareness: Identifies and bypasses trust settings, language preferences, and security policies to ensure smooth execution.

  3. Payload Execution: Prepares the environment for follow-up stages, including cryptomining (PureMiner/XMRig) and remote administration (zgRAT).

For a detailed understanding of the Mallox ransomware campaign and the associated malware samples, refer to the following sandbox reports, where I ran some of the sample files.

Sample Analysis - good.exe:

https://app.any.run/tasks/ca3f4767-2242-4ecf-95a3-f09e4f31a9a7

Sample Analysis - Nligmsnoy.png.bat (PureCrypter Loader):

https://app.any.run/tasks/94d10b63-288f-433c-b272-6a0add1f8a05-

Indicators Of Compromise (IOCs)

MD5

  • 76bd9b706d30066a5ca38502e3e390b3

  • c4eeb88b19358d65c68544db1b5170d4

  • fef216956e7122a73830bc7c9e843265

IPs Contacted

  • 213.152.162.15

  • 185.174.136.204

  • 89.185.85.102

Other sources include: