VMware ESXi Systems with Admin Rights Targeted by New Mallox Ransomware Variant


Posted on: 13 Jun 2024 | Author: Foresiet

Novel Attack Vector Uses Custom Shell for Payload Delivery and Execution

A fresh variant of the Mallox ransomware has emerged, specifically targeting VMware ESXi environments with administrative privileges. This advanced attack method, discovered by researchers at Trend Micro, demonstrates the evolving sophistication of ransomware tactics.

Mallox Ransomware: An Overview

Mallox, also known as Fargo and Tohnichi, first emerged in June 2021. Since then, it has claimed to have compromised hundreds of organizations across various sectors, including manufacturing, retail, wholesale, legal, and professional services. In 2024, Mallox has shown significant activity in Taiwan, India, Thailand, and South Korea.

Advanced Techniques in the Latest Variant

The new Linux variant of Mallox employs a custom shell script to deliver and execute ransomware, marking the first time the group has used this method in virtualized environments. This technique is likely aimed at maximizing disruption and increasing the chances of ransom payment. The affiliate responsible for this variant, known as "vampire," is involved in broader campaigns demanding high ransoms and targeting extensive IT systems.

How the Attack Works

The variant first checks whether it is running with administrative rights; if it is not, it exits without doing anything. Once administrative access is confirmed, the malware drops a text file named TargetInfo.txt containing victim information, which it sends to a command-and-control (C2) server. This mirrors the reconnaissance step performed by the Windows version of Mallox.

For this exfiltration the variant contacts a new IP address, hosted by China Mobile Communications; the same address is also used to fetch and run the malicious payload. The malware then checks whether the machine is running VMware ESXi by looking for the system name "vmkernel". Only if this matches does it start its encryption routine, appending the ".locked" extension to encrypted files and dropping a ransom note titled HOW TO DECRYPT.txt.

Exfiltration and Redundancy Measures

The custom shell script does two jobs: it downloads and executes the ransomware payload, and it exfiltrates data to several servers. After reading the dropped TargetInfo.txt, it uploads the contents to a second URL once the ransomware routine has finished. Sending the data to two destinations gives the attackers redundancy if one server goes offline or is taken down. Finally, the script deletes the Mallox (TargetCompany) payload itself, which makes it harder for defenders to recover the sample, assess the attack's impact and respond effectively.
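As an added example (not code from the Trend Micro report and not the attacker's script), the following POSIX shell helper turns the on-disk artefacts described in the two sections above into a quick triage check that can be run in the ESXi shell or against a mounted datastore on an analysis box. It assumes the artefact names exactly as reported (TargetInfo.txt, the ".locked" extension and HOW TO DECRYPT.txt) and a busybox-compatible find, wc and tr; the function and variable names are my own. Because the shell script removes the payload when it is done, the durable indicators are the renamed files and the ransom note, so the helper counts those first and only prints TargetInfo.txt if a copy survived.

```shell
#!/bin/sh
# Added triage helper for the Mallox ESXi indicators described above.
# Example code written for this page, not Mallox's own script and not
# tooling from the Trend Micro report. Assumes a POSIX shell with find,
# wc, tr and head, so it runs in the ESXi (busybox) shell as well as on
# a Linux analysis box.

# Mirrors the malware's own ESXi check: it looks for "vmkernel" in the
# system name. On a real ESXi host `uname -s` prints "VMkernel".
# Usage: looks_like_esxi "$(uname -s)"   (returns 0 if it matches)
looks_like_esxi() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        *vmkernel*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Count regular files under $1 whose name matches the find -name glob $2.
count_named() {
    find "$1" -type f -name "$2" 2>/dev/null | wc -l | tr -d ' '
}

# Walk a directory tree (for example /vmfs/volumes on an ESXi host, or a
# mounted datastore image) and report the three artefacts from the report.
# Returns 0 when nothing was found, 1 when at least one indicator is
# present, 2 when the directory does not exist.
mallox_triage() {
    root="$1"
    [ -d "$root" ] || { echo "no such directory: $root" >&2; return 2; }

    notes=$(count_named "$root" 'HOW TO DECRYPT.txt')
    info=$(count_named "$root" 'TargetInfo.txt')
    locked=$(count_named "$root" '*.locked')

    echo "ransom notes (HOW TO DECRYPT.txt):  $notes"
    echo "victim-info drops (TargetInfo.txt): $info"
    echo "encrypted files (*.locked):         $locked"

    # A surviving TargetInfo.txt tells the analyst exactly what was sent
    # to the C2 server, so show its first lines.
    if [ "$info" -gt 0 ]; then
        find "$root" -type f -name 'TargetInfo.txt' 2>/dev/null | while read -r f; do
            echo "--- $f ---"
            head -n 20 "$f"
        done
    fi

    [ "$notes" -eq 0 ] && [ "$info" -eq 0 ] && [ "$locked" -eq 0 ] && return 0
    return 1
}

# Run directly: sh mallox_triage.sh /vmfs/volumes
if [ "$#" -gt 0 ]; then
    mallox_triage "$1"
fi
```

The exit code is meant for scripting: a host that returns 1 can be isolated automatically, while the printed counts tell the responder how far encryption got. Pair the file-system check with network logs for the exfiltration address, since the script itself may no longer be on disk.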

Mitigation Strategies for Organizations

Given the sophistication of this new Mallox attack vector, organizations that run VMware ESXi hosts and Linux systems need to tighten their security controls. Trend Micro researchers recommend the following best practices:

Enable multifactor authentication (MFA): make stolen credentials alone insufficient for attackers to log in and move laterally within the network.
Follow the "3-2-1 rule" for backups: keep three copies of your data on two different types of media, with one copy stored offsite (and ideally offline, so an attacker with admin rights on the hypervisor cannot reach it).
Patch and update regularly: keep hypervisors and systems up to date so known software vulnerabilities cannot be exploited for initial access.

Conclusion

The advanced tactics employed by the Mallox ransomware highlight the critical need for organizations to maintain vigilant security practices. Implementing robust measures can help mitigate the risk of falling victim to ransomware attacks and protect the integrity of an organization's data assets. Staying proactive in stolen credentials detection, digital footprint analysis, and brand protection is essential to defend against evolving cyber threats.

By leveraging darknet monitoring services and digital threat scoring, organizations can enhance their defenses and respond more effectively to potential breaches, ensuring comprehensive protection in an increasingly hostile digital landscape.


About Foresiet!

Foresiet is the pioneering force in digital security solutions, offering the first integrated Digital Risk Protection SaaS platform. With 24x7x365 dark web monitoring and proactive threat intelligence, Foresiet safeguards against data breaches and intellectual property theft. Our robust suite includes brand protection, takedown services, and supply chain assessment, enhancing your organization's defense mechanisms. Attack surface management is a key component of our approach, ensuring comprehensive protection across all vulnerable points. Compliance is assured through adherence to ISO27001, NIST, GDPR, PCI, SOX, HIPAA, SAMA, CITC, and Third Party regulations. Additionally, our advanced antiphishing shield provides unparalleled protection against malicious emails. Trust Foresiet to empower your organization to navigate the digital landscape securely and confidently.

Safeguard Your Reputation, Data, and Systems

Protect your brand, reputation, data, and systems with Foresiet's Integrated Digital Risk Platform. 24/7/365 threat monitoring for total peace of mind.
