© 2023 CyberNews - Latest tech news, product reviews, and analyses.


Ransom gang stepping up attacks, analyst warns

Mallox, a recent entrant to the ransomware scene, has been increasingly active in the past few weeks and appears to be going after companies that rely on the Global Positioning System (GPS) for their business, cyber analyst Cyble is warning.

Mallox was first spotted in June last year but appears to have kept a relatively low-key presence since then. That changed in November, when the number of observed ransomware samples attributed to the gang jumped to 22, from three the previous month.

And already in the first week of December alone, the group has deployed its strain of ransomware no less than 23 times, suggesting that this relatively new player is planning a festive run that no business wants to be a part of.

“These Mallox ransomware samples are downloaded and loaded by an unknown loader,” said Cyble. “The loader further downloads Mallox ransomware from the remote server and encrypts files in the victim’s machine. Additionally, the ransomware group maintains a leak site with information related to the victims of the ransomware attacks.”

Cyble adds that Mallox appears to be targeting “GPS-related services,” suggesting it might be going after “organizations dealing in operation technology and critical infrastructure.”

What’s in a name?

Mallox was first known as “TargetCompany” because it added the name of the victim organization to files encrypted during ransomware attacks – the technique by which such gangs render company data unusable until the target has paid up.

Cyble also noted that Mallox uses spam emails to socially engineer or con recipients into downloading its malware, which works off “an unknown .NET loader.”

“Our research indicates that the loader is known to be downloading other malware families such as AgentTesla, Remcos, and Snake keylogger,” added Cyble. “This loader usually arrives via spam email with different flavors to lure the users into downloading and executing the email attachment.”

After downloading the encrypted Mallox payload, the .NET loader decrypts and executes it in memory without writing it to disk, in order to evade antivirus detection.
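Because the loader runs the payload in memory, there is little on disk to detect before encryption begins, so defenders often watch the encryption stage itself: the article notes that Mallox appends the victim organization's name to every file it encrypts. The following Python script is an added example (not Cyble's tooling or anything from the article) of a simple detection heuristic for that behaviour: it reads file rename events, groups them by the suffix that was appended to the original name, and alerts when many files gain the same new suffix within a short window and their new contents look like ciphertext (high Shannon entropy). The event format, the `.acmecorp` suffix, the paths and the file contents are all constructed for the example.

```python
import math
from collections import Counter, defaultdict

# Constructed stand-ins for file contents: ciphertext-like (every byte value
# equally frequent, entropy 8.0 bits) versus ordinary text (entropy well below 4).
ENCRYPTED_HEAD = bytes(range(256)) * 4
PLAINTEXT_HEAD = b"Quarterly report text " * 16

# Constructed file-system rename events: timestamp (seconds), old path, new path,
# and the first bytes of the file after the rename. The ".acmecorp" suffix is a
# made-up stand-in for the victim-name suffix described in the article.
SAMPLE_EVENTS = [
    {"ts": 100, "old": r"C:\Finance\Q3.xlsx", "new": r"C:\Finance\Q3.xlsx.acmecorp", "head": ENCRYPTED_HEAD},
    {"ts": 103, "old": r"C:\Finance\Q4.xlsx", "new": r"C:\Finance\Q4.xlsx.acmecorp", "head": ENCRYPTED_HEAD},
    {"ts": 105, "old": r"C:\HR\staff.docx", "new": r"C:\HR\staff.docx.acmecorp", "head": ENCRYPTED_HEAD},
    {"ts": 108, "old": r"C:\HR\payroll.csv", "new": r"C:\HR\payroll.csv.acmecorp", "head": ENCRYPTED_HEAD},
    {"ts": 111, "old": r"C:\Ops\routes.gpx", "new": r"C:\Ops\routes.gpx.acmecorp", "head": ENCRYPTED_HEAD},
    {"ts": 114, "old": r"C:\Ops\fleet.db", "new": r"C:\Ops\fleet.db.acmecorp", "head": ENCRYPTED_HEAD},
    # Benign activity that must not trigger: a backup copy (readable text) ...
    {"ts": 120, "old": r"C:\Docs\report.docx", "new": r"C:\Docs\report.docx.bak", "head": PLAINTEXT_HEAD},
    # ... two compressed temp files (high entropy, but too few of them) ...
    {"ts": 130, "old": r"C:\Build\a.o", "new": r"C:\Build\a.o.tmp", "head": ENCRYPTED_HEAD},
    {"ts": 131, "old": r"C:\Build\b.o", "new": r"C:\Build\b.o.tmp", "head": ENCRYPTED_HEAD},
    # ... and a plain rename that does not append anything to the old name.
    {"ts": 140, "old": r"C:\Docs\plan_v1.docx", "new": r"C:\Docs\plan_v2.docx", "head": PLAINTEXT_HEAD},
]


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 means every byte value is equally common."""
    if not data:
        return 0.0
    counts = Counter(data)
    total = len(data)
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def appended_suffix(old: str, new: str):
    """Return what was appended if `new` is `old` plus extra characters, else None."""
    if new.startswith(old) and len(new) > len(old):
        return new[len(old):]
    return None


def detect_bulk_rename(events, window_s=60, min_files=5, min_entropy=7.0):
    """Flag suffixes that many high-entropy files gained within `window_s` seconds.

    Returns a list of findings, one per suspicious suffix, with the size of the
    densest window of renames and the paths involved.
    """
    by_suffix = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        suffix = appended_suffix(ev["old"], ev["new"])
        if suffix is None:
            continue  # not an "append to the original name" rename
        if shannon_entropy(ev["head"]) < min_entropy:
            continue  # contents still look like plaintext, not ciphertext
        by_suffix[suffix].append(ev)

    findings = []
    for suffix, evs in by_suffix.items():
        best = None  # (start index, size) of the densest window seen
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window_s:
                start += 1
            size = end - start + 1
            if size >= min_files and (best is None or size > best[1]):
                best = (start, size)
        if best is not None:
            s, n = best
            findings.append({
                "suffix": suffix,
                "count": n,
                "first_ts": evs[s]["ts"],
                "paths": [e["new"] for e in evs[s:s + n]],
            })
    return findings


if __name__ == "__main__":
    for f in detect_bulk_rename(SAMPLE_EVENTS):
        print(f"ALERT: {f['count']} files gained suffix {f['suffix']!r} "
              f"starting at t={f['first_ts']}s: {f['paths'][:3]} ...")
```

The entropy check is what separates mass encryption from a backup job or a batch rename: a tool that appends `.bak` to readable documents never crosses the threshold, while ciphertext does regardless of which suffix the gang chose. In production the events would come from an EDR agent, Sysmon or auditd rather than a hard-coded list, and `min_files` and `window_s` should be tuned to the host's normal rename rate.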

Screenshot taken by Cyble of Mallox ransomware in action
Mallox takes its name from the curious moniker it adds to encrypted files during cyberattacks
