{
  "name": "Mallox ransomware: in-depth analysis and evolution",
  "slug": "mallox-ransomware-in-depth-analysis-and-evolution",
  "description": "Mallox is a sophisticated ransomware family that emerged in 2021 and has since evolved into a Ransomware-as-a-Service (RaaS) operation. It initially targeted specific companies but later shifted to a broader, less targeted approach, likely as part of its RaaS model. The malware employs complex encryption schemes, including elliptic-curve cryptography and ChaCha20, which have been revised over time to address weaknesses in those schemes. Mallox targets many countries, with Brazil, Vietnam, and China being the most affected. The RaaS operates on a profit-sharing model, offering up to 80% to affiliates with access to large networks. The group actively maintains a data leak site and a negotiation portal on the dark web, and uses social media to publicize its activities and attract new affiliates.",
  "published": "2024-09-04T14:31:32+00:00",
  "created_at": "2024-09-04T14:31:32+00:00",
  "modified_at": "2024-09-04T16:49:33+00:00",
  "created_at_opencti": "2024-09-04T14:31:32+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2024-09-04",
    "mallox",
    "raas",
    "ransomware",
    "remcos rat"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "91.215.85.142"
      },
      {
        "id": "",
        "name": "df64e87ecb30f4cadf54f2c1b3d3cba8cc2d315db0fd4af2d11add57baa56f6a"
      },
      {
        "id": "",
        "name": "db12aacbc394e441e23c1e1d9ce25ca354a554d7362b399e6d0e33770f0e98fe"
      },
      {
        "id": "",
        "name": "c4ff97dfb8e0523cc97b6e2987f71e678f1aea05f65ec934e292bb7f0ecc985e"
      },
      {
        "id": "",
        "name": "e92f5d73a8cb1aa132602d3f35f2c2005deba64df99dcfff4e2219819ab3fffd"
      },
      {
        "id": "",
        "name": "0427a9f68d2385f7d5ba9e9c8e5c7f1b6e829868ef0a8bc89b2f6dae2f2020c4"
      },
      {
        "id": "",
        "name": "f7e8a0eac54dd040e2609546fca263f2c2753802ff57e7c62d5e9ccfa04bdb1a"
      }
    ],
    "malware": [
      {
        "id": "legacy:malware:be12e6fe16bcaff2",
        "name": "Remcos RAT",
        "slug": "remcos-rat"
      },
      {
        "id": "legacy:malware:c9649853163819ce",
        "name": "Mallox",
        "slug": "mallox"
      }
    ],
    "intrusion_sets": [
      {
        "id": "b20efa8e-1026-48d5-b12a-11c5581a503b",
        "name": "Mallox",
        "slug": "mallox"
      }
    ],
    "attack_patterns": [
      {
        "id": "4bbdf41c-817c-448a-9513-aaea6bfbe8b4",
        "name": "T1568"
      },
      {
        "id": "14e5fcd9-c0ff-44f0-8430-d8942ebb832e",
        "name": "T1567.002"
      },
      {
        "id": "ecaaa4cc-d487-4002-bcb2-f769acfcc38f",
        "name": "T1490"
      },
      {
        "id": "32b33067-6566-4b8d-be80-e96f765d84de",
        "name": "T1059.001"
      },
      {
        "id": "232fbdfa-94c6-443d-b575-373e75b4f4c2",
        "name": "T1567"
      },
      {
        "id": "93b2c4dd-5523-4464-8976-78754ee372fd",
        "name": "T1012"
      },
      {
        "id": "c9ee9b30-ba84-4c24-95e9-e8242d42af3f",
        "name": "T1071.001"
      },
      {
        "id": "7364ca96-72bf-4b7f-afef-ce2583b1ed58",
        "name": "T1562.001"
      },
      {
        "id": "a72ebeae-8e62-4039-8135-e9c611011fdc",
        "name": "T1573"
      },
      {
        "id": "3eb6d0bc-8d5f-4192-a97e-0a7bbbb5d0a3",
        "name": "T1491"
      },
      {
        "id": "d9f271ed-7685-4362-b90d-f16a14102f39",
        "name": "T1489"
      },
      {
        "id": "f1bb7823-4f4b-4565-b472-bf0cfca467b1",
        "name": "T1486"
      },
      {
        "id": "70616b2f-4019-4963-b758-5d9f6f20e201",
        "name": "T1082"
      },
      {
        "id": "45082a8e-9c79-470e-ad1b-decac7188e8f",
        "name": "T1083"
      },
      {
        "id": "c3af9fd7-d307-4df4-9220-cc627938fb85",
        "name": "T1055"
      },
      {
        "id": "81ee4813-4f68-4984-bec1-980d7c5b56eb",
        "name": "T1132"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "Australia"
      },
      {
        "id": "",
        "name": "China"
      },
      {
        "id": "",
        "name": "Canada"
      },
      {
        "id": "",
        "name": "Germany"
      },
      {
        "id": "",
        "name": "Brazil"
      },
      {
        "id": "",
        "name": "Technology"
      },
      {
        "id": "",
        "name": "Healthcare"
      },
      {
        "id": "",
        "name": "Energy"
      },
      {
        "id": "",
        "name": "Finance"
      },
      {
        "id": "",
        "name": "Telecommunications"
      },
      {
        "id": "",
        "name": "Manufacturing"
      }
    ]
  },
  "external_refs": [
    "https://securelist.com/mallox-ransomware/113529/",
    "https://otx.alienvault.com/pulse/66d88b643a1ecca7f92e69af"
  ]
}