Evasive BatLoader Executes Ransomware Payloads on the Fly
The ransomware known as “TargetCompany,” which first appeared in June 2021, gained significant attention due to its unique method of appending the name of the targeted company as a file extension to encrypted files. This ransomware variant was also observed appending a “.mallox” extension to encrypted files, leading to its previous identification as “Mallox”. Last year, Cyble Research and Intelligence Labs (CRIL) also reported a significant rise in the Mallox ransomware samples.
We have encountered a new variation of the Mallox ransomware that now appends the file extension “.malox” to the encrypted files, whereas previously, it used the “.mallox” extension. This ransomware binary is deployed using BatLoader, which is similar to the one reported – spreading RATs and Stealers.
The figure below shows infection new infection chain of Mallox ransomware.
In contrast to the previous infection method, this one eliminates the need for a downloader to retrieve the ransomware payload from a remote server. Instead, the ransomware payload is contained within a batch script, which is then injected into “MSBuild.exe”, without saving it on the disk.
The figure below shows the process tree.
To date, Mallox ransomware has publicly disclosed details of over 20 victims from over 15 countries, with India being the most targeted nation, followed by the United States.
The figure below shows the geographic distribution of victims.
The majority of victims affected by Mallox ransomware belong to the Manufacturing, Energy & Utilities sectors, IT & ITES, and Professional Services Industries.
The figure below shows the industry-wise distribution of Mallox ransomware victims.
Technical Analysis
The initial infection occurs once the user clicks on the attachment included in the spam email. The attachment can either be an executable file that downloads BatLoader from a remote server, or it may directly contain the BatLoader within the spam attachment.
The figure below shows the batch script (SHA256: 5158b0a023299c1922423a065b9825fd1769f1a87ffd2031375a0e893d523318) responsible for ransomware infection.
The batch script utilized in this case is obfuscated, employing various variables that are defined in a random sequence. These variables are subsequently combined through concatenation to execute commands.
The example displayed in the figure below illustrates one instance of such variable concatenation within the script.
It executes the following commands:
- “if not DEFINED IS_MINIMIZED set IS_MINIMIZED=1 && start “” /C /min “C:\Users\User_Name\Desktop\ransomware.bat” && exit”
This command checks if the environment variable IS_MINIMIZED is defined. If it is not defined, it sets IS_MINIMIZED to 1, starts the same batch script in a minimized window, and then exits the previous instance of the current script.
- copy /y “C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe” “C:\Users\User_Name \Desktop\ransomware.bat.exe”
This command will copy the PowerShell executable (powershell.exe) to a file named “batch script name” + “.exe” within the directory where the batch script is being executed.
- attrib +s +h
This command sets the system and hidden attribute to the newly copied PowerShell file.
The figure below shows the “PowerShell.exe” copied as “ransomware.bat.exe”.
- “C:\Users\User_Name\Desktop\ransomware.bat.exe” -wIn 1 -enC <base64_encoded content>
The mentioned command is utilized to execute Base64 encoded content provided as a parameter. This encoded content is a PowerShell script responsible for extracting the ransomware payload from the BatLoader. The script achieves this extraction by scanning the initial BatLoader and identifying lines with the substring “ck”. When a line with “ck” is found, the script appends the substring following “ck” to an object using the Append method.
This PowerShell script also drops a batch script named “killerrr.bat” in the %TEMP% directory, which can perform the following operations:
- Kill over 600 processes using the taskkill /IM command.
- Stops over 200 services using the net stop command.
- Disables over 13 services using the sc config Service_Name start= disabled command.
- Deletes over 200 services using the sc delete command.
- Removes 2 directories “C:\Program Files (x86)\Kingdee\K3ERP\K3Express\KDHRAPP\client\log” and “C:\Program Files\Kingdee\K3ERP\K3Express\Logs”
Injection
The PowerShell script involves dynamically loading Malllox assembly. It achieves this injection method using the following steps:
- Uses System.Reflection.Assembly]::Load() to load the assembly from a byte array.
- It retrieves the entry point of the loaded assembly using the EntryPoint property.
- An instance of the loaded assembly is created using the CreateInstance method, providing the name of the entry point method.
The ransomware binary is injected into the MSBuild.exe, as shown in the figure below.
Impact
Unlike other Mallox ransomware variants, this ransomware binary appends the encrypted files with the “.malox” extension.
The figure below shows the encrypted files.
The figure below shows the ransom note.
Conclusion
The Mallox ransomware group has incorporated BatLoader into their operations, utilizing it to extract and inject the ransomware payload. This loader bears similarities to the one previously identified in the distribution of various malware families, such as Quasar RAT, Async RAT, Redline Stealer, and DC RAT.
The adoption of new infection techniques suggests that the TAs responsible for Mallox ransomware are actively modifying their tactics, techniques, and procedures (TTPs), underscoring their efforts to enhance evasiveness and maintain their malicious activities.
Our RecommendationsÂ
We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:
Safety Measures Needed to Prevent Ransomware Attacks
- Conduct regular backup practices and keep those backups offline or in a separate network.
- Turn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic.
- Use a reputed anti-virus and Internet security software package on your connected devices, including PC, laptop, and mobile.
- Refrain from opening untrusted links and email attachments without verifying their authenticity.
Users Should Take the Following Steps After the Ransomware Attack
- Detach infected devices on the same network.
- Disconnect external storage devices if connected.
- Inspect system logs for suspicious events.
Impact And Cruciality of Ransomware
- Loss of valuable data.
- Loss of the organization’s reputation and integrity.
- Loss of the organization’s sensitive business information.
- Disruption in organization operation.
- Monetary loss.
MITRE ATT&CK® TechniquesÂ
| Tactic | Technique ID | Technique Name |
| Execution | T1204 | User Execution |
| Defense Evasion | T1140 T1562 T1222 T1564 T1036 T1070 | Deobfuscate/Decode Files or Information Impair Defences File and Directory Permissions Modification Hidden Files and Directories Masquerading File Deletion |
| Discovery | T1082 T1083 | System Information Discovery File and Directory Discovery |
| Impact | T1486 | Data Encrypted for Impact |
| Command and Control | T1071 | Application Layer Protocol |
Indicators of Compromise (IOCs)
| Indicators | Indicator Type | Description |
| dcf060e00547cfe641eff3f836ec08c8 8054569d8b449e4cd0211cb2499c19f42557fb21 2565158b0a023299c1922423a065b9825fd1769f1a87ffd2031375a0e893d523318 | MD5 SHA1 SHA256 | BatLoader |
| 9a239885dc7044a9289610d58585167b 28b8b4c9fe29ba0e815e525d2529b92217877e85 0de0da8037176c3c9cb403e2865a7699e53ff5a013070132ba512b9dab7a0126 | MD5 SHA1 SHA256 | Killerrr.bat |
| hxxps[:]//whyers.io/QWEwqdsvsf/ap.php hxxp[:]//whyers.io/QWEwqdsvsf/ap.php | URL | Malicious URL |
| hxxp://80.66.75.116/Tst.bat | URL | Malicious URL |
