September 24, 2024
Severity
High
Analysis Summary
TargetCompany, an affiliate of the Mallox ransomware operation, was observed attacking Linux systems with a slightly altered variant of the Kryptina ransomware.
Researchers say that this version of Mallox is distinct from other Linux-targeting versions, such as the one detailed in June of last year, underscoring the evolving strategies of the ransomware ecosystem. It is also a further indication that Mallox, malware that was previously exclusive to Windows, is now targeting Linux and VMware ESXi machines, a big change for the operation.
Launched in late 2023 as a low-cost ransomware-as-a-service (RaaS) platform for Linux systems, priced at $500–$800, Kryptina failed to gain popularity in the cybercrime world. Its alleged administrator released Kryptina's source code for free on dark web forums in February 2024, where it was likely picked up by ransomware actors hoping to acquire a functional Linux version. Cybersecurity researchers learned that the Mallox project had taken up Kryptina and was using its source code to build rebranded Mallox payloads when a Mallox affiliate experienced an operational problem and exposed their tools.
The rebranded encryptor, called "Mallox Linux 1.0," uses the same AES-256-CBC encryption and decryption routines as Kryptina, along with the same configuration settings and command-line interface. This suggests that the Mallox affiliate changed only the name and appearance, removed any mention of Kryptina from files, scripts, and ransom notes, and converted the existing documentation into a "lite" format; everything else remained unaltered.
In addition to Mallox Linux 1.0, researchers discovered several other tools on the threat actor's server, including:
- A legitimate Kaspersky password-reset utility (KLAPR.BAT)
- An exploit for CVE-2024-21338, a privilege escalation vulnerability in Windows 10 and 11
- Elevated-privilege PowerShell scripts
- Java-based payload droppers for Mallox
- Disk image files containing the Mallox payload
- Data files on 14 possible victims
At present, it is unclear whether the Linux variant covered in our earlier research is being used alongside the Mallox Linux 1.0 variant by one affiliate, several affiliates, or all Mallox ransomware operators.
Impact
- Privilege Escalation
- Financial Loss
- Sensitive Data Theft
Indicators of Compromise
Domain Name
- grovik71.theweb.place
IP
- 185.73.125.6
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Implement robust multi-layered security measures to detect and respond to ransomware and cyber espionage activities.
- Conduct regular security assessments and penetration testing to identify and mitigate vulnerabilities in critical infrastructure and government systems.
- Deploy advanced threat detection tools, such as Endpoint Detection and Response (EDR) and Network Traffic Analysis (NTA), to monitor for suspicious activities and anomalies.
- Ensure timely patching and updating of all software and systems to close known security gaps.
- Use multi-factor authentication (MFA) and strong password policies to protect user accounts from unauthorized access.
- Segment networks to limit lateral movement within the organization in case of a breach.
- Develop and maintain an incident response plan that includes procedures for ransomware attacks and data breaches.
- Train employees on cybersecurity best practices and phishing awareness to reduce the risk of social engineering attacks.
- Regularly back up critical data and ensure backups are stored securely and are not accessible from the primary network.
- Collaborate with cybersecurity firms and government agencies for threat intelligence sharing and coordinated defense strategies.
- Implement encryption for sensitive data at rest and in transit to protect against data theft.
- Limit access to critical systems and data to only those individuals who require it for their role.
- Monitor for and immediately investigate the presence of known malware and indicators of compromise associated with state-sponsored groups.
- Engage in regular cybersecurity drills and exercises to ensure readiness for potential cyber incidents.
- Ensure legal and compliance measures are in place, particularly for industries subject to specific regulatory requirements.
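To support the IoC-search step above, here is an added example (not part of the advisory or the researchers' tooling): a small Python scanner that parses an advisory-style hash list (one `- <hex>` digest per line, typed by length as MD5, SHA-1 or SHA-256), walks a directory tree, and flags any file whose digest matches. The sample files and indicators in `demo()` are constructed inline; in practice `load_iocs` would be fed the advisory's real hash lists.

```python
import hashlib
import tempfile
from pathlib import Path

ALGOS = ("md5", "sha1", "sha256")

def hash_file(path):
    """Return {algo: hexdigest} for one file, streamed so large disk images work."""
    hashers = {a: hashlib.new(a) for a in ALGOS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for h in hashers.values():
                h.update(chunk)
    return {a: h.hexdigest() for a, h in hashers.items()}

def load_iocs(text):
    """Parse advisory-style '- <hex>' lines into {algo: set}, typed by digest length."""
    by_len = {32: "md5", 40: "sha1", 64: "sha256"}
    iocs = {a: set() for a in ALGOS}
    for line in text.splitlines():
        token = line.strip().lstrip("-").strip().lower()
        algo = by_len.get(len(token))
        if algo and all(c in "0123456789abcdef" for c in token):
            iocs[algo].add(token)
    return iocs  # headers, domains and IPs are skipped: wrong length or non-hex

def scan_tree(root, iocs):
    """Return [(path, algo, digest)] for every file under root whose hash is an IoC."""
    hits = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        for algo, digest in hash_file(path).items():
            if digest in iocs[algo]:
                hits.append((str(path), algo, digest))
    return hits

def demo():
    """Constructed sample: one 'known bad' file and one benign file in a temp dir."""
    with tempfile.TemporaryDirectory() as root:
        bad, good = Path(root, "payload.bin"), Path(root, "notes.txt")
        bad.write_bytes(b"constructed sample payload\n")
        good.write_bytes(b"harmless\n")
        digests = hash_file(bad)  # pretend these digests were published as IoCs
        ioc_text = f"MD5\n- {digests['md5']}\nSHA-256\n- {digests['sha256']}\n"
        hits = scan_tree(root, load_iocs(ioc_text))
    return sorted((Path(p).name, algo) for p, algo, _ in hits)
```

Hash matching only catches byte-identical samples; pair it with the EDR and behavioural monitoring the list above recommends, since a rebuilt or repacked payload will not share these digests.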