New Mallox ransomware Linux variant based on leaked Kryptina code

An affiliate of the Mallox ransomware operation, also known as TargetCompany, was spotted using a slightly modified version of the Kryptina ransomware to attack Linux systems.

This version, according to SentinelLabs, is separate from other Linux-targeting variants of Mallox, such as the one described last June by Trend Micro researchers, highlighting the shifting tactics of the ransomware ecosystem.

It is also another sign that Mallox, previously Windows-only malware, is putting Linux and VMware ESXi systems in its crosshairs, marking a significant evolution for the operation.

From Kryptina to Mallox

Kryptina was launched as a low-cost ($500-$800) ransomware-as-a-service (RaaS) platform for targeting Linux systems in late 2023 but failed to gain traction in the cybercrime community.

In February 2024, its purported administrator, using the alias "Corlys," leaked Kryptina's source code for free on hacking forums, where it was presumably picked up by ransomware actors interested in getting their hands on a working Linux variant.

Threat actor leaking the source code
Source: SentinelLabs

After a Mallox affiliate made an operational error and exposed their tools, SentinelLabs discovered that Kryptina had been adopted by the operation and that its source code was being used to build rebranded Mallox payloads.

Kryptina source code on the exposed server
Source: SentinelLabs

The rebranded encryptor, named "Mallox Linux 1.0," uses Kryptina's core source code, the same AES-256-CBC encryption mechanism and decryption routines, and the same command-line builder and configuration parameters.

This means the Mallox affiliate only changed the appearance and name, removed references to Kryptina from ransom notes, scripts, and files, and trimmed the existing documentation into a "lite" form, leaving everything else unchanged.

The Mallox Linux 1.0 ransom note
Source: SentinelLabs

Apart from Mallox Linux 1.0, SentinelLabs found various other tools on the threat actor's server, including:

  • A legitimate Kaspersky password reset tool (KLAPR.BAT)
  • An exploit for CVE-2024-21338, a privilege escalation flaw in Windows 10 and 11
  • Privilege escalation PowerShell scripts
  • Java-based Mallox payload droppers
  • Disk image files containing Mallox payloads
  • Data folders for 14 potential victims

"At this time, it remains unclear whether the Mallox Linux 1.0 variant is being used by a single affiliate, multiple affiliates, or all Mallox ransomware operators alongside the Linux variant discussed in our earlier report," SentinelLabs notes.
