Mallox Group Claims Ransomware Attack on FICCI

Second Indian company targeted within a month; scrutinizing the claims

On their Tor-based leak site, Mallox Ransomware Group claimed to have compromised networks of the Federation of Indian Chambers of Commerce & Industry (FICCI) on February 23, 2023.

The group released 1.28 GB of compressed data from the compromised dataset on their website. It is presently unknown whether this is the complete dataset exfiltrated by the Mallox group; judging by the group's earlier victim publications, it could be a sample of a larger trove.

FICCI is one of the premier organizations in India, driving industry policy brainstorming and aiding the Government of India in policy changes and formulation from an Indian Industry and International Business standpoint.

The leaked material exposes the official correspondence of various industry representatives involved in policy formulation and in shaping the business environment in India. The ransomware attack on FICCI is therefore significant for the resilience of the Indian economy, which has held up despite global headwinds thanks to policy reforms and strong domestic demand.

Figure 1- Excerpt from Mallox Ransomware Group’s Leak Site Claiming Compromise of FICCI

Cyble Research & Intelligence Labs (CRIL) investigated the leaked samples to ascertain the validity of the claims of Mallox. We identified that the data trove consisted of the following:

  • Financial Balance Sheets for the FY-2018-19 and FY-2019-20 and confidential credit notes from a prominent multinational Investment Bank.
  • Employee Reimbursement Details along with FICCI’s Bank account number and employee’s bank account details
  • GST Invoices and a Statement of Inward Supplies from 2019 to 2022
  • Bank Statements from 2011-12 and internet banking credentials
  • Minutes of the Meetings of Joint Committee on International Cooperation & Advocacy- 2013
  • Consultants hired by FICCI, their payroll information, and ITR documents
  • Vendor Details, including their KYC compliance status
  • Documents related to the following FICCI sub-committees and PII of industry stalwarts from 2022:
    • Communications and Infrastructure
    • Asia Cloud Computing Association (ACCA)
    • Artificial Intelligence Conclave
    • Mobile Manufacturing & Communications
    • Cloud Computing Infrastructure
  • Details of Member Organizations from 2012 to 2018
  • Industry Audit Reports of 2015
  • Documents and Inputs from Banks on “Prevention of Money Laundering (Amendment) Bill, 2008”

Overview of Mallox Ransomware

Mallox ransomware has been active since October 2021 and has evolved its tactics and techniques from the initial "TargetCompany" strain. Its distribution has increased manifold since November 2022. The cybersecurity community has also tracked its strains under the names Bozon and Fargo, after the file extensions seen in earlier campaigns.

The group has also encrypted files with the ".mallox" extension and used the same name in the email addresses given in its ransom notes, and has recently adopted "Mallox" as its name on its leak site.

An analysis of Mallox attacks from the start of 2023 shows a wide geographical spread of victims. In January 2023 the group targeted the Indian conglomerate Navnit Group and 10 more organizations in France, Portugal, Saudi Arabia, Spain, South Korea, Taiwan, Turkey, and the United Arab Emirates, across several industry sectors.

The ransom note provides a 'PrivateSignin' .onion link for contacting the group. The link prompts for a private key unique to each victim organization; on entry it leads to a Tor page showing the target ID (issued by the group to the victim organization), the ransom amount, and, at the bottom of the page, a section to test decrypted files.

CRIL observed a private sign-in page for a recently targeted victim, demanding a ransom of USD 3,000. It appears that the affected organization has not yet paid the ransom.

Figure 2 – Tor-based negotiation page for victim organizations

Mallox ransomware is delivered by an as-yet-unidentified loader, which usually arrives via spam email that entices the targeted user to download the attachment. The same loader is known to deliver other malware families such as AgentTesla, Remcos and Snake Keylogger.

Once the loader runs, it decrypts the AES-encrypted ransomware payload and executes it. The decrypted DLL is additionally obfuscated with the IntelliLock obfuscator to hinder reverse engineering.

Analysis of Mallox's payload suggests that it is capable of targeting critical infrastructure organizations. CRIL released a detailed technical analysis of the Mallox ransomware group in December 2022.

Our Recommendations

We have listed some of the essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:

Safety Measures Needed to Prevent Ransomware Attacks

  • Conduct regular backup practices and keep those backups offline or in a separate network.
  • Turn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic.
  • Use a reputed anti-virus and Internet security software package on your connected devices, including PC, laptop, and mobile.
  • Refrain from opening untrusted links and email attachments without verifying their authenticity.

Users Should Take the Following Steps After a Ransomware Attack

  • Disconnect infected devices from the network.
  • Disconnect external storage devices if connected.
  • Inspect system logs for suspicious events.

Impact and Criticality of Ransomware

  • Loss of valuable data.
  • Loss of the organization's reputation and integrity.
  • Loss of the organization's sensitive business information.
  • Disruption of the organization's operations.
  • Monetary loss.

MITRE ATT&CK® Techniques

Tactic | Technique ID | Technique Name
Execution | T1204 | User Execution
Defense Evasion | T1140 | Deobfuscate/Decode Files or Information
Defense Evasion | T1562 | Impair Defenses
Discovery | T1082 | System Information Discovery
Discovery | T1083 | File and Directory Discovery
Impact | T1486 | Data Encrypted for Impact
Command and Control | T1071 | Application Layer Protocol
Exfiltration | T1020 | Automated Exfiltration

Indicators of Compromise (IoCs)

Indicators | Indicator Type | Description
476fc5f04f7ca8d407ade22497b8bfd1 | MD5 | Mallox Loader
9dcd787c7bbd0a679f1e0cae54fddd399177fb64 | SHA1 | Mallox Loader
e5711e041c2dc4e78f1bc5808441863b7a777ecfbdace4943202224c7fec778f | SHA256 | Mallox Loader
61e2b1f72fe01847578f2ed8572b23e5 | MD5 | Mallox Loader
e9594fdb3c64c0a3254f929ba7ad6feea40f40ea | SHA1 | Mallox Loader
eb7480822f32679a558f8ea2b0a09ba7531003ea4c2644d6e7804478add7bddc | SHA256 | Mallox Loader
dd55605300ab06aa88681158c3d62c00 | MD5 | Mallox Loader
84266949120096817fb371cbb11b9f5539804347 | SHA1 | Mallox Loader
df30d74ab6600c1532a14c53a7f08f1afd41ec63cf427a4b91b99c3c2524caba | SHA256 | Mallox Loader
e49cb590be669ff1ce1d0b40f17e773f | MD5 | Mallox Loader
e2ca16433df7b2062f0fe8b5c6bc93c6eb02bcae | SHA1 | Mallox Loader
7b6d71a2330ee5ab5b64ee9b6d01f0789e0e97696407c12ad7c60c4b6f1e70fa | SHA256 | Mallox Loader
70c464221d3e4875317c9edbef04a035 | MD5 | Mallox Loader
8a1d92c8e5b7a5b3a6a34137c9eee01f89cd5564 | SHA1 | Mallox Loader
6c743c890151d0719150246382b5e0158e8abc4a29dd4b2f049ce7d313b1a330 | SHA256 | Mallox Loader
cf643208768ac6b039b5cd115f3deba4 | MD5 | Mallox Loader
89fa5de742ced51e3f72fddba7f2def427bae251 | SHA1 | Mallox Loader
3496b6b45631550e0e27bf37da9e170bee3d0423365fb99e3f644a266c126c44 | SHA256 | Mallox Loader
eed05caef1c5de03a9562c5e0a201db9 | MD5 | Mallox Loader
d89d4fd7c4e122ad8907a63c81ad29451d2b5aae | SHA1 | Mallox Loader
fdfad320b77c94d91123a7bb8f1efdf9f835b0c1fd093fa8ead23bfbc8ce04e2 | SHA256 | Mallox Loader
f8c7c54fc25c5bdcf08f778b362fab72 | MD5 | Mallox Loader
378044cb569c6f40202296b756b49957fb22adb1 | SHA1 | Mallox Loader
a340ef5adb00a2bf1a0735600491ca98ac8045b57db892dedc27575a53b25056 | SHA256 | Mallox Loader
8c96e1c25129b41f52957c309d270132 | MD5 | Mallox Loader
87c250d3b4a1f67c78ea086ecf7e8909240a3832 | SHA1 | Mallox Loader
186abb7d786ce7f21e4e23af2581d052b6787b5c99fdea4e740fed221433b277 | SHA256 | Mallox Loader
4e05b8574d804c37b9c6d946a6149807 | MD5 | Mallox Loader
b518b544c2935e205e68f8000a6b4ec09ffcb5a1 | SHA1 | Mallox Loader
2249b76a9326209a165cef9d04ad89582811842bcc2b22dd4aca7dd0663f5e52 | SHA256 | Mallox Loader
7de6274aafaaf278943be3bfa3fdbb05 | MD5 | Mallox Loader
1162b2db33c1da496ef4f0719d8c962d2efe3a11 | SHA1 | Mallox Loader
c09936f39188511ae2a855ec5dcb74c0970f88249cc4402ce3e2672cff4144b3 | SHA256 | Mallox Loader
1be9d27aba6bc913c4be6725758cea05 | MD5 | Mallox Loader
79fff9fe3cc1ff9de06d6881c03effebdeef735d | SHA1 | Mallox Loader
32e214baf2ebb523692647a0a2cec76d3104a0f56b511c34f01a959bee0e4ce5 | SHA256 | Mallox Loader
80ad5ed911447f629b040f45b1940f09 | MD5 | Mallox Loader
2751156114727fef4340d9278844bff12c7843da | SHA1 | Mallox Loader
daf2b66a2a795c09a18efac97a9a2131a6b1fd4e46a1a9df1372089dba2c88f0 | SHA256 | Mallox Loader
980ea1789565f4a365e180413383e083 | MD5 | Mallox Loader
980f0eb6db868e2a92fb5973874fc332fa75d7a7 | SHA1 | Mallox Loader
10f96f64659415e46c3f2f823bdb855aab42d0bfced811c9a3b72aea5f22d880 | SHA256 | Mallox Loader
b91fc668dcef3f793a8e62f39559d34c | MD5 | Mallox Loader
5e77421dcde6cb34e06934a852880d019929ad4e | SHA1 | Mallox Loader
651fa2efb001fc59208ab90bd7a618884d50d6d5873a2a631d05ad84bec9f7e8 | SHA256 | Mallox Loader
f6315874a5b4c17036793129abbb4e2c | MD5 | Mallox Loader
aabfd6d98b35de1c762083e2c20422d6f76b656c | SHA1 | Mallox Loader
dfc579efc1a87c44f7f24de68f078d0c7ff4fbd2ebfd4819f8181d3c87c9d557 | SHA256 | Mallox Loader
880b8bdef9cad4e4ab6e87aeb5c0409b | MD5 | Mallox Loader
0a1db2c0c1628f180752168f493220334ae9b1a4 | SHA1 | Mallox Loader
1a1c2a1b5fde3a33d831c47889afe3bb64cf1509082c310c72b9a659f9951d2c | SHA256 | Mallox Loader
10b24b5ee73d3baa14948cee6a0f1dc6 | MD5 | Mallox Loader
180bce263041cbf7f657f8839d4a43108340494c | SHA1 | Mallox Loader
56af6422d42d3f15ac583496ce44a506115c31226713a11907c044236accf4cb | SHA256 | Mallox Loader
1de2c0025a957604d87027718220c4ca | MD5 | Mallox Loader
300104eecf1e9a235b0b903897ad9d9dda885275 | SHA1 | Mallox Loader
6b8cb18a9249c74a7a13023959fa2c703caa6a43e2914152e8c18edf429486dd | SHA256 | Mallox Loader
3e7b527b02f4c9d8e73b2dedffbe6519 | MD5 | Mallox Loader
db4d167c06270ed8ca86024efe5646326f4ed049 | SHA1 | Mallox Loader
4ed74a205fad15c843174d7d8b30ae60a181e79f31cc30ebc683072f187e4cdd | SHA256 | Mallox Loader
31ffe45624ad0580ad28b0e6730386fb | MD5 | Mallox Loader
d555607e0109101a6dc439a312886675c28d1f82 | SHA1 | Mallox Loader
6333dc9f7a3de2c6ff7ba23b747687f873a634dfe017fba2cc47a38087bc0c9f | SHA256 | Mallox Loader
128a32f8bf4c3cfc9f3ab279b4f9f7ee | MD5 | Mallox Loader
4b0daae2c43719757fbca2693e15fe51b5afb47a | SHA1 | Mallox Loader
c9f989c41d951b7cf7de38c98495babf9740151b39e7fdf155b6dbe71f7bcaed | SHA256 | Mallox Loader
f35637b4f12791be05b984a309c49903 | MD5 | Mallox Loader
0cf514a80d4bf94b65ea33693211bfae3db543e5 | SHA1 | Mallox Loader
fbc936ab18ea79daf3f1e3a4b802891dfe4e060589f8f970636f461d29c14d76 | SHA256 | Mallox Loader
50e42230ad3270f4044afeba46f46f76 | MD5 | Mallox Loader
25346f0b253967c99570b9d6b85bf349744e6416 | SHA1 | Mallox Loader
e7e00e0f817fcb305f82aec2e60045fcdb1b334b2621c09133b6b81284002009 | SHA256 | Mallox Loader
c2768224fb049a2c3844733b01d91331 | MD5 | Mallox Loader
54e4a424470a8268be77c77a5a481c5112561a4b | SHA1 | Mallox Loader
fbf2c439ef9f75ee7adcb9c94cff77b430637c070c2eac6fada4a437e96262e3 | SHA256 | Mallox Loader
7a090b4e4fcc1a3978c591e27e7ae558 | MD5 | Mallox Loader
6bc212ea2dc0b42ce2c72af24830ce670ff459f1 | SHA1 | Mallox Loader
27505da467a55676d599fc54e101cecb22b3bd6febfa21ba5dab303122099a7e | SHA256 | Mallox Loader
b377ba0326b9a58d90e25b178bd5dc09 | MD5 | Mallox Loader
0dab99ba31a2f0a78e48f808af224d8d3c1b869c | SHA1 | Mallox Loader
ad6dc3aa9ad06e69164fc5691cc802541225d4d424be2827d23d04021c67207a | SHA256 | Mallox Loader
c019203f44559de694d77c3e6423d83b | MD5 | Mallox Loader
b85a6a9d030f0cc44b883aa88cee00509cc3b2c6 | SHA1 | Mallox Loader
578b2fb9c2bd0e84e8b281f31e822549e6ea506689fd4033e429aa040e2a3d83 | SHA256 | Mallox Loader
7fd66b28fc1287efb036c1e59f92a139 | MD5 | Mallox Loader
2105486903909431418789cb1bd932ff247644e9 | SHA1 | Mallox Loader
e742f489d2cd2971358580b2f67b01ac290e9ea0c690608d2cd553c51ed398cc | SHA256 | Mallox Loader
fbdb51ec41a66962bbd473e1c77c44cb | MD5 | Mallox Loader
d3b86f9d094b87fa640a3d51a1baec82a357d038 | SHA1 | Mallox Loader
0b8b27387cfee9c9c46064858bb2beab6553b7505a8fe0c468b08dd217d9c0ca | SHA256 | Mallox Loader
120.27.96.112 | IPv4 | Attacker IP
81.161.229.143:45156 | IPv4:port | Attacker IP
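A defender's check against the IoCs in the table above, added here as an example and not part of Cyble's report: it hashes file contents and compares the SHA256 digest with the Mallox loader hashes from the table, walks a directory to flag matching files, and scans log lines for the two attacker IPs. The hash and IP values are copied from the table; the log lines, the directory path and the function names are constructed for illustration.

```python
"""Check local files and logs against the Mallox IoCs from the table above.

Added example, not part of the original report. Hashes and IPs are copied from
the IoC table; the log lines, paths and function names are constructed.
"""
import hashlib
import re
from pathlib import Path
from typing import Dict, Iterable, List, Optional, Set, Tuple

# SHA256 hashes of the Mallox loader samples from the IoC table above.
MALLOX_LOADER_SHA256: Set[str] = {
    "e5711e041c2dc4e78f1bc5808441863b7a777ecfbdace4943202224c7fec778f",
    "eb7480822f32679a558f8ea2b0a09ba7531003ea4c2644d6e7804478add7bddc",
    "df30d74ab6600c1532a14c53a7f08f1afd41ec63cf427a4b91b99c3c2524caba",
    "7b6d71a2330ee5ab5b64ee9b6d01f0789e0e97696407c12ad7c60c4b6f1e70fa",
    "6c743c890151d0719150246382b5e0158e8abc4a29dd4b2f049ce7d313b1a330",
    "3496b6b45631550e0e27bf37da9e170bee3d0423365fb99e3f644a266c126c44",
    "fdfad320b77c94d91123a7bb8f1efdf9f835b0c1fd093fa8ead23bfbc8ce04e2",
    "a340ef5adb00a2bf1a0735600491ca98ac8045b57db892dedc27575a53b25056",
    "186abb7d786ce7f21e4e23af2581d052b6787b5c99fdea4e740fed221433b277",
    "2249b76a9326209a165cef9d04ad89582811842bcc2b22dd4aca7dd0663f5e52",
    "c09936f39188511ae2a855ec5dcb74c0970f88249cc4402ce3e2672cff4144b3",
    "32e214baf2ebb523692647a0a2cec76d3104a0f56b511c34f01a959bee0e4ce5",
    "daf2b66a2a795c09a18efac97a9a2131a6b1fd4e46a1a9df1372089dba2c88f0",
    "10f96f64659415e46c3f2f823bdb855aab42d0bfced811c9a3b72aea5f22d880",
    "651fa2efb001fc59208ab90bd7a618884d50d6d5873a2a631d05ad84bec9f7e8",
    "dfc579efc1a87c44f7f24de68f078d0c7ff4fbd2ebfd4819f8181d3c87c9d557",
    "1a1c2a1b5fde3a33d831c47889afe3bb64cf1509082c310c72b9a659f9951d2c",
    "56af6422d42d3f15ac583496ce44a506115c31226713a11907c044236accf4cb",
    "6b8cb18a9249c74a7a13023959fa2c703caa6a43e2914152e8c18edf429486dd",
    "4ed74a205fad15c843174d7d8b30ae60a181e79f31cc30ebc683072f187e4cdd",
    "6333dc9f7a3de2c6ff7ba23b747687f873a634dfe017fba2cc47a38087bc0c9f",
    "c9f989c41d951b7cf7de38c98495babf9740151b39e7fdf155b6dbe71f7bcaed",
    "fbc936ab18ea79daf3f1e3a4b802891dfe4e060589f8f970636f461d29c14d76",
    "e7e00e0f817fcb305f82aec2e60045fcdb1b334b2621c09133b6b81284002009",
    "fbf2c439ef9f75ee7adcb9c94cff77b430637c070c2eac6fada4a437e96262e3",
    "27505da467a55676d599fc54e101cecb22b3bd6febfa21ba5dab303122099a7e",
    "ad6dc3aa9ad06e69164fc5691cc802541225d4d424be2827d23d04021c67207a",
    "578b2fb9c2bd0e84e8b281f31e822549e6ea506689fd4033e429aa040e2a3d83",
    "e742f489d2cd2971358580b2f67b01ac290e9ea0c690608d2cd553c51ed398cc",
    "0b8b27387cfee9c9c46064858bb2beab6553b7505a8fe0c468b08dd217d9c0ca",
}

# Attacker infrastructure from the IoC table (81.161.229.143 was listed with port 45156).
MALLOX_ATTACKER_IPS: Set[str] = {"120.27.96.112", "81.161.229.143"}


def hash_bytes(data: bytes) -> Dict[str, str]:
    """Return lowercase MD5, SHA1 and SHA256 hex digests, the three types the table uses."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def is_known_loader(data: bytes, known: Set[str] = MALLOX_LOADER_SHA256) -> Optional[str]:
    """Return the matching SHA256 if data is one of the listed loader samples, else None."""
    digest = hash_bytes(data)["sha256"]
    return digest if digest in {h.lower() for h in known} else None


def scan_directory(root: str, known: Set[str] = MALLOX_LOADER_SHA256) -> List[Tuple[str, str]]:
    """Hash every regular file under root and return (path, sha256) for each IoC hit."""
    hits: List[Tuple[str, str]] = []
    for path in Path(root).rglob("*"):
        if path.is_file():
            match = is_known_loader(path.read_bytes(), known)
            if match:
                hits.append((str(path), match))
    return hits


IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def find_attacker_ips(lines: Iterable[str],
                      known_ips: Set[str] = MALLOX_ATTACKER_IPS) -> List[Tuple[int, str]]:
    """Return (line_number, ip) for every log line mentioning a listed attacker IP."""
    hits: List[Tuple[int, str]] = []
    for number, line in enumerate(lines, start=1):
        for ip in IPV4_RE.findall(line):
            if ip in known_ips:
                hits.append((number, ip))
    return hits


# Constructed firewall log lines (not from the report); 203.0.113.10 is a documentation address.
SAMPLE_LOG = [
    "2023-02-21T10:01:12Z fw allow src=10.0.0.15 dst=203.0.113.10 dport=443",
    "2023-02-21T10:02:40Z fw allow src=10.0.0.15 dst=81.161.229.143 dport=45156",
    "2023-02-21T10:03:05Z fw allow src=10.0.0.22 dst=10.0.0.1 dport=53",
    "2023-02-21T10:04:51Z fw allow src=10.0.0.15 dst=120.27.96.112 dport=80",
]

if __name__ == "__main__":
    for number, ip in find_attacker_ips(SAMPLE_LOG):
        print(f"line {number}: connection to listed Mallox attacker IP {ip}")
    # Point this at a quarantine or download directory (constructed path) to hash its files.
    print(scan_directory("./quarantine"))
```

The directory walk only matches exact SHA256 digests, so it detects the listed samples and nothing else; a repacked loader would need behavioural or network detection, which is why the IP check is kept alongside it.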

Disclaimer

All the findings stated in this document have been verified and reviewed via our Enterprise platform, Cyble Vision and HUMINT. These data points and observations are valid and accurate for the period discussed in the report and publication time. Cyble is not liable for any action(s) taken based on these findings and any ensuing consequences.  

This document is created to share our findings and research with the broader cybersecurity community from an academic and knowledge-sharing standpoint. It is in no way an endorsement of the activities described in the report.  

It is an amalgamation of our collective research on this subject and is not directly promoting our brand, platform, or services. This report can be shared freely for academic or knowledge-sharing purposes, provided that Cyble is mentioned as the source of your findings. 
