The Mallox Ransomware Gang's Attack on Contec Systems

The Mallox ransomware gang has attacked Contec Systems. Contec Systems is an environmental reporting company founded in 1990 and headquartered in Pottstown, Pennsylvania, USA. Mallox posted Contec Systems to its data leak site on July 29th, threatening to publish all stolen data by August 10th if the organization fails to pay the ransom.

Mallox is an emerging RaaS that first emerged in October of 2021 using a ransomware variant dubbed “tohnichi” for its file extension. The group then introduced a variant that appended files with “.mallox” which resulted in most researchers calling the group “Mallox.” Mallox was notable for its swift encryption speed, ability to bypass security tools like Windows Defender, and deletion of Shadow Copies to thwart encryption rollback.

Increasing Attack Volume and Ransom Demands

Mallox attack volume was low but began to accelerate in late 2022 and continues to increase in Q1-2023. There is not much info on how much Mallox demands for ransoms, but they appear to be relatively low compared to leading threat actors (in the thousands of dollars). Still, they are a newer group that has only recently started to recruit affiliates, and they are constantly improving their malware, so we expect ransom demands to increase.

Unique Delivery Methods and Advanced Techniques

Mallox employs a unique delivery method for the ransomware payload that does not require a loader but instead uses a batch script to inject into the “MSBuild.exe” process in memory to evade detection. Mallox has been observed using advanced TTPs like DLL hijacking, which is not common to ransomware attacks. Mallox uses the Chacha20 algorithm for encryption. In 2023, they began using a variant that appends with “.xollam” which leverages malicious OneNote file attachments for infection, where earlier variants targeted vulnerable MS SQL instances.

Recruitment and Targeting Strategy

Mallox only recently appears to be recruiting affiliates for a RaaS platform, so this group is one to watch. Mallox has hit some critical infrastructure IT providers but seems to be opportunistic, hitting targets primarily in the US and India.

It is unclear if Mallox engages in data exfiltration for double extortion, but they likely will follow other attackers in using this tactic as they develop their RaaS platform.