This Windows malware is now evolving to target Linux systems

The analysis of the tool led the researchers to conclude that Mallox Linux 1.0 is actually a rebrand of the Kryptina encryptor. Kryptina was built last year by a threat actor alias “Corlys”, who tried to rent the tool for roughly $800. However, since the cybercriminal community did not show much interest in the tool, Corlys shared it for free, in hopes that someone might pick it up.

TargetCompany

Now, it seems Mallox did, since the new variant uses Kryptina’s source code, the same encryption mechanism (AES-256-CBC), and the same decryption routines. Furthermore, it uses the same command-line builder and configuration parameters, too. Therefore, Mallox devs only changed the name and appearance of the encryptor, and removed any mention of Kryptina from the documents. Everything else is left unchanged.

For now, there is no word on potential victims, but in their analysis, researchers from Kaspersky said Mallox affiliates “do not restrict their activities to a specific country”. Instead, they attack vulnerable companies wherever they are. However, the majority of the firms struck by a variant of Mallox are located in either Brazil, Vietnam, or China.

The ransomware is also known as Fargo, or TargetCompany, and has been active in one form or another since June 2021. At first, it was targeting mostly unsecured MS-SQL servers, Sekoia found. Another Mallox hallmark is to threaten the victims, especially those in the European Union, about potential GDPR violations.

Between October 2022 and March 2023, its affiliates stole data from at least 20 organizations.

Via BleepingComputer

More from TechRadar Pro

• Visa warns dangerous new malware is attacking financial firms
• Here's a list of the best firewall software around today
• These are the best endpoint security tools right now