URL: https://www.sentinelone.com/labs/kryptina-raas-from-unsellable-cast-off-to-enterprise-ransomware/
Crimeware


KRYPTINA RAAS | FROM UNSELLABLE CAST-OFF TO ENTERPRISE RANSOMWARE

Jim Walter / September 23, 2024


EXECUTIVE SUMMARY

 * Kryptina evolved from a free tool on public forums to being actively used in
   enterprise attacks, particularly under the Mallox ransomware family.
 * In May 2024, a Mallox affiliate leaked staging server data, revealing that
   their Linux ransomware was based on a modified version of Kryptina.
 * The affiliate made superficial changes to source code and documentation,
   stripping Kryptina branding but retaining core functionality.
 * The adoption of Kryptina by Mallox affiliates exemplifies the commoditization
   of ransomware tools, complicating malware tracking as affiliates blend
   different codebases into new variants.
 * This original research was presented by the author at LABScon 2024 in
   Scottsdale, Arizona.


BACKGROUND

In February of 2024, SentinelOne posted a write-up on Kryptina
Ransomware-as-a-Service, a free and open-source RaaS platform written for Linux.
At the time, Kryptina provided all the components required to host a fully
functional RaaS platform. This included the ability to automate payloads, manage
multiple groups and campaigns nested within, as well as configure the ransom
payment requirements such as the amount and type of payment. Despite such
functionality, the offering struggled to attract much interest from dark market
customers.

In May 2024, an affiliate of the Mallox RaaS exposed one of their staging
servers. As a result of this leak, we identified Kryptina RaaS to be the
platform on which the affiliate’s Linux variants were based. The affiliate
threat actor referred to this Linux variant as “Mallox v1.0”. This ‘evolution’
of Kryptina is notable in a rags-to-riches sort of way. In the span of a few
months, the tool went from an unsellable give-away in public forums to being
observed in active SMB/Enterprise attacks.

In this research, we explore the data exposed in the open directory leak,
detailing differences between the original Kryptina RaaS (v2.2) and the modified
version branded under the Mallox moniker.


BRIEF HISTORY OF KRYPTINA & MALLOX

Mallox (aka TargetCompany) ransomware is a longstanding, enterprise-focused
RaaS. The family emerged in 2021 and is sometimes referred to as FARGO, XOLLAM,
or BOZON, after the extension appended to encrypted files in some variants.
Mallox operators are known to opportunistically target ‘timely’ vulnerabilities
(e.g., in MSSQL Server). Individual affiliate behavior varies, though this style
of exploitation, along with brute-force attacks to establish initial access, is
common across Mallox campaigns.

Kryptina was first offered for sale by the “Corlys” identity in December 2023.
The price for the full suite, at the time, was $500.00, and later raised to
$800.00. In February 2024, “Corlys” put a halt to the active sales of Kryptina,
and subsequently posted the full source code to BreachForums.

In May 2024, an open directory containing staged payloads along with Mallox
builder tools and source was discovered. This staging server was set up by a
Mallox affiliate and hosted a number of attacker-related tools.

First discovery of an open directory on Mallox affiliate server

The staging server, hosted on 185[.]73.125[.]6, contained numerous archives and
payloads specific to the Windows version of Mallox.

Mallox staging server with web application and source

However, the affiliate’s server also contained all the (modified) source files
for Kryptina, including the accessible web server and interface for building
Mallox Linux (Kryptina) payloads, and managing separate infection campaigns.

Kryptina source files in Mallox leak
Kryptina database in Mallox leak

The use of Kryptina by this affiliate appears to be singular: other Linux
variants of Mallox are not based on Kryptina, further complicating the
relationship between Kryptina and Mallox.


CUSTOMIZING KRYPTINA

Encryption and decryption routines in “Mallox Linux 1.0” are identical to
original Kryptina. To recap from our previous write-up:

“Individual file encryption is achieved through use of AES256 in CBC mode. The
keys and configuration data are obfuscated via XOR and then base64 encoded (the
XOR key depends on the value set in the builder or scripts). The
krptna_process_file() function is responsible for the file encryption. This
function is a typical implementation of file encryption/decryption using the
AES-256-CBC algorithm in OpenSSL.

This function initializes an OpenSSL cipher context via EVP_CIPHER_CTX_new().
This is passed to the appropriate function, depending on what mode was chosen in
the builder configuration (demo mode, etc.). File input and output streams are
processed via EVP_CipherUpdate(), which transforms unencrypted file data to
encrypted data in the output buffer. This is then written to the final output
file (as the modified/encrypted file). EVP_CipherFinal() finalizes the process,
handling any padding (integral to CBC mode).

All the legacy Kryptina code is included in the /src folder of the affiliate's
server, with the files themselves even retaining the Kryptina naming conventions
and references to known functions (e.g., krptna_process_file()).”

Kryptina-specific functions in Mallox Linux 1.0
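The XOR-then-base64 wrapping of keys and configuration described in the quoted passage, modelled in Python as an added example (this is not Kryptina or Mallox source). It assumes a repeating-key XOR with a single-byte key as the simplest case, and a JSON builder config as the wrapped object; neither detail is stated on the page. The decode direction is what an analyst needs when pulling the config out of a sample, and the brute-force routine shows why the XOR layer buys the operator nothing once the plaintext is structured:

```python
"""XOR-then-base64 wrapper modelled on the description of Kryptina's key/config obfuscation.

Added illustration for this write-up; it is not Kryptina or Mallox source. Assumptions
(not stated on the page): the XOR key is applied as a repeating byte string, a single
byte being the simplest case, and the wrapped object is the builder's JSON config.
"""
import base64
import json

# Builder field names taken from the config.json list in the write-up; the values
# other than extension/bitcoin are constructed for this example.
SAMPLE_CONFIG = {
    "name": "example-target",
    "extension": ".lmallox",
    "bitcoin": "18CUq89XR81Y7Ju2UBjER14fYWTfVwpGP3",
    "amount": 500.0,
    "xor_key": 90,          # 0x5A, assumed single-byte key (see note above)
    "jobs": 4,
    "secdel": False,
}


def xor_bytes(data: bytes, xor_key: bytes) -> bytes:
    """Repeating-key XOR; XOR is its own inverse, so this serves both directions."""
    if not xor_key:
        raise ValueError("empty XOR key")
    return bytes(b ^ xor_key[i % len(xor_key)] for i, b in enumerate(data))


def obfuscate(config: dict, xor_key: bytes) -> str:
    """Builder side: serialise, XOR, then base64 (the order the write-up describes)."""
    plain = json.dumps(config, separators=(",", ":")).encode()
    return base64.b64encode(xor_bytes(plain, xor_key)).decode()


def deobfuscate(blob: str, xor_key: bytes) -> dict:
    """Analyst side with a known key: base64-decode, XOR, parse."""
    return json.loads(xor_bytes(base64.b64decode(blob), xor_key).decode())


def looks_like_builder_config(candidate: bytes) -> bool:
    """Accept only a JSON object that carries builder field names from the write-up."""
    try:
        obj = json.loads(candidate.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return False
    return isinstance(obj, dict) and {"extension", "bitcoin"} <= obj.keys()


def recover_single_byte_key(blob: str) -> list[int]:
    """With the xor_key unknown, a single-byte key falls to brute force because the
    plaintext is structured: only the right key yields a parseable config."""
    raw = base64.b64decode(blob)
    return [k for k in range(256) if looks_like_builder_config(xor_bytes(raw, bytes([k])))]


if __name__ == "__main__":
    blob = obfuscate(SAMPLE_CONFIG, bytes([SAMPLE_CONFIG["xor_key"]]))
    print("wrapped config:", blob)
    print("recovered XOR key candidates:", recover_single_byte_key(blob))
    print("decoded:", deobfuscate(blob, b"\x5a"))
```

The same brute force does not work on the raw 32-byte AES key on its own: random bytes look equally random under every candidate XOR key, so key recovery has to go through the config (or through the binary's use of the key), not through the obfuscation. Obfuscation of this kind protects nothing at rest; it only keeps the strings out of a casual strings pass.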

With the exception of the aforementioned Kryptina database, the Kryptina
branding has been stripped from most of the source and support files for “Mallox
Linux 1.0”.

Mallox Linux 1.0 documentation

Documentation for the Kryptina-derived Mallox variant is included, though it
is a distilled version of the original Kryptina documentation. The original
Kryptina PDF (SHA1: d46fbc4a57dce813574ee312001eaad0aa4e52de) has been slimmed
down and included as docs.md. The included sections have been translated from
the original English into Russian.

Original Kryptina RaaS documentation
Modified Mallox Linux 1.0 documentation

The updated Mallox Linux 1.0 documentation contains sections covering basic
features, environmental setup (dependencies and version affinities), along with
setup and configuration of phpMyAdmin and the backend DB (MySQL).

Mallox Linux 1.0 dependencies
Mallox Linux 1.0 DB (MySQL) configuration

The affiliate made a few changes to the Kryptina source files and scripts in
order to remove references to Kryptina and associate the comments and naming
conventions to those of Mallox.

Ransom note templates are structured similarly to the original Kryptina version.
The \note folder on the affiliate server contains the template source, which can
be customized directly or via the Kryptina web UI. The template for the ransom
note was updated to remove the Kryptina 2.x references, replacing them with
Mallox v1.0.

Kryptina original ransom note template
Mallox 1.0 ransom note template

The main source files for “Mallox 1.0” were held in the /src folder of the
affiliate server. The original names of the encryptor and decryptor source files
(kryptina.c and kryptina.h) retain the Kryptina-centric names. The only
operational change to the Kryptina encryptor code is the updating of printed
output in Debug mode (updated to Mallox). Aside from changing comments in the
file to reference Mallox, and removing references to the Kryptina author
(“Corlys”), the source is unchanged.

Mallox 1.0 src, with KRPTNA_DEBUG printf -> Mallox
Original Kryptina 2.2 kryptina.c source file
Mallox 1.0 kryptina.c source file

Kryptina’s original scripting_demo.py file provided threat actors with a way to
build Linux payloads via the command line. All the requisite fields are provided
in the template, which allows for quick and automated builds. While these
scripted builds are not reflected in the web UI, they can be a valuable tool for
a threat actor wanting to streamline the automation of new builds over time. The
scripting_demo.py file has been minimally updated, again to reflect Mallox
branding over Kryptina. References to “Corlys” have been removed as well.

Original Kryptina scripting_demo.py source file
Mallox 1.0 scripting_demo.py source file


COMPARING KRYPTINA AND MALLOX MAKEFILES

The makefile is used when building encryptor and decryptor payloads. This can be
called directly via script, or via the web UI while building payloads within
campaigns.

Kryptina (and subsequently Mallox 1.0) supports multiple modes within the
compiled payloads. These are:

 * demo – builds a demo version of Kryptina, no encryption
 * debug – provides customized debug output
 * symbols – provides debug build with debug symbols (-ggdb3)
 * arch32 – output 32-bit payload

Additional parameter values are provided for other conditions present in the
builder. These include the XOR key used for encoding the encrypted configuration
data within payloads (xor), the thread count to use during the encryption
process (jobs), toggling of the self-deletion feature (persist), and a file-size
constraint (maxsize) enforced during encryption (i.e., the maximum size of a
file the payload will attempt to process). Secure deletion (a wiper-esque
capability) can be toggled via the secdel parameter.

Example makefiles from the original Kryptina package and the Mallox-modified
package appear as follows:

Kryptina makefile
Mallox Linux 1.0 makefile


VICTIM SUBFOLDERS

The May 2024 affiliate leak also contained target-specific output folders for 14
targets (potential victims). Some of this information was previously detailed
here.

In the \output folder, subfolders exist for each target (unique ‘Target Name’
value).

Output folder on affiliate staging server

Some of these folders contain config.json files (builder configuration)
alongside the matching encryptor/decryptor binary pairs. There are empty folders
as well, meaning those targets were defined, but payloads have yet to be built.

Affiliate output directory with payloads and configs

Each of the config files contains values for all the fields required in the
builder scripts. This includes payment type and addresses. The configuration
JSON contains values for the following:

about, amount, arch32, bitcoin, deadline, debug, demo, extension, ignore, iv,
jobs, key, maxsize, monero, name, nolog, nonote, note, note_name, persist,
recommend, secdel, session, static, symbols, target_id, targets, tox, verbose,
xor_key

Example config.json

Seven of the victim subfolders contained corresponding config.json files and
compiled encryptor & decryptor tools. All of the JSON files have near-identical
values assigned for the requisite fields. All of the targets were configured
with the same payment address (BTC 18CUq89XR81Y7Ju2UBjER14fYWTfVwpGP3). Other
requisite values are repeated across campaigns as well, including the values
for “key”, “bitcoin” and “extension”. The extension on all fully-configured
builds (potentially separate attack campaigns) is .lmallox.

SHA1 Hash                                 Bitcoin                             Extension  Key                                           Amount
fbb89744bc9f65719bd5415dcf1ec9a74b24254e  18CUq89XR81Y7Ju2UBjER14fYWTfVwpGP3  .lmallox   smHKnqN7S1ehBz4zxya6ddwys39PJHbF7LlqIS1+Fq4=  500.0
55dc4541b72a804a7edf324d6a388569a68a2986  18CUq89XR81Y7Ju2UBjER14fYWTfVwpGP3  .lmallox   smHKnqN7S1ehBz4zxya6ddwys39PJHbF7LlqIS1+Fq4=  500.0
78c27c7ac1da97dc822b4af7be5f15d68f9c5e4f  18CUq89XR81Y7Ju2UBjER14fYWTfVwpGP3  .lmallox   smHKnqN7S1ehBz4zxya6ddwys39PJHbF7LlqIS1+Fq4=  500.0
d94f890a8c92cbce50d89da2792bcfc24894c004  18CUq89XR81Y7Ju2UBjER14fYWTfVwpGP3  .lmallox   smHKnqN7S1ehBz4zxya6ddwys39PJHbF7LlqIS1+Fq4=  500.0
16ec82ac2caf0c2e4812a636dbff4bd8ef84d5c3  18CUq89XR81Y7Ju2UBjER14fYWTfVwpGP3  .lmallox   smHKnqN7S1ehBz4zxya6ddwys39PJHbF7LlqIS1+Fq4=  500.0
66cab82b64fbb03fecf7ca7f9ed295404a9bfe2b  18CUq89XR81Y7Ju2UBjER14fYWTfVwpGP3  .lmallox   smHKnqN7S1ehBz4zxya6ddwys39PJHbF7LlqIS1+Fq4=  500.0
0bbd9a8ddbb68e2658ea4c0a4106c7406a392098  18CUq89XR81Y7Ju2UBjER14fYWTfVwpGP3  .lmallox   smHKnqN7S1ehBz4zxya6ddwys39PJHbF7LlqIS1+Fq4=  500.0

The configuration files also contain the full text template for the ransom
notes, with associated Client IDs and additional communication channels,
including a Tox ID:

Tox ID: 290E6890D02FBDCD92659056F9A95D80854534A4D76EE5D3A64AFD55E584EA398722EC2D3697

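A triage script for the config.json files in such an output folder, added here as an example (it is not the affiliate's tooling and not SentinelOne code). Field names follow the list above; the three configs and the empty target folder are constructed, reusing the BTC address, key, extension, amount and Tox ID reported on this page, and the placement of the Tox ID inside the note text is an assumption. It checks that each key decodes to 32 bytes (consistent with the AES-256 the encryptor uses), clusters targets that share a wallet or key, and harvests Tox IDs:

```python
"""Triage of builder config.json files recovered from a leaked Kryptina/Mallox output folder.

Added example; not the affiliate's tooling and not SentinelOne code. Field names are the
ones the write-up lists for config.json. The sample configs are constructed for this
example; the BTC address, key, extension, amount and Tox ID reuse the values reported on
the page, and the note text embedding the Tox ID is an assumed layout.
"""
import base64
import collections
import json
import re
import tempfile
from pathlib import Path

PAGE_BTC = "18CUq89XR81Y7Ju2UBjER14fYWTfVwpGP3"
PAGE_KEY = "smHKnqN7S1ehBz4zxya6ddwys39PJHbF7LlqIS1+Fq4="
PAGE_TOX = "290E6890D02FBDCD92659056F9A95D80854534A4D76EE5D3A64AFD55E584EA398722EC2D3697"


def make_config(name: str, **overrides) -> dict:
    base = {"name": name, "target_id": name, "extension": ".lmallox", "bitcoin": PAGE_BTC,
            "key": PAGE_KEY, "amount": 500.0, "tox": PAGE_TOX,
            "note": f"Your files are encrypted. Contact us via Tox: {PAGE_TOX}"}
    base.update(overrides)
    return base


# Constructed: two builds share wallet and key (as the leak showed), a third differs.
SAMPLE_TREE = {
    "acme-corp": make_config("acme-corp"),
    "globex": make_config("globex"),
    "initech": make_config("initech", bitcoin="1ExampleOtherWalletNotOnThePage",
                           key=base64.b64encode(b"\x01" * 16).decode(), tox="",
                           note="no contact given"),
}


def build_sample_tree() -> Path:
    """Write the constructed configs to a temp dir shaped like the leaked output folder,
    plus one empty target folder (targets defined but never built, as seen in the leak)."""
    root = Path(tempfile.mkdtemp(prefix="mallox-output-"))
    for target, cfg in SAMPLE_TREE.items():
        d = root / target
        d.mkdir()
        (d / "config.json").write_text(json.dumps(cfg))
    (root / "never-built").mkdir()
    return root


def load_configs(root: Path) -> dict[str, dict]:
    """Map target folder name -> parsed config; folders without config.json are skipped."""
    return {p.parent.name: json.loads(p.read_text()) for p in sorted(root.glob("*/config.json"))}


def key_bytes(cfg: dict) -> int:
    """Decoded length of the base64 'key' field. 32 is consistent with AES-256; whether
    the field holds the raw key or an XOR-wrapped form is not stated in the write-up."""
    return len(base64.b64decode(cfg["key"]))


TOX_ID = re.compile(r"\b[0-9A-F]{76}\b")  # Tox IDs are 76 hex characters


def tox_ids(cfg: dict) -> set[str]:
    """Collect Tox IDs from the tox field and from the embedded note template."""
    return set(TOX_ID.findall(cfg.get("tox", ""))) | set(TOX_ID.findall(cfg.get("note", "")))


def shared_values(configs: dict[str, dict],
                  fields=("bitcoin", "key", "extension")) -> dict[str, dict[str, list[str]]]:
    """Per field, the values seen in more than one target: a reused wallet or key means
    the 'separate campaigns' are one actor's builds and can be clustered."""
    out: dict[str, dict[str, list[str]]] = {}
    for f in fields:
        by_value = collections.defaultdict(list)
        for target, cfg in configs.items():
            by_value[str(cfg.get(f))].append(target)
        out[f] = {v: t for v, t in by_value.items() if len(t) > 1}
    return out


def triage(root: Path) -> dict:
    cfgs = load_configs(root)
    return {
        "targets": sorted(cfgs),
        "aes256_key": {t: key_bytes(c) == 32 for t, c in cfgs.items()},
        "shared": shared_values(cfgs),
        "tox": sorted(set().union(*(tox_ids(c) for c in cfgs.values()))),
    }


if __name__ == "__main__":
    print(json.dumps(triage(build_sample_tree()), indent=2))
```

Shared key values across targets are the finding to act on: if the key field is the file-encryption key, as its 32-byte length suggests, a decryptor recovered from one victim would work for the others, and the wallet and Tox reuse ties the separate target folders to one operator.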


WHAT ELSE WAS LEAKED?

The tools identified on the affiliate server were not limited to Linux victims.
A small cache of tools and exploits which target the Windows platform were also
hosted. These are utilized by the threat actor in the early stages of attack,
primarily for beachhead establishment and privilege escalation.

Windows-focused droppers and tools on affiliate leak site

KLAPR.ZIP extracts to KLAPR.BAT (SHA1: 43377911601247920dc15e9b22eda4c57cb9e743).
This tool is provided by the affiliate to assist in neutralizing Kaspersky
endpoint products where needed. The batch file is a copy of the “Kaspersky Lab
AllProducts Password Reset v2.0” tool, a legitimate support tool from Kaspersky
Lab. Specific Kaspersky security products require an application-specific
password before configuration settings can be changed (locally) or other
management tasks performed. This .BAT file resets (nullifies) the stored
password values for a multitude of Kaspersky products.

Exploit code for CVE-2024-21338 is included as well. CVE-2024-21338 is a local
privilege escalation flaw in the Windows 10 and 11 appid.sys (AppLocker) driver,
notable for being usable on systems with HVCI (Hypervisor-Protected Code
Integrity) enabled. This exploit is based on the proof-of-concept code provided
in a write-up from Hakai Security. The same code is also hosted on the
hakaioffsec GitHub repository.

CVE-2024-21338 Exploit Readme

CVE-2024-21338 has been associated with other Mallox campaigns, as well as
Lazarus.

Multiple droppers for Mallox (Windows) are present, including a commented s.ps1
PowerShell script. This script, hosted at the root of the open directory,
provides a template for PowerShell privilege escalation and payload execution.
Some basic environmental discovery commands are included (e.g., Get-WmiObject
-Namespace "root\SecurityCenter2" -Class AntiVirusProduct, which enumerates the
security products registered with Windows Security Center).

s.ps1 script from Mallox affiliate leak
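A small hunt for the security-product enumeration that s.ps1 performs, run over constructed PowerShell ScriptBlock (Event ID 4104) text. This is an added detection example, not from the leak and not SentinelOne detection content; the Get-CimInstance and raw WQL variants are a generalisation of the Get-WmiObject form shown on the page, and the log lines are made up for the example:

```python
"""Hunt for the security-product enumeration that the leaked s.ps1 performs.

Added detection example; not from the leak and not SentinelOne detection content. The
page shows s.ps1 running Get-WmiObject against root\\SecurityCenter2 AntiVirusProduct;
the rule also covers the CIM cmdlet and raw WQL forms of the same query (my
generalisation). The log lines are constructed to resemble PowerShell ScriptBlock
(Event ID 4104) text and are not real telemetry.
"""
import re

# Normalise namespace separators and case so "root\SecurityCenter2",
# 'root/securitycenter2' and ROOT\\SecurityCenter2 all match.
SECURITY_CENTER = re.compile(r"root[\\/]+securitycenter2", re.I)
AV_CLASS = re.compile(r"antivirusproduct", re.I)
WMI_VERBS = re.compile(r"(get-wmiobject|gwmi|get-ciminstance|select\s+\*\s+from)", re.I)


def is_av_enumeration(script_text: str) -> bool:
    """True when one script block names the SecurityCenter2 namespace and the
    AntiVirusProduct class through a WMI/CIM/WQL query; a bare string mention
    of the class name (no query) does not fire."""
    return bool(SECURITY_CENTER.search(script_text)
                and AV_CLASS.search(script_text)
                and WMI_VERBS.search(script_text))


# Constructed 4104-style records: (record id, script block text)
SAMPLE_4104 = [
    (1, 'Get-WmiObject -Namespace "root\\SecurityCenter2" -Class AntiVirusProduct'),
    (2, "gwmi -ns root/securitycenter2 -class antivirusproduct | select displayName"),
    (3, "Get-CimInstance -Namespace ROOT\\SecurityCenter2 -ClassName AntiVirusProduct"),
    (4, 'Get-WmiObject -Query "SELECT * FROM AntiVirusProduct" -Namespace root\\SecurityCenter2'),
    (5, "Get-WmiObject -Class Win32_OperatingSystem | Select-Object Caption"),
    (6, "Write-Host 'AntiVirusProduct'  # string only, no query"),
]


def hunt(records) -> list[int]:
    """Record ids whose script block enumerates registered security products."""
    return [rid for rid, text in records if is_av_enumeration(text)]


if __name__ == "__main__":
    print("AV enumeration in records:", hunt(SAMPLE_4104))
```

Inventory and compliance scripts issue the same query, so treat a hit as a pivot (what else did that host and user run in the same window?) rather than as an alert on its own; the leaked script pairs it with privilege escalation and payload execution, and that combination is what is worth alerting on.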

A Mallox (Windows) dropper named Application.jar (SHA1:
5cf67c0a1fa06101232437bee5111fefcd8e2df4) was also present. This dropper
launches a PowerShell script that downloads a copy of Mallox from the same
server (as id.exe; SHA1: 0f1aea2cf0c9f2de55d2b920618a5948c5e5e119). The
PowerShell commands are embedded as Java bytecode within the nested
MyClass.class, which also contains a reference to the download host at
grovik71.theweb[.]place.

DNS name revealed (grovik71.theweb[.]place)

A copy of the Java JRE (8u401, version 8.0.4010.10), which the Application.jar
dropper needs in order to run, is hosted on the affiliate server.
jre-8u401-windows-x64.exe is the full offline installer of the JRE (SHA1:
dc3f98dded6c1f1e363db6752c512e01ac9433f3).

Finally, multiple additional dropper/payload sets were hosted at the root of the
site. These include packages split for 32 and 64 bit use, and a .LNK-based
dropper for the payloads.

Droppers separated by architecture

Reader.img and Reader+x86.img are compressed disk image files that contain
Mallox (Windows) payloads for 64 and 32 bit systems, respectively. Each of these
images contains the same .LNK launcher (SHA1:
c20e8d536804cf97584eec93d9a89c09541155bc), which is named Reader.lnk.

.LNK Launcher for Mallox (Windows)

The payload contained within these compressed images is named red.exe.

red.exe (x86) - SHA1: 29936b1aa952a89905bf0f7b7053515fd72d8c5c
red.exe (x64) - SHA1: 0f1aea2cf0c9f2de55d2b920618a5948c5e5e119


This instance of the 64-bit payload (SHA1:
0f1aea2cf0c9f2de55d2b920618a5948c5e5e119) is identical to the prior referenced
id.exe and the hosted MSiedge.exe.


CONCLUSION

The Kryptina-derived variants of Mallox are affiliate-specific and separate from
other Linux variants of Mallox that have since emerged, an indication of how the
ransomware landscape has evolved into a complex menagerie of cross-pollinated
toolsets and non-linear codebases.

The adoption of Kryptina – a RaaS given away as a free tool after the
developer’s failure to cash-in on it – by an active Mallox affiliate represents
a kind of ‘levelling-up’ for the malware. More importantly, it demonstrates the
broader trend of ransomware commoditization.

The leakage of powerful tools like the LockBit, Yashma, and Babuk builders along
with Kryptina RaaS has obscured the lineage and proliferation of related malware
families. Individual affiliates introducing different codebases into the mix
further muddies the water, ultimately increasing the level of difficulty when
tracking these tools and understanding the scope of their use and adoption.
Looking forward, we expect to see more outlier platforms like Kryptina being
absorbed into the TTPs leveraged by more advanced threat actors.


IOCS

Files (SHA1)
0b9d2895d29f7d553e5613266c2319e10afdda78
0de92527430dc0794694787678294509964422e6
0e83d023b9f6c34ab029206f1f11b3457171a30a
0f1aea2cf0c9f2de55d2b920618a5948c5e5e119
0f632f8e59b8c8b99241d0fd5ff802f31a3650cd
1379a1b08f938f9a53082150d53efadb2ad37ae5
21bacf8daa45717e87a39842ec33ad61d9d79cfe
262497702d6b7f7d4af73a90cb7d0e930f9ec355
29936b1aa952a89905bf0f7b7053515fd72d8c5c
2b3fc20c4521848f33edcf55ed3d508811c42861
341552a8650d2bdad5f3ec12e333e3153172ee66
43377911601247920dc15e9b22eda4c57cb9e743
58552820ba2271e5c3a76b30bd3a07144232b9b3
5cf67c0a1fa06101232437bee5111fefcd8e2df4
88a039be03abc7305db724079e1a85810088f900
9050419cbecc88be7a06ea823e270db16f47c1ea
93ef3578f9c3db304a979b0d9d36234396ec6ac9
a1a8922702ffa8c74aba9782cca90c939dfb15bf
b07c725edb65a879d392cd961b4cb6a876e40e2d
b27d291596cc890d283e0d3a3e08907c47e3d1cc
b768ba3e6e03a77004539ae999bb2ae7b1f12c62
c20e8d536804cf97584eec93d9a89c09541155bc
c4d988135e960e88e7acfae79a45c20e100984b6
d46fbc4a57dce813574ee312001eaad0aa4e52de
d618a9655985c33e69a4713ebe39d473a4d58cde
dc3f98dded6c1f1e363db6752c512e01ac9433f3
ee3cd3a749f5146cf6d4b36ee87913c51b9bfe93
ef2565c789316612d8103056cec25f77674d78d1
f17d9b3cd2ba1dea125d2e1a4aeafc6d4d8f12dc

Network Comms
185[.]73.125[.]6
grovik71[.]theweb[.]place

Tox ID
290E6890D02FBDCD92659056F9A95D80854534A4D76EE5D3A64AFD55E584EA398722EC2D3697

BTC Address
18CUq89XR81Y7Ju2UBjER14fYWTfVwpGP3
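As a practitioner’s check on the IOC list above (an added example, not code from the SentinelLabs post): a small Python sweep that streams every regular file under a directory through SHA1 and compares it against the published hash set, and that refangs the defanged network indicators so they can be matched against firewall or DNS log lines. The hashes and network indicators are the ones published above; the planted file and the log lines inside demo() are constructed for the demonstration only, and the planted file’s hash is added to the watch set at runtime because no real sample is embedded here.

```python
# Added example, not code from the SentinelLabs post: sweep a directory for files whose
# SHA1 is in the IOC list above and match the (defanged) network IOCs against log lines.
# The sample file and log lines in demo() are constructed; hashes and indicators are the page's.
import hashlib
import os
import re
import tempfile

# File SHA1 hashes from the IOC section (two per line).
KRYPTINA_SHA1 = frozenset("""
0b9d2895d29f7d553e5613266c2319e10afdda78 0de92527430dc0794694787678294509964422e6
0e83d023b9f6c34ab029206f1f11b3457171a30a 0f1aea2cf0c9f2de55d2b920618a5948c5e5e119
0f632f8e59b8c8b99241d0fd5ff802f31a3650cd 1379a1b08f938f9a53082150d53efadb2ad37ae5
21bacf8daa45717e87a39842ec33ad61d9d79cfe 262497702d6b7f7d4af73a90cb7d0e930f9ec355
29936b1aa952a89905bf0f7b7053515fd72d8c5c 2b3fc20c4521848f33edcf55ed3d508811c42861
341552a8650d2bdad5f3ec12e333e3153172ee66 43377911601247920dc15e9b22eda4c57cb9e743
58552820ba2271e5c3a76b30bd3a07144232b9b3 5cf67c0a1fa06101232437bee5111fefcd8e2df4
88a039be03abc7305db724079e1a85810088f900 9050419cbecc88be7a06ea823e270db16f47c1ea
93ef3578f9c3db304a979b0d9d36234396ec6ac9 a1a8922702ffa8c74aba9782cca90c939dfb15bf
b07c725edb65a879d392cd961b4cb6a876e40e2d b27d291596cc890d283e0d3a3e08907c47e3d1cc
b768ba3e6e03a77004539ae999bb2ae7b1f12c62 c20e8d536804cf97584eec93d9a89c09541155bc
c4d988135e960e88e7acfae79a45c20e100984b6 d46fbc4a57dce813574ee312001eaad0aa4e52de
d618a9655985c33e69a4713ebe39d473a4d58cde dc3f98dded6c1f1e363db6752c512e01ac9433f3
ee3cd3a749f5146cf6d4b36ee87913c51b9bfe93 ef2565c789316612d8103056cec25f77674d78d1
f17d9b3cd2ba1dea125d2e1a4aeafc6d4d8f12dc
""".split())

# Network indicators exactly as published (defanged with "[.]").
DEFANGED_NETWORK_IOCS = ("185[.]73.125[.]6", "grovik71[.]theweb[.]place")


def refang(indicator: str) -> str:
    """Undo the usual defanging so the indicator can be matched against raw logs."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def sha1_of_file(path: str, chunk: int = 1 << 20) -> str:
    """Stream the file through SHA1 so large binaries are never read into memory at once."""
    h = hashlib.sha1()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root: str, hashes=KRYPTINA_SHA1) -> dict:
    """Return {path: sha1} for every regular file under root whose digest is in hashes.
    Symlinks are skipped so a planted link cannot drag the scan outside root."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            try:
                digest = sha1_of_file(path)
            except OSError:
                continue  # unreadable file: log it in production, skipped here
            if digest in hashes:
                hits[path] = digest
    return hits


def network_hits(log_lines, iocs=DEFANGED_NETWORK_IOCS) -> list:
    """Return (line, indicator) pairs for log lines that mention a refanged IOC.
    The lookarounds stop 185.73.125.6 from matching 185.73.125.60 or 1185.73.125.6."""
    patterns = [(ioc, re.compile(r"(?<![\w.])" + re.escape(refang(ioc)) + r"(?![\w.])",
                                 re.IGNORECASE)) for ioc in iocs]
    return [(line, ioc) for line in log_lines for ioc, pat in patterns if pat.search(line)]


def demo() -> dict:
    """Constructed demo: one planted file (hash added to the watch set at runtime), one
    benign file, and three constructed log lines. Returns the results for checking."""
    with tempfile.TemporaryDirectory() as root:
        planted = os.path.join(root, "planted.bin")
        with open(planted, "wb") as fh:
            fh.write(b"constructed sample, not a real Kryptina binary\n")
        with open(os.path.join(root, "benign.txt"), "w") as fh:
            fh.write("nothing to see here\n")
        planted_sha1 = sha1_of_file(planted)
        file_hits = sweep(root, KRYPTINA_SHA1 | {planted_sha1})
        file_hit_names = sorted(os.path.basename(p) for p in file_hits)
    logs = [  # constructed log lines
        "2024-02-20T10:01:02 fw deny src=10.0.0.5 dst=185.73.125.6 dport=443",
        "2024-02-20T10:01:09 dns query grovik71.theweb.place from 10.0.0.5",
        "2024-02-20T10:02:00 fw allow src=10.0.0.7 dst=185.73.125.60 dport=80",
    ]
    return {"file_hits": file_hit_names, "planted_sha1": planted_sha1,
            "network_hits": [ioc for _line, ioc in network_hits(logs)]}


if __name__ == "__main__":
    print(demo())
```

Point sweep() at a suspect host’s filesystem (or a mounted image) and network_hits() at exported firewall or resolver logs. A hash match is only as strong as the sample set: a payload rebuilt or repacked from the same leaked builder will not match any of the 29 digests, so treat a clean sweep as absence of these specific files, not absence of Kryptina.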

JIM WALTER

Jim Walter is a Senior Threat Researcher at SentinelOne focusing on evolving
trends, actors, and tactics within the thriving ecosystem of cybercrime and
crimeware. He specializes in the discovery and analysis of emerging cybercrime
"services" and evolving communication channels leveraged by mid-level criminal
organizations. Jim joined SentinelOne following ~4 years at a security start-up,
also focused on malware research and organized crime. Previously, he spent over
17 years at McAfee/Intel running their Threat Intelligence and Advanced Threat
Research teams.

©2024 SentinelOne, All Rights Reserved.