X-Industry

Last February of 2024, researchers at SentinelOne posted a write-up on Kryptina Ransomware-as-a-Service (RaaS), a free and open-source RaaS platform written for Linux.  At the time, Kryptina provided all the components required to host a fully functional RaaS platform.  This included automating payloads, managing multiple groups and campaigns nested within, and configuring the ransom payment requirements, such as the amount and type of payment. Despite such functionality, the offering struggled to attract much interest from dark market customers.

In May 2024, an affiliate of the Mallox RaaS exposed one of their staging servers.  As a result of this leak, Sentinel identified Kryptina RaaS to be the platform on which the affiliate’s Linux variants were based.  The affiliate threat actor called this Linux variant “Mallox v1.0”.  This ‘evolution’ of Kryptina is notable in a rags-to-riches sort of way.  In a few months, the tool went from an unsellable giveaway in public forums to being observed in active SMB/Enterprise attacks.

The below report explores the data exposed in the open directory leak, detailing differences between the original Kryptina RaaS (v2.2) and the modified version branded under the Mallox moniker.

Brief History of Kryptina & Mallox -  Mallox (aka TargetCompany) ransomware is a longstanding, Enterprise-focused, RaaS. The family emerged in 2021 and is sometimes referred to as FARGO, XOLLAM, or BOZON due to the extension appended to encrypted files in some variants.  Mallox operators are known to opportunistically target ‘timely’ vulnerabilities (e.g., MSSQL Server). Individual affiliate behavior will vary, though this exploitation style and brute force attacks to establish initial access are common across Mallox campaigns.  Kryptina was first offered for sale by the “Corlys” identity in December 2023.  The price for the full suite, at the time, was $500.00, and later raised to $800.00.  

In February 2024, “Corlys” halted Kryptina's active sales and subsequently posted the full source code to BreachForums. 

In May 2024, an open directory containing staged payloads, Mallox builder tools, and the source was discovered. This staging server, erected by a Mallox affiliate, hosts several attacker-related tools.

The first discovery of an open directory on the Mallox affiliate server

The staging server, hosted on 185[.]73.125[.]6, contained numerous archives and payloads specific to the Windows version of Mallox.

Mallox staging server with web application and source

However, the affiliate’s server also contained all the (modified) source files for Kryptina, including the accessible web server and interface for building Mallox Linux (Kryptina) payloads, as well as managing separate infection campaigns.

Kryptina source files in Mallox leak

Kryptina database in Mallox leak

The use of Kryptina by this affiliate appears to be singular: other Linux variants of Mallox are not based on Kryptina, further complicating the relationship between Kryptina and Mallox.

Customizing Kryptina - Encryption and decryption routines in “Mallox Linux 1.0” are identical to the original Kryptina. To recap from our previous write-up:  “Individual file encryption is achieved through the use of AES256 in CBC mode. The keys and configuration data are obfuscated via XOR and then base64 encoded (the XOR key depends on the value set in the builder or scripts). The krptna_process_file() function is responsible for file encryption. This function is a typical implementation of file encryption/decryption using the AES-256-CBC algorithm in OpenSSL.  This function initializes an OpenSSL cipher context EVP_CIPHER_CTX_new(). This is passed to the appropriate function, depending on the mode chosen in the builder configuration (demo mode, etc). File input and output streams are processed via EVP_CipherUpdate(), which transforms unencrypted file data to the encrypted data in the output buffer. This is then written to the final output file (as the modified/encrypted file). EVP_CipherFinal finalizes the processes handling any padding (integral to CBC mode).  All the legacy Kryptina code is included in the /src folder of the affiliates server, with the files themselves even retaining the Kryptina naming conventions and references to known functions (e.g., krptna_process_file()).”

Kryptina-specific functions in Mallox Linux 1.0

Except for the aforementioned Kryptina database, the Kryptina branding has been stripped from most of the source and support files for “Mallox Linux 1.0”.

Mallox Linux 1.0 documentation

Documentation for the Kryptina-derived Mallox variations is included, though it is a distilled version of the original Kryptina documentation.  The original Kryptia PDF (SHA1: d46fbc4a57dce813574ee312001eaad0aa4e52de) has been slimmed down and included as docs.md.  Included sections have been translated to Russian from the original English version.

Original Kryptina RaaS documentation

Modified Mallox Linux 1.0 documentation

The updated Mallox Linux 1.0 documentation contains sections covering basic features, environmental setup (dependencies and version affinities), and setup and configuration of phpMyAdmin and the backend DB (MySQL).
Mallox Linux 1.0 dependencies

Mallox Linux 1.0 DB (MySQL) configuration

The affiliate made a few changes to the Kryptina source files and scripts to remove references to Kryptina and associate the comments and naming conventions to those of Mallox.  Ransom note templates are structured similarly to the original Kryptina version. The \note folder on the affiliate server contains the template source, which can be customized directly or via the Kryptina web UI. The template for the ransom note was updated to remove the Kryptina 2.x references, replacing them with Mallox v1.0.

Kryptina original ransom note template
Mallox 1.0 ransom note template

The main source files for “Mallox 1.0” were held in the /src folder of the affiliate server.  The original names of the encryptor and decryptor source files (kryptina.c and kryptina.h) retain the Kryptina-centric names.  The only operational change to the Kryptina encryptor code is updating printed output in Debug mode (updated to Mallox).  Aside from changing comments in the file to reference Mallox and removing references to the Kryptina author (“Corlys”), the source is unchanged.

Mallox 1.0 src, with KRPTNA_DEBUG printf ->Mallox
Original Kryptina 2.2 kryptina.c source file
Mallox 1.0 kryptina.c source file

Kryptina’s original scripting_demo.py file provided threat actors with a way to build Linux payloads via the command line.  All the requisite fields are provided in the template. This allows for quick and automated builds.  While these scripted builds are not reflected in the web UI, they can be a valuable tool to a threat actor wanting to streamline the automation of new builds over time.  The scripting_demo.py file has been minimally updated to reflect Mallox branding over Kryptina.  References to “Corlys” have been removed as well.
Original Kryptina scripting_demo.py source file
Mallox 1.0 scripting_demo.py source file

Comparing Kryptina and Mallox makefiles: The makefile is used when building encryptor and decryptor payloads. It can be called directly via script or via the web UI while building payloads within campaigns.

Kryptina (and subsequently Mallox 1.0) supports multiple modes within the compiled payloads. These are:

demo – builds a demo version of Kryptina, no encryption

debug – provides customized debug output

symbols – provides debug build with debug symbols (-ggdb3)

arch32 – output 32-bit payload

Additional parameter values are provided for other conditions present in the builder. This includes the ability to customize the XOR critical used for encoding the encrypted configuration data within payloads (xor), thread count to use during the encryption process (jobs), toggling of the self-deletion feature (persist), and filesize constraints (max size) to enforce during encryption (e.g., the maximum size of the file to attempt to decrypt). Secure deletion (wiper’esque capability) can be toggled via the secdel parameter.

Example makefiles from the original Kryptina package and the Mallox-modified package appear as follows:
Kryptina makefile
Mallox Linux 1.0 makefile

Victim Subfolders

The May 2024 affiliate leak also contained target-specific output folders for 14 targets (potential victims). Some of this information was previously detailed here.

In the \output folder, subfolders exist for each target (unique ‘Target Name’ value).

Output folder on the affiliate staging server

Some folders contain config.json files (builder configuration) alongside the matching encryptor/decryptor binary pairs. There are also empty folders, meaning those targets were defined, but payloads have yet to be built.
Affiliate output directory with payloads and configs

Each config file contains values for all the fields required in the builder scripts. This includes payment types and addresses.  The configuration JSON contains values for the following:

Example config.json

Seven victim subfolders contained corresponding config.json files and compiled encryptor & decryptor tools.  All of the JSON files have similar values assigned for the requisite field. All targets were configured with the same payment address (BTC 18CUq89XR81Y7Ju2UBjER14fYWTfVwpGP3).  Other requisite values are repeated across campaigns as well. This includes the values for “key”, “bitcoin” and “extension”.  The extension on all fully configured builds (potentially separate attack campaigns) is .lmallox.

The configuration files also contain the ransom notes' full-text template, associated Client IDs, and additional communication channels.

Tox ID: 290E6890D02FBDCD92659056F9A95D80854534A4D76EE5D3A64AFD55E584EA398722EC2D3697)

What Else Was Leaked? The tools identified on the affiliate server were not limited to Linux victims. A small cache of tools and exploits targeting the Windows platform was also hosted. The threat actor utilizes these in the early stages of the attack, primarily for beachhead establishment and privilege escalation.
Windows-focused droppers and tools on affiliate leak site

KLAPR.ZIP extracts to KLAPR.BAT (SHA1:43377911601247920dc15e9b22eda4c57cb9e743).  The affiliate provides this tool to assist in the neutralization of Kaspersky endpoint products where needed.  This binary is a copy of the “Kaspersky Lab AllProducts Password Reset v2.0” tool.  This is a legitimate support tool from Kaspersky Labs.  Specific security products from Kaspersky require an application-specific password to allow for changing configuration settings (locally) or other management tasks. This .BAT file resets (nullifies) the stored password values for many Kaspersky products.

The exploit code for CVE-2024-21338 is included as well. CVE-2024-21338 is a local privilege escalation flaw in Windows 10 and 11, where HVCI (Hypervisor-Protected Code Integrity) is enabled.  This exploit is based on the proof-of-concept code provided in a writeup from Hakai Security.  The same code is also hosted on the hakaioffsec GitHub repository.

CVE-2024-21338 Exploit Readme

CVE-2024-21338 has been associated with other Mallox campaigns, as well as Lazarus.  Multiple Mallox (Windows) droppers are included, including a commented s.ps1 PowerShell script.  This script, hosted at the root of the open directory, provides a template for PowerShell privilege escalation and payload execution.  Some basic environmental discovery commands are included (e.g., Get-WmiObject -Namespace "root\SecurityCenter2" -Class AntiVirusProduct).
s.ps1 script from Mallox affiliate leak

A Mallox (Windows) dropper named Application.jar (SHA1: 5cf67c0a1fa06101232437bee5111fefcd8e2df4) was also present. This dropper launches a PowerShell script that downloads a copy of Mallox from the same server (as id.exe; SHA1: 0f1aea2cf0c9f2de55d2b920618a5948c5e5e119). The PowerShell commands are embedded within the nested MyClass.class as Java bytecode.  MyClass.class references a temporary DNS resolution for the host at grovik71.theweb[.]place.

DNS name revealed (grovik71.theweb[.]place)

The affiliate server hosts a copy of the Java JRE (8.0.4010.10). Jre-8u401-windows-x64.exe is a full offline installer of the JRE (SHA1: dc3f98dded6c1f1e363db6752c512e01ac9433f3).

Finally, multiple additional dropper/payload sets were hosted at the site's root. These include packages split for 32- and 64-bit use and an LNK-based dropper for the payloads.
Droppers are separated by architecture.

Reader.img and Reader+x86.img are compressed disk image files that contain Mallox (Windows) payloads for 64- and 32-bit systems, respectively.

Each image contains the same .LNK launcher (SHA1: c20e8d536804cf97584eec93d9a89c09541155bc) named Reader.lnk.

.LNK Launcher for Mallox (Windows)

The payload contained within these compressed images is named red.exe.

red.exe (x86) - SHA1: 29936b1aa952a89905bf0f7b7053515fd72d8c5c

red.exe (x64) - SHA1: 0f1aea2cf0c9f2de55d2b920618a5948c5e5e119

This instance of the 64-bit payload (SHA1: 0f1aea2cf0c9f2de55d2b920618a5948c5e5e119) is identical to the prior referenced id.exe and the hosted MSiedge.exe.

Conclusion

The Kryptina-derived variants of Mallox are affiliate-specific and separate from other Linux variants of Mallox that have since emerged, indicating how the ransomware landscape has evolved into a complex menagerie of cross-pollinated toolsets and non-linear codebases.

The adoption of Kryptina, a RaaS given away as a free tool after the developer failed to cash in on it by an active Mallox affiliate, represents a kind of ‘levelling-up’ for the malware. More importantly, it demonstrates the broader trend of ransomware commoditization.

The leakage of powerful tools like the LockBit, Yashma, Babuk builders, and Kryptina RaaS has obscured the lineage and proliferation of related malware families.  Individual affiliates introducing different codebases into the mix further muddies the water, ultimately increasing difficulty when tracking these tools and understanding their use and adoption scope.  Looking forward, we expect to see more outlier platforms like Kryptina being absorbed into the TTPs leveraged by more advanced threat actors.

IOCs

Files SHA1
0b9d2895d29f7d553e5613266c2319e10afdda78
0de92527430dc0794694787678294509964422e6
0e83d023b9f6c34ab029206f1f11b3457171a30a
0f1aea2cf0c9f2de55d2b920618a5948c5e5e119
0f632f8e59b8c8b99241d0fd5ff802f31a3650cd
1379a1b08f938f9a53082150d53efadb2ad37ae5
21bacf8daa45717e87a39842ec33ad61d9d79cfe
262497702d6b7f7d4af73a90cb7d0e930f9ec355
29936b1aa952a89905bf0f7b7053515fd72d8c5c
2b3fc20c4521848f33edcf55ed3d508811c42861
341552a8650d2bdad5f3ec12e333e3153172ee66
43377911601247920dc15e9b22eda4c57cb9e743
58552820ba2271e5c3a76b30bd3a07144232b9b3
5cf67c0a1fa06101232437bee5111fefcd8e2df4
88a039be03abc7305db724079e1a85810088f900
9050419cbecc88be7a06ea823e270db16f47c1ea
93ef3578f9c3db304a979b0d9d36234396ec6ac9
a1a8922702ffa8c74aba9782cca90c939dfb15bf
b07c725edb65a879d392cd961b4cb6a876e40e2d
b27d291596cc890d283e0d3a3e08907c47e3d1cc
b768ba3e6e03a77004539ae999bb2ae7b1f12c62
c20e8d536804cf97584eec93d9a89c09541155bc
c4d988135e960e88e7acfae79a45c20e100984b6
d46fbc4a57dce813574ee312001eaad0aa4e52de
d618a9655985c33e69a4713ebe39d473a4d58cde
dc3f98dded6c1f1e363db6752c512e01ac9433f3
ee3cd3a749f5146cf6d4b36ee87913c51b9bfe93
ef2565c789316612d8103056cec25f77674d78d1
f17d9b3cd2ba1dea125d2e1a4aeafc6d4d8f12dc

Network Comms
185[.]73.125[.]6
grovik71[.]theweb[.]place

Tox ID
290E6890D02FBDCD92659056F9A95D80854534A4D76EE5D3A64AFD55E584EA398722EC2D3697

BTC Address
18CUq89XR81Y7Ju2UBjER14fYWTfVwpGP3

This article is shared at no charge and is for educational and informational purposes only.

Red Sky Alliance provides Cyber Threat Analysis and Intelligence Services for our clients.  We provide valuable indicators of compromised information via a notification service (RedXray) or an analysis service (CTAC).  For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225 or feedback@redskyalliance.com    

• Reporting: https://www.redskyalliance.org/
• Website: https://www.redskyalliance.com/
• LinkedIn: https://www.linkedin.com/company/64265941 

Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://register.gotowebinar.com/register/5378972949933166424