‘Mamona’ launches, leaves few traces and concludes within seconds
Cybersecurity researchers have uncovered a new ransomware strain that is drawing attention for its minimalist yet dangerously effective design.
Named Mamona, the malware operates entirely offline, slipping past traditional detection systems by executing locally without reaching out to external command-and-control (C2) servers – exposing a major blind spot in conventional cybersecurity strategies.
Researchers at Wazuh say Mamona’s self-contained nature makes it difficult to detect using standard tools that rely on monitoring network traffic.
Executed as a standalone binary on Windows systems, Mamona launches a subtle attack sequence that leaves behind few traces and concludes within seconds.
“When you hear about ransomware, your first educated guess is usually a threat that comes from the outside, exfiltrates sensitive files, encrypts the local versions, and then demands a ransom. Pretty much the full ransomware cycle.
“But this one is different. It has no network communication at all, acting surprisingly as a mute ransomware. So far, the only connections it attempts are local, plus one to port 80 (HTTP), where no data is actually sent or received,” said analyst Mauro Eldritch in a blog post.
A silent strike
When launched, Mamona introduces a delay of roughly three seconds using a subtly modified command: cmd.exe /C ping 127.0.0.7 -n 3 > Nul & Del /f /q. The three loopback pings act as a sleep (Windows waits about a second between echo requests, and the output is discarded to Nul); once they finish, the chained Del removes the malware’s own executable. The delay, while seemingly benign, gives the encryption routine time to complete before the binary deletes itself.
Notably, it pings 127.0.0.7 instead of the more common 127.0.0.1. The whole 127.0.0.0/8 range is loopback, so the ping behaves identically, but detection rules written against the literal string “127.0.0.1” will not fire.
After execution, Mamona encrypts local files and renames them with the .HAes extension. It also drops a ransom note titled README.HAes.txt in affected directories before vanishing from the system.
This combination of quick encryption, silent execution and forensic self-wipe makes Mamona especially challenging to investigate after the attack.
Because Mamona leaves minimal digital artefacts, traditional antivirus solutions that rely on signatures or outbound connection tracking are rendered less effective.
Wazuh’s detection relies on a behavioural approach using Sysmon for log collection and custom rules to detect suspicious patterns:
- Rule 100901 monitors for the creation of the ransom note (README.HAes.txt).
- Rule 100902 looks for a combination of behaviours – the ping delay and file self-deletion – to confirm the presence of Mamona.
These methods are augmented by YARA rules and a real-time file integrity monitoring system.
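The two behaviours described above translate directly into endpoint detection logic. The following is an added example written for this page (it is not Wazuh’s rule set, and none of it is Mamona’s code): it applies the ransom-note check and the ping-delay-plus-self-delete check to Sysmon-style events, and it treats any 127.0.0.0/8 address as loopback so that the 127.0.0.7 substitution does not evade it. The JSON lines, host names and file paths are constructed for the example.

```python
"""Behavioural detection of the Mamona pattern over Sysmon events.

Added example, not Wazuh's rules or Mamona's code. It mirrors the two
behaviours the article names: creation of README.HAes.txt (what rule 100901
watches for) and a cmd.exe child chaining a loopback ping delay with a
self-delete (what rule 100902 watches for). The JSON lines in SAMPLE_EVENTS
are constructed Sysmon-style records, not captured telemetry.
"""
import ipaddress
import json
import re

# Sysmon Event ID 1 = ProcessCreate, Event ID 11 = FileCreate.
PROCESS_CREATE, FILE_CREATE = 1, 11

# Ransom note name from the article, anchored to a path separator so that
# a file merely ending in "README.HAes.txt" does not match by accident.
RANSOM_NOTE = re.compile(r"(?:^|[\\/])README\.HAes\.txt$", re.IGNORECASE)

# The delay-then-delete chain: ping <addr> -n <count> > Nul & Del /f /q ...
# The address is captured rather than hard-coded so that 127.0.0.7, 127.0.0.1
# or any other loopback address is handled the same way (see is_loopback).
PING_DELETE = re.compile(
    r"ping\s+(?P<addr>\d{1,3}(?:\.\d{1,3}){3})\s+-n\s+(?P<count>\d+)"
    r"\s*>\s*nul\s*&\s*del\s+/f\s+/q",
    re.IGNORECASE,
)


def is_loopback(addr: str) -> bool:
    """True for any address in 127.0.0.0/8, not only 127.0.0.1."""
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False


def scan(jsonl: str) -> list[dict]:
    """Apply both detections to a JSON-lines stream of Sysmon events."""
    alerts = []
    for line in jsonl.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if ev.get("EventID") == FILE_CREATE:
            target = ev.get("TargetFilename", "")
            if RANSOM_NOTE.search(target):
                alerts.append({"rule": 100901, "host": ev.get("Computer"),
                               "detail": f"ransom note created: {target}"})
        elif ev.get("EventID") == PROCESS_CREATE:
            m = PING_DELETE.search(ev.get("CommandLine", ""))
            if m and is_loopback(m.group("addr")):
                alerts.append({"rule": 100902, "host": ev.get("Computer"),
                               "detail": (f"loopback ping delay ({m.group('addr')}, "
                                          f"-n {m.group('count')}) chained with "
                                          f"self-delete, parent {ev.get('ParentImage')}")})
    return alerts


def confirmed_hosts(alerts: list[dict]) -> set:
    """Hosts on which both behaviours were seen: the combination that confirms Mamona."""
    seen: dict = {}
    for a in alerts:
        seen.setdefault(a["host"], set()).add(a["rule"])
    return {h for h, rules in seen.items() if {100901, 100902} <= rules}


# Constructed Sysmon-style events (hypothetical hosts and paths, not real telemetry).
SAMPLE_EVENTS = r"""
{"EventID": 11, "Computer": "WS01", "Image": "C:\\Users\\victim\\Downloads\\sample.exe", "TargetFilename": "C:\\Users\\victim\\Documents\\README.HAes.txt"}
{"EventID": 11, "Computer": "WS01", "Image": "C:\\Windows\\explorer.exe", "TargetFilename": "C:\\Users\\victim\\Documents\\README.txt"}
{"EventID": 1, "Computer": "WS01", "ParentImage": "C:\\Users\\victim\\Downloads\\sample.exe", "CommandLine": "cmd.exe /C ping 127.0.0.7 -n 3 > Nul & Del /f /q \"C:\\Users\\victim\\Downloads\\sample.exe\""}
{"EventID": 1, "Computer": "WS02", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "cmd.exe /C ping 127.0.0.1 -n 1"}
{"EventID": 1, "Computer": "WS02", "ParentImage": "C:\\Users\\victim\\AppData\\Local\\Temp\\drop.exe", "CommandLine": "cmd.exe /C ping 127.0.0.1 -n 3 > Nul & Del /f /q \"C:\\Users\\victim\\AppData\\Local\\Temp\\drop.exe\""}
"""

if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS)
    for a in found:
        print(a["rule"], a["host"], a["detail"])
    print("confirmed:", sorted(confirmed_hosts(found)))
```

Run against the sample stream, the note on WS01 fires 100901, the 127.0.0.7 chain on WS01 and the 127.0.0.1 chain on WS02 both fire 100902, the plain connectivity ping on WS02 is ignored, and only WS01 (both behaviours) is reported as confirmed. The point of validating the captured address with `ipaddress` rather than matching a fixed string is that the rule survives the exact substitution the malware relies on.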
Mamona’s compact design marks a growing trend: the commoditisation of cyber attacks. No longer do attackers need complex infrastructures or sophisticated evasion mechanisms. With Mamona, the weapon is ready-made and deceptively easy to deploy.
While the malware lacks advanced stealth features seen in more sophisticated families, its sheer speed and self-sufficiency are enough to outpace slower, more reactive security systems.
Wazuh stresses that the emergence of Mamona demands a re-evaluation of what counts as “best-in-class” antivirus and endpoint protection. As malware grows leaner and more efficient, defenders must adopt modular, flexible strategies with real-time capabilities.