CyberWire Daily - Diving deep into Phobos ransomware. [Research Saturday]
Episode Date: January 6, 2024

Guilherme Venere from Cisco Talos joins to discuss their research on "A deep dive into Phobos ransomware, recently deployed by 8Base group." Cisco Talos discovered that 8Base's Phobos ransomware payload contains an embedded configuration, which is a significant difference between 8Base's Phobos variant and other Phobos samples that have been observed in the wild since 2019. In this 2-part research series, Talos conducts a deep dive into the Phobos ransomware, including its affiliate structure, activity and capabilities, as well as the one private key that could enable decryption of all the samples analyzed. The research can be found here: "A deep dive into Phobos ransomware, recently deployed by 8Base group" and "Understanding the Phobos affiliate structure and activity."
Transcript
You're listening to the CyberWire Network, powered by N2K.

Hello, everyone, and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down the threats and vulnerabilities, solving some of the hard problems, and protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.
The reason I started this research is that back in March of this year, we started seeing a lot of activity from this new group at the time called 8Base.
That's Guilherme Venere, a threat researcher with Cisco Talos.
Today we're discussing a deep dive into Phobos ransomware recently deployed by 8Base Group.
It was a group that hadn't been seen before in terms of ransomware. And when I started analyzing the incidents and looking at the malware that was being used in the 8Base attacks, I noticed that it had a lot of similarities to Phobos. And then I started diving into the campaign and the similarities that 8Base and Phobos had, to understand how similar it was to previous Phobos campaigns. Phobos is a pretty old malware. It's used by a lot of different actors. So I wanted to understand what 8Base was doing differently from these other campaigns.
Well, let's dig into Phobos itself, I suppose, as an introduction, maybe a little brief explainer here. How does Phobos work and what are its capabilities?
Yes, Phobos is, like I said, a pretty old piece of malware. It was first developed in 2018, 2019, based on a leak of another ransomware called Dharma/CrySis. At the time, the code for Dharma/CrySis was leaked in some forums. Someone took this code and developed a new malware that they called Phobos. Since then, and this is part of our research, there have been no new developments in Phobos in terms of code. There have been no new improvements in the code itself. So when we saw the events caused by 8Base, I wanted to understand why they were so successful and so active using a piece of malware that in theory should have been detected by everybody. And that's a part of the first research, where we tried to understand how 8Base was using Phobos in their campaigns.

Well, let's dig into that specifically. What did you find there?
The first thing that I noticed is that the samples that 8Base was using, the malware that 8Base was using to infect the machines and encrypt the machines, was actually bigger in terms of size than a common Phobos binary. When I looked at the samples, I noticed that they were very obfuscated, which means that the code in the file itself was very different from the original Phobos code. And I noticed that they were using a piece of software called a loader, which is another malware that is used to load different payloads onto the user's machine. This malware is called SmokeLoader, and it's heavily obfuscated. The code is very difficult and it mutates a lot, so it's very difficult to analyze. 8Base was using this loader to drop the 8Base ransomware, Phobos, on the machines of the infected victims.
Is it fair to call what 8Base is using Phobos? I mean, is it close enough to the original that it's still the same thing?
Yes. Once we peel off this layer of obfuscation added by SmokeLoader, the final ransomware binary inside the loader is exactly the same as any other Phobos campaign that we observed in the past five years, basically. So the first blog that we published, the deep dive into Phobos ransomware, actually has an analysis of the code of 8Base samples compared to previous variants of Phobos found in the last five years. So I compared with samples from 2019, 2020, 2022, and noticed that the code didn't change at all in all of these cases. Only the original samples from 2019 were a little different, but after that, they were exactly the same code. The only difference in terms of content was the configuration file that we found inside the samples, the configuration data that we found inside the samples. This configuration data is what changes between one sample and the other. So for each campaign, each threat actor that we observed using Phobos, this configuration is the only change that exists in these files.
Hmm. Well, let's dig into Phobos' capabilities here. What can it do?
Phobos is a common ransomware capable of encrypting files on a user's machine. In order to do that, it has two methods of encryption. One is for files of small size, less than 1.3 megabytes, where it encrypts the entire file. The encryption happens by creating a random encryption key, an AES key, for each file that is encrypted. This random AES key is then added to the end of the file, along with some metadata about that file, for example, the original name of the file, original size, things like that. And this data at the end of the file is encrypted with an RSA key. That RSA key is what is used to decrypt the file later if the user paid the ransom. So that's the first method. The second method is in case the file is big. In order to make the encryption faster, Phobos doesn't encrypt the entire file; it encrypts parts of the file. So random blocks inside the file will be encrypted. Again, the metadata and the key used to encrypt that file will be saved at the end of the file, encrypted with the RSA key. One thing that we noticed in all Phobos variants that we analyzed is that this RSA key that is used there is the same for all the samples, which means that there is one single private key that is able to decrypt all these infections, all these encrypted files. Besides this ransomware encryption feature, Phobos is capable of encrypting files on remote shares. It also contains code to elevate its privileges in case the sample is running, the file is running, as a restricted user. And it has other common features like adding itself to a run key, adding itself to the startup menu, so it can restart once the user reboots the machine.
And now, a message from our sponsor, Zscaler, the leader in cloud security. Enterprises have spent billions of dollars on firewalls and VPNs, yet breaches continue to rise. With an 18% year-over-year increase in ransomware attacks and a $75 million record payout in 2024, these traditional security tools expand your attack surface with public-facing IPs that are exploited by bad actors more easily than ever with AI tools. It's time to rethink your security. Zscaler Zero Trust plus AI stops attackers by hiding your attack surface, making apps and IPs invisible, eliminating lateral movement, connecting users only to specific apps, not the entire network, continuously verifying every request based on identity and context, simplifying security management with AI-powered automation, and detecting threats using AI to analyze over 500 billion daily transactions. Hackers can't attack what they can't see. Protect your organization with Zscaler Zero Trust and AI. Learn more at zscaler.com/security.
What can you tell us in terms of command and control?
Yeah, Phobos doesn't have a typical command and control structure. In theory, it doesn't report the infection to a central authority, although one piece of code that we found in our analysis was called to do exactly that, but we never found a sample that actually used this feature. So the code itself has the feature to report to a central authority, but there is no sample where this feature is enabled. So the method by which the user contacts the ransomware actors is by contacting them through an email or Telegram channel. So this is something that is common in ransomware, although there are some ransomware that use a command and control feature. Phobos itself doesn't have this ability. It doesn't receive commands from a central server. It doesn't report transactions back. It just encrypts the files and lets the user contact the actors.
This group, 8Base, how do you rank their sophistication here? I mean, it sounds to me like they're reusing Phobos, but in addition, there is this layer of obfuscation that they put over top of it. What's your insight there?
Yeah, one thing that stands out in our research is that the attacks themselves are not very complex. They use Phobos, which is a very common piece of software. SmokeLoader is also a very common obfuscator that is used by many malware families. The method of infecting a victim's network, according to other research into 8Base, is basically buying credentials from data leaks and using the usernames and passwords that they find to connect to the remote machines using RDP. So they basically connect to remote RDP servers and enter the victim's network through these compromised accounts. Once inside the network, they attempt to access important servers inside this network. So we noticed that 8Base likes to target ESXi servers, so servers that are running a lot of VMs, and they encrypt the server itself. So that would have a bigger impact on the victim than just encrypting desktops or user machines. In terms of complexity, their attacks are not very complex, but they are very effective because they use things that people usually don't take care of. For example, reusing credentials, or credentials that have been leaked are not reset, and things like that. So they are very effective in using these common methods of infecting a victim to get access to their network.
You also dig into the Phobos affiliate structure and the activity that you've been keeping an eye on there. What can you share with us about that?
Yeah, one of the takeaways from the analysis that we did on the configuration of Phobos is that inside the configuration, there is a lot of information about the groups that use Phobos. So the configuration has items like the extension that is used, which includes an email that is used to contact the threat actors, includes the extension that is used to encrypt the file, which is usually the name of the group that is behind it. And it contains a specific item that is a list of extensions that should be avoided by the ransomware. So when the ransomware finds a file with an extension in that list, it won't encrypt that file. That list contains extensions related to other groups using Phobos. For example, the 8Base samples had a list of about 20 or 30 extensions from other groups that used Phobos before, that the sample should not encrypt. And that's what gave us a good overview of how many groups are using Phobos. By analyzing around a thousand samples that we found in public resources, we were able to extract around 110 different groups or threat actors that are using Phobos, right? Based on the extensions that are used by these threat actors. And looking at the emails that are used to contact the threat actors, we found that some of these groups have more than 100 people behind them. For example, Faust is one of the most common variants of Phobos. It encrypts the file with the extension Faust, F-A-U-S-T. And the emails that are used to contact the actors, we found more than 100 emails over time that were used to contact the threat actors. So we started to notice that Phobos is not a common ransomware in terms of how they are distributed. It's not a single group that is behind it. It seems to be a malware that is sold to other groups that configure the malware to their liking, for example, with extensions that they want. And then these groups hire other actors to distribute the samples. So you have two layers of services that are sold to distribute Phobos in the underground.
Right.
So that's one thing that we found by analyzing all these samples and the configurations inside the samples. There are a lot of people behind these campaigns, a lot of different campaigns in the last five years, which really makes it difficult to track Phobos to a specific group or a specific developer, or who created or who manages this malware.
Yeah.
So what are your recommendations then, based on the information that you've gathered here? How should people best protect themselves against this?
The recommendations here are very common in terms of what you need to do to keep your network secure. Like I mentioned before, 8Base doesn't use anything very complex to infect their victims. And that was a common behavior among the different campaigns that we observed. We recommend that users, that companies that have remote access enabled, put better controls on who can access these resources, or what they can do once they access the resources. We recommend that credentials that have been leaked or that are known to be leaked be reset and be monitored for access from unknown sources, for example. So this will prevent RDP access like 8Base used to access these victims. Security tools that are used to detect uncommon behavior, for example, a file that is encrypting a lot of samples, a lot of files, on a user's machine: it has a sequence of events that it creates that most of the security tools in use can detect. But if the security tools are not configured properly, they will not detect it. In general, just keep an eye on the security tools and take any event that is generated by them seriously, and analyze these events and see if there is nothing else behind a simple event. For example, if your security tool detects that backups were disabled on a machine, that's a common behavior from ransomware, which disables the backups on the machine before encrypting the files. So if you see a machine that has backups disabled, you need to act immediately before the encryption starts.
Our thanks to Guilherme Venere from Cisco Talos for joining us. The research is titled "A Deep Dive into Phobos Ransomware, recently deployed by 8Base Group." We'll have a link in the show notes.
Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant.
Learn more at n2k.com. This episode was produced by Liz Ervin, with mixing by Elliot Peltzman. Our executive producers are Jennifer Eiben and Brandon Karpf. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening.