Warning Against Phobos Ransomware Distributed via Vulnerable RDP – ASEC BLOG

AhnLab Security Emergency response Center (ASEC) has recently discovered the active distribution of the Phobos ransomware. Phobos is a variant known for sharing technical and operational similarities with the Dharma and CrySis ransomware. These ransomware strains typically target externally exposed Remote Desktop Protocol (RDP) services with vulnerable securities as attack vectors. Given the frequent occurrence of ransomware distribution that leverages these vulnerable RDPs as initial access points, administrators are advised to be cautious. [1] [2] [3]

1. Phobos Ransomware Overview

Phobos ransomware is known for appending the following information after the original extensions of files upon infection: “infected PC’s Volume Serial Number (VSN)”, “threat actor’s email address”, etc.

 <Original file name>.<Original extension>.id[<VSN>-<4-digit fixed number>].[<Threat actor’s email address>].<Ransomware extension>

Figure 1. Extensions being changed upon Phobos ransomware infection

The ransom note generated after infection is created in the form of “info.txt” and “info.hta” files as shown below. One can find the threat actor’s email information in the ransom note for the purpose of paying the ransom.

Figure 2. Phobos ransomware’s ransom note (info.txt)
Figure 3. Phobos ransomware’s ransom note (info.hta)

Phobos ransomware’s ransom note generation process occurs after the encryption process has been completed for both local and network drives. The malware creates a ransom note in each directory where the encryption has been performed as well as the following paths:

  • %USERPROFILE%Desktopinfo.hta
  • %USERPROFILE%Desktopinfo.txt
  • %public%Desktopinfo.hta
  • %public%Desktopinfo.txt
  • <drive_roots>info.hta
  • <drive_roots>info.txt
Figure 4. Phobos ransomware’s ransom note generation routine

2. Phobos Ransomware Main Features

Maintaining Persistence

When Phobos ransomware is executed, it maintains persistence by copying malware to the %LOCALAPPDATA% path and registering it in the following Run keys. This allows the ransomware to restart even after the reboot process.

  • HKLMSoftwareMicrosoftWindowsCurrentVersionRun
  • HKCUSoftwareMicrosoftWindowsCurrentVersionRun

Encryption Targets and Exception Conditions

Phobos ransomware encrypts all files present on a system, excluding those set as exceptions with the following paths, extensions, and file names. In addition to Phobos variant extensions such as “phobos” and “eking”, non-Phobos extensions have also been confirmed to be exempted from encryption, such as “makop”. This is likely done for the purpose of excluding files already infected by other ransomware. Furthermore, the exception “file names”, “extensions”, and “path information” exist in an AES-encrypted form within the malware file. These are decrypted and used during the execution of the malware.

Overview Details
Directories excluded from encryption %SystemRoot%, %ProgramData%microsoftwindowscaches
Extensions excluded from encryption Faust (target ransomware sample extension), actin, dike, acton, actor, acuff, file, acuna, fullz,
mmxxii, kmrox, 6y8dghklp, shtorm, nurri, ghost, ff6om6, blue, nx, backjohn, own, fs23,
2qz3, top, blackrock, chcrbo, g-stars, faust, unknown, steel, worry, win, duck, fopra,
unique, acute, adage, make, adair, mlf, magic, adame, banhu, banjo, banks, banta,
barak, caleb, cales, caley, calix, calle, calum, calvo, deuce, dever, devil, devoe,
devon, devos, dewar, eight, eject, eking, elbie, elbow, elder, phobos, help, blend,
bqux, com, mamba, karlos, ddos, phoenix, plut, karma, bbc, capital, wallet, lks,
tech, s1g2n3a4l, murk, makop, ebaka, jook, logan, fiasko, gucci, decrypt, ooh,
non, grt, lizard, flscrypt, sdk, 2023, vhdv
File names excluded from encryption info.hta, info.txt, boot.ini, bootfont.bin, ntldr, ntdetect.com, io.sys, wang, [malware name].exe
Table 1. Example of Phobos ransomware encryption exception conditions

Additionally, the ransomware has a feature to retrieve the locale information of the infected system. If it detects a certain language environment, it will not infect the system and terminate itself. This behavior is determined by the config settings.

Figure 5. Routine to check the system locale

Terminated Processes

Upon infection, Phobos ransomware forcibly terminates the documents, email clients, database programs, etc. in the table shown below. This is done in order to encrypt more files during the file encryption process by preventing the encryption process from being interrupted due to reasons such as file handles being occupied. The process strings targeted for termination exist in an AES-encrypted form within the malware file and are decrypted and used during the execution process.

List of Terminated Processes
msftesql.exe sqlagent.exe sqlbrowser.exe sqlservr.exe sqlwriter.exe oracle.exe ocssd.exe dbsnmp.exe synctime.exe agntsvc.exe mydesktopqos.exe isqlplussvc.exe xfssvccon.exe mydesktopservice.exe ocautoupds.exe agntsvc.exe agntsvc.exe agntsvc.exe encsvc.exe firefoxconfig.exe tbirdconfig.exe ocomm.exe mysqld.exe mysqld-nt.exe mysqld-opt.exe dbeng50.exe sqbcoreservice.exe excel.exe infopath.exe msaccess.exe mspub.exe onenote.exe outlook.exe powerpnt.exe steam.exe thebat.exe thebat64.exe thunderbird.exe visio.exe winword.exe wordpad.exe
Table 2. List of terminated processes

Disabling Firewall and Deleting Volume Shadow Copies

Phobos ransomware decodes the AES-encrypted command strings and executes them as arguments of the “cmd.exe” process. This method is used to disable the firewall and delete volume shadow copies.

Figure 6. Command execution (disable the firewall: 0x2A, delete volume shadow copies: 0x2B)
Overview Details
Disable the firewall netsh  advfirewall set currentprofile state off
netsh  firewall set opmode mode=disable
Prevent recovery vssadmin  delete shadows /all /quiet
wmic  shadowcopy delete
bcdedit  /set {default} bootstatuspolicy ignoreallfailures
bcdedit  /set {default} recoveryenabled no
Table 3. Phobos ransomware’s feature to disable the firewall and prevent recovery
Figure 7. Commands for disabling the firewall
Figure 8. Commands for deleting volume shadow copies

Encrypting Local and Network Shared Folders

Phobos ransomware provides the encryption feature for local and network resources via the AES-CBC mode.

Figure 9. Target files encrypted via AES

During the encryption process for local drives, Phobos ransomware identifies currently available drives using the GetLogicalDrives() API. It selects the target drives for encryption by searching for a bitmask for the identified drives. Afterward, it encrypts the selected target drive.

Figure 10. Phobos ransomware encrypting local drives

Phobos ransomware is one of the main ransomware that support the encryption feature for network shared folders. In order to accomplish such a process, the ransomware lists existing or currently connected network shared resources by individually designating and making multiple calls to RESOURCE_CONNECTED, RESOURCE_RECENT, RESOURCE_CONTEXT, RESOURCE_REMEMBERED, and RESOURCE_GLOBALNET with the WNetOpenEnumW() API’s dwScope argument. Afterward, encryption is carried out by calling an encryption thread for each selected network resource.

Figure 11. Phobos ransomware encrypting network shared folders

3. Conclusion

Externally exposed RDP services with vulnerable securities are common attack vectors that are consistently utilized by numerous threat actors during the initial infiltration and lateral movement processes. Attacks on such RDP services typically involve brute force and dictionary attacks on systems where account credentials are poorly managed. Many ransomware threat actors, including those behind the Dharma and Phobos variants derived from Crysis, often use vulnerable RDP services as their primary initial attack vectors.

Users can deactivate RDP when not in use to decrease the number of attack attempts. If RDP is being used, it is advised to use a complex account password and to change it periodically to prevent brute force and dictionary attacks. Also, V3 should be updated to the latest version so that malware infection can be prevented.

File Detection
– Ransomware/Win.Phobos.R363595 (2023.08.24.00)

Behavior Detection
– Ransom/MDP.Decoy.M1171
– Ransom/MDP.Command.M2255

IOC
MD5

– d221b0a793cd10b00b0c1f943f6c1b63
– c6936c5cf4307a8bb793dbc7a9dcb9f1
– 5cfee29eae9f476e8b32491f4ef8ae2f
– 6cfa3d34a929cabcc54229b6e100a633
– bd7756138f48dc4ec8088e23ef6a4c80
– 0ef558c14d9894b6a011c9473c0f17c3
– 38bc0f4ac3bb83c5b7a041746b014910
– f2e4746363ba1c940fa315f737dd8a46
– 5b672f45d525b56eb0c4c146214f267e
– 9043580b1766661d8fde0d3e88026de1

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

Source: https://asec.ahnlab.com/en/58753/