AhnLab Security Emergency response Center (ASEC) has recently discovered the active distribution of the Phobos ransomware. Phobos is a variant that shares technical and operational similarities with the Dharma and CrySis ransomware. These ransomware strains typically use externally exposed Remote Desktop Protocol (RDP) services with weak security as their attack vector. Since ransomware is frequently distributed through such poorly secured RDP services as the initial access point, administrators are advised to be cautious. [1] [2] [3]
1. Phobos Ransomware Overview
Phobos ransomware is known for appending the following information after the original extensions of files upon infection: “infected PC’s Volume Serial Number (VSN)”, “threat actor’s email address”, etc.
<Original file name>.<Original extension>.id[<VSN>-<4-digit fixed number>].[<Threat actor’s email address>].<Ransomware extension>
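As an added example (not ASEC's code), the following parser recognises the naming pattern above in a directory listing and groups hits by VSN and e-mail address, so one infection appears as one finding. It assumes the VSN is written as 8 hexadecimal characters; the sample names, VSN, number and e-mail address are constructed.

```python
import re
from typing import Optional

# Matches <name>.<ext>.id[<VSN>-<4 digits>].[<email>].<ransomware extension>
# Assumption: the Volume Serial Number is rendered as 8 hex characters.
PHOBOS_NAME = re.compile(
    r"^(?P<name>.+)\.(?P<ext>[^.\[\]]+)"               # original name and extension
    r"\.id\[(?P<vsn>[0-9A-Fa-f]{8})-(?P<num>\d{4})\]"  # .id[VSN-NNNN]
    r"\.\[(?P<email>[^\[\]]+)\]"                       # .[threat actor e-mail]
    r"\.(?P<rext>[A-Za-z0-9_-]+)$"                     # .ransomware extension
)


def parse_phobos_name(filename: str) -> Optional[dict]:
    """Return the pattern's fields, or None when the name does not match."""
    m = PHOBOS_NAME.match(filename)
    return m.groupdict() if m else None


def scan_names(filenames: list) -> list:
    """Group matching names by (VSN, e-mail).

    Returns (vsn, email, count) tuples, highest count first, so a scan of a
    share produces one line per infection rather than one per file.
    """
    buckets = {}
    for name in filenames:
        info = parse_phobos_name(name)
        if info:
            key = (info["vsn"].upper(), info["email"].lower())
            buckets[key] = buckets.get(key, 0) + 1
    return sorted(((v, e, c) for (v, e), c in buckets.items()), key=lambda t: -t[2])


# Constructed sample directory listing (not from a real incident).
SAMPLE_LISTING = [
    "budget.xlsx.id[A1B2C3D4-3483].[attacker@example.invalid].faust",
    "Q3 report.docx.id[A1B2C3D4-3483].[attacker@example.invalid].faust",
    "photo.jpg",
    "info.txt",
    "archive.tar.gz.id[A1B2C3D4-3483].[attacker@example.invalid].faust",
    "notes.id.txt",  # contains ".id" but not the Phobos pattern
]

if __name__ == "__main__":
    for vsn, email, count in scan_names(SAMPLE_LISTING):
        print(f"VSN {vsn} / {email}: {count} renamed file(s)")
```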
The ransom note generated after infection takes the form of the files “info.txt” and “info.hta”. The ransom note contains the threat actor’s email address, which the victim is told to use to arrange payment of the ransom.
Phobos ransomware generates the ransom note after the encryption of both local and network drives has completed. The malware creates a ransom note in each directory where encryption has been performed, as well as in the following paths:
- %USERPROFILE%\Desktop\info.hta
- %USERPROFILE%\Desktop\info.txt
- %public%\Desktop\info.hta
- %public%\Desktop\info.txt
- <drive_roots>\info.hta
- <drive_roots>\info.txt
2. Phobos Ransomware Main Features
Maintaining Persistence
When Phobos ransomware is executed, it maintains persistence by copying itself to the %LOCALAPPDATA% path and registering that copy in the following Run keys. This allows the ransomware to run again after a reboot.
- HKLM\Software\Microsoft\Windows\CurrentVersion\Run
- HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Encryption Targets and Exception Conditions
Phobos ransomware encrypts all files present on a system except those matching the exception paths, extensions, and file names listed below. In addition to Phobos variant extensions such as “phobos” and “eking”, extensions belonging to other ransomware families, such as “makop”, have also been confirmed to be exempt from encryption. This is most likely done to skip files already encrypted by other ransomware. The exception file names, extensions, and path information are stored in AES-encrypted form within the malware file and are decrypted when the malware executes.

| Overview | Details |
| --- | --- |
| Directories excluded from encryption | %SystemRoot%, %ProgramData%\microsoft\windows\caches |
| Extensions excluded from encryption | Faust (target ransomware sample extension), actin, dike, acton, actor, acuff, file, acuna, fullz, mmxxii, kmrox, 6y8dghklp, shtorm, nurri, ghost, ff6om6, blue, nx, backjohn, own, fs23, 2qz3, top, blackrock, chcrbo, g-stars, faust, unknown, steel, worry, win, duck, fopra, unique, acute, adage, make, adair, mlf, magic, adame, banhu, banjo, banks, banta, barak, caleb, cales, caley, calix, calle, calum, calvo, deuce, dever, devil, devoe, devon, devos, dewar, eight, eject, eking, elbie, elbow, elder, phobos, help, blend, bqux, com, mamba, karlos, ddos, phoenix, plut, karma, bbc, capital, wallet, lks, tech, s1g2n3a4l, murk, makop, ebaka, jook, logan, fiasko, gucci, decrypt, ooh, non, grt, lizard, flscrypt, sdk, 2023, vhdv |
| File names excluded from encryption | info.hta, info.txt, boot.ini, bootfont.bin, ntldr, ntdetect.com, io.sys, wang, [malware name].exe |
Additionally, the ransomware retrieves the locale information of the infected system. If it detects a certain language environment, it terminates itself without infecting the system. Whether this check is performed is controlled by the malware’s config settings.
Terminated Processes
Upon infection, Phobos ransomware forcibly terminates the document editors, email clients, database programs, and other processes listed in the table below. This is done so that more files can be encrypted: a running process that holds an open handle to a file would otherwise prevent that file from being encrypted. The process name strings targeted for termination are stored in AES-encrypted form within the malware file and are decrypted when the malware executes.

| List of Terminated Processes |
| --- |
| msftesql.exe, sqlagent.exe, sqlbrowser.exe, sqlservr.exe, sqlwriter.exe, oracle.exe, ocssd.exe, dbsnmp.exe, synctime.exe, agntsvc.exe, mydesktopqos.exe, isqlplussvc.exe, xfssvccon.exe, mydesktopservice.exe, ocautoupds.exe, agntsvc.exe, agntsvc.exe, agntsvc.exe, encsvc.exe, firefoxconfig.exe, tbirdconfig.exe, ocomm.exe, mysqld.exe, mysqld-nt.exe, mysqld-opt.exe, dbeng50.exe, sqbcoreservice.exe, excel.exe, infopath.exe, msaccess.exe, mspub.exe, onenote.exe, outlook.exe, powerpnt.exe, steam.exe, thebat.exe, thebat64.exe, thunderbird.exe, visio.exe, winword.exe, wordpad.exe |
Disabling Firewall and Deleting Volume Shadow Copies
Phobos ransomware decrypts the AES-encrypted command strings and executes them as arguments of the “cmd.exe” process. This is how it disables the firewall and deletes volume shadow copies.

| Overview | Details |
| --- | --- |
| Disable the firewall | netsh advfirewall set currentprofile state off |
| Disable the firewall | netsh firewall set opmode mode=disable |
| Prevent recovery | vssadmin delete shadows /all /quiet |
| Prevent recovery | wmic shadowcopy delete |
| Prevent recovery | bcdedit /set {default} bootstatuspolicy ignoreallfailures |
| Prevent recovery | bcdedit /set {default} recoveryenabled no |
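The commands above are a reliable detection point because they are launched through cmd.exe in quick succession. As an added example (not ASEC's code), the following rules match each command family in process-creation telemetry and flag a host only when two or more families appear together, which is how Phobos chains them. The event format (host name plus command line) and the sample events are constructed; the firewall rule is generalised to any netsh profile name, not only currentprofile.

```python
import re

# One regex list per command family from the table above.
RULES = {
    "firewall_disable": [
        re.compile(r"netsh\s+advfirewall\s+set\s+\w+\s+state\s+off", re.I),
        re.compile(r"netsh\s+firewall\s+set\s+opmode\s+mode=disable", re.I),
    ],
    "shadow_copy_deletion": [
        re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows\s+/all\s+/quiet", re.I),
        re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    ],
    "recovery_tampering": [
        re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures", re.I),
        re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no", re.I),
    ],
}


def classify(cmdline: str):
    """Return the command family a command line belongs to, or None."""
    for category, patterns in RULES.items():
        if any(p.search(cmdline) for p in patterns):
            return category
    return None


def detect(events: list, min_categories: int = 2) -> dict:
    """Correlate matches per host; flag hosts whose matched commands span at
    least `min_categories` families. A lone 'vssadmin list shadows' never fires."""
    per_host = {}
    for ev in events:
        cat = classify(ev["cmdline"])
        if cat:
            per_host.setdefault(ev["host"], set()).add(cat)
    return {h: sorted(c) for h, c in per_host.items() if len(c) >= min_categories}


# Constructed process-creation events (host name + command line).
SAMPLE_EVENTS = [
    {"host": "WS01", "cmdline": "vssadmin delete shadows /all /quiet"},
    {"host": "WS01", "cmdline": "wmic shadowcopy delete"},
    {"host": "WS01", "cmdline": "bcdedit /set {default} bootstatuspolicy ignoreallfailures"},
    {"host": "WS01", "cmdline": "bcdedit /set {default} recoveryenabled no"},
    {"host": "WS01", "cmdline": "netsh advfirewall set currentprofile state off"},
    {"host": "WS02", "cmdline": "vssadmin list shadows"},              # benign admin query
    {"host": "WS03", "cmdline": "netsh firewall set opmode mode=disable"},  # one family only
]

if __name__ == "__main__":
    for host, cats in detect(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(cats)}")
```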
Encrypting Local and Network Shared Folders
Phobos ransomware encrypts both local and network resources using AES in CBC mode.
When encrypting local drives, Phobos ransomware identifies the currently available drives using the GetLogicalDrives() API, which returns a bitmask in which each set bit corresponds to an existing drive letter. It selects the target drives by checking each bit of this bitmask and then encrypts each selected drive.
Phobos ransomware is one of the few major ransomware families that also encrypts network shared folders. To do so, it lists existing or currently connected network shared resources by calling the WNetOpenEnumW() API several times, once for each of the dwScope values RESOURCE_CONNECTED, RESOURCE_RECENT, RESOURCE_CONTEXT, RESOURCE_REMEMBERED, and RESOURCE_GLOBALNET. It then starts an encryption thread for each selected network resource.
3. Conclusion
Externally exposed RDP services with weak security are a common attack vector that numerous threat actors consistently use for initial access and lateral movement. Attacks on such RDP services typically involve brute-force and dictionary attacks against systems where account credentials are poorly managed. Many ransomware threat actors, including those behind the Dharma and Phobos variants derived from CrySis, use vulnerable RDP services as their primary initial attack vector.
Users can deactivate RDP when it is not in use to reduce the number of attack attempts. If RDP must be used, it is advised to set a complex account password and to change it periodically to prevent brute-force and dictionary attacks. V3 should also be updated to the latest version so that malware infections can be prevented.
File Detection
– Ransomware/Win.Phobos.R363595 (2023.08.24.00)
Behavior Detection
– Ransom/MDP.Decoy.M1171
– Ransom/MDP.Command.M2255
IOC
MD5
Source: https://asec.ahnlab.com/en/58753/