Phobos Ransomware Impersonating Vx-Underground
Last updated
Phobos ransomware has developed a new variant that impersonates Vx-Underground, a respected group in malware research, to possibly harm reputations or cause disruption beyond financial gain. This blog explores the attack strategies, technical aspects, and wider ramifications of these deceptive tactics.
Phobos, first seen in late 2018, has been actively targeting small to medium-sized organisations. Its lineage traces back to the Dharma variant and the older CrySis ransomware family. The ransomware has been particularly noted for its dual use of AES-256 and RSA-1024 encryption algorithms, rendering its encrypted files extremely difficult to decrypt without the unique RSA private key.
Initial access methods vary: Phobos has been known to exploit software vulnerabilities, to run phishing campaigns that deliver its payload, and to reach hosts through exposed external services, for example by brute-forcing RDP.
Despite its significant operational impact, with Phobos accounting for a notable 4% of all submissions to the ID Ransomware service in 2023, it hasn’t achieved the notoriety of other RaaS operations like LockBit or REvil. This discrepancy points to the evolving and increasingly accessible nature of RaaS platforms, allowing less technically skilled attackers to launch ransomware campaigns.
To understand the ransomware’s behavior in a real-world setting, we conducted analyses using a cloud-based sandbox, Recorded Future. This approach allowed us to mimic a Security Operations Center (SOC) analyst’s environment, facilitating fast-paced, dynamic and static analysis of the malware.
Malware Family: Phobos
Target File Name: 763b04ef2d0954c7ecf394249665bcd71eeafebc3a66a27b010f558fd59dbdeb.zip
File Size: 48KB
MD5: 5f3689f795c7111c259d76bd19c509d3
SHA-1: f40c93f931979959e9ca4236d3b3c3e6b4342982
SHA-256: 35c01c9613c4f96a634ecebac702bdef8e1e194b96c3fc2d0b1bd997c2d8c98c
SSDEEP: 1536:BNvqk8FQgnN2VSPzZ7QtQls0GjoBbFZrt6Jy:B1b8FQgN1PzZ7QtQls0GsBbzrtn
The following screenshots were captured from the Windows 7 host, displaying the multiple instances of ‘vx-underground’ .hta (HTML application) files. The process mshta.exe was used to display ransom notes in various locations, falsely indicating Vx-Underground’s involvement.
Notably, we can see three highlighted strings: the official support email for Vx-Underground, their Twitter username, and a unique victim ID. Also identified is the common ransomware tactic of offering to decrypt 5 files for free, to prove to the victim that the attackers can decrypt the files and in an attempt to establish ‘trust’ and therefore increase the chance of payment.
Ironically, the Buy Black Mass Volume I.txt ransomware note, which shares its name with Vx-Underground’s research and malware book, states that the decryption password is not ‘infected’, the password used across their entire malware repository.
In our analysis of the Phobos ransomware variant, several key findings emerged:
Execution from Temp Directory: The ransomware initiated its attack from the AppData\Local\Temp directory, a common launching point for malware due to its lower security scrutiny, though this is also the staging area used by the Recorded Future sandbox.
System Security Disabling: Phobos used netsh.exe commands to disable Windows Firewall, creating a more vulnerable environment for further malicious activities.
Backup and Recovery Disruption: The ransomware strategically employed vssadmin.exe and WMIC.exe to delete Volume Shadow Copies, hindering recovery efforts by eliminating system restore points and backups.
No Direct Communication with C2 Servers: Interestingly, the variant showed no network traffic, indicating it could operate independently without direct command and control (C2) communication. This characteristic makes it potentially more robust in isolated environments.
Registry and Boot Configuration Modifications: Using bcdedit.exe, Phobos altered the boot configuration to prevent automatic recovery features, further complicating the victim’s ability to restore their system.
Unique File Encryption: The encryption process appended a .VXUG file extension along with the victim ID.
In the Phobos ransomware analysis, two Windows API calls typically used for legitimate purposes were identified as being exploited for malicious activities:
AdjustTokenPrivileges: Manages privileges in a process access token, but repurposed here to raise the ransomware process’s privileges, enabling it to perform actions that require higher access levels.
SetWindowsHookEx: Installs a hook procedure to monitor system events like keystrokes or mouse inputs. Hijacked to spy on user inputs, potentially for keylogging or input capture, indicating spyware capabilities.
In mapping the Phobos ransomware variant to the MITRE ATT&CK framework, the analysis revealed several key TTPs (Tactics, Techniques, and Procedures) utilized by the malware:
Execution: Relies on user execution, often through a phishing attachment (T1204.002).
Persistence: Achieved by creating or modifying system-level processes and registry keys to ensure the malware executes on system startup or at scheduled intervals. Netsh is used to disable firewall services (T1543.003, T1547.001).
Privilege Escalation: Involves modifying system processes or registry keys to run with elevated privileges (T1543.003, T1547.001).
Defense Evasion: The malware deletes shadow copies and modifies registry and kernel settings to avoid detection, and clears audit logs to cover its tracks (T1070.004, T1112).
Credential Access: Targets stored browser data and searches for insecurely stored credentials (T1555.001, T1005).
Discovery: Collects information about the host, such as the operating system and hardware details, to scope out future attacks (T1082).
Collection: Similar to credential access, it reads profile data from web browsers and searches local and remote file systems (T1005).
Impact: Encrypts files on local and remote drives and denies access to backups and recovery options, primarily by deleting volume shadow copies and modifying boot configuration data (T1486, T1490).
Below are the IoCs obtained from the analysis, categorised by type and modified to prevent direct exploitation. These files are likely used for various purposes such as executing commands, encrypting data, or enforcing persistence mechanisms.
C:\Users\Admin\AppData\Local\Temp\763b04ef2d0954c7ecf394249665bcd71eeafebc3a66a27b010f558fd59dbdeb.exe
PID: 1276, 2128
C:\Windows\system32\cmd.exe
PID: 628, 2376, 1640
C:\Windows\system32\vssadmin.exe
Command: vssadmin delete shadows /all /quiet
PID: 2660, 1488
C:\Windows\System32\Wbem\WMIC.exe
Command: wmic shadowcopy delete
PID: 2328, 1616
C:\Windows\system32\bcdedit.exe
Commands: bcdedit /set {default} bootstatuspolicy ignoreallfailures, bcdedit /set {default} recoveryenabled no
PID: 2592, 472, 2180, 328
C:\Windows\system32\netsh.exe
Commands: netsh advfirewall set currentprofile state off, netsh firewall set opmode mode=disable
PID: 2720, 2964
C:\Windows\SysWOW64\mshta.exe
Commands: mshta.exe execution with various HTA files
PID: 2972, 692, 3004, 2968
C:\Windows\system32\vssvc.exe
PID: 2688, 3036
C:\Windows\explorer.exe
PID: 1572
C:\Buy Black Mass Volume II.hta
HTML formatted ransom note with instructions and contact information.
staff@vx-underground[.]org
http[:]//www[.]w3[.]org/TR/html4/strict.dtd
https[:]//bazaar[.]abuse[.]ch/browse/
https[:]//malshare[.]com/
The IoCs provided in this report should be integrated into security information and event management (SIEM) systems, threat intelligence platforms, and used to enhance intrusion detection systems (IDS) and intrusion prevention systems (IPS).
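As an added example that is not part of the original analysis: a small Python detector that applies the command-line patterns from the key findings and the IoC list above to constructed process-creation events, the kind of logic a SIEM correlation rule would encode. The events, their PIDs and the ATT&CK ids chosen for the netsh and mshta rules are this example’s own assumptions, not values from the report.

```python
import re

# Constructed process-creation events modelled on the command lines in this report;
# PIDs are illustrative. The final event is benign admin activity that must not fire.
SAMPLE_EVENTS = [
    {"pid": 2660, "cmdline": "vssadmin delete shadows /all /quiet"},
    {"pid": 2328, "cmdline": "wmic shadowcopy delete"},
    {"pid": 2592, "cmdline": "bcdedit /set {default} bootstatuspolicy ignoreallfailures"},
    {"pid": 472, "cmdline": "bcdedit /set {default} recoveryenabled no"},
    {"pid": 2720, "cmdline": "netsh advfirewall set currentprofile state off"},
    {"pid": 2964, "cmdline": "netsh firewall set opmode mode=disable"},
    {"pid": 2972, "cmdline": r'mshta.exe "C:\Buy Black Mass Volume II.hta"'},
    {"pid": 4100, "cmdline": "vssadmin list shadows"},
]

# (ATT&CK id, label, pattern). The T1490 mapping follows the report; the netsh and
# mshta ids are this example's own mapping, not the report's.
RULES = [
    ("T1490", "vssadmin shadow deletion",
     re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    ("T1490", "wmic shadow deletion",
     re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("T1490", "bcdedit recovery tampering",
     re.compile(r"\bbcdedit(\.exe)?\s+/set\s+\{default\}\s+"
                r"(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I)),
    ("T1562.004", "netsh firewall disable",
     re.compile(r"\bnetsh(\.exe)?\s+(advfirewall\s+set\s+\w+\s+state\s+off"
                r"|firewall\s+set\s+opmode\s+mode=disable)\b", re.I)),
    ("T1218.005", "mshta launching .hta",
     re.compile(r"\bmshta(\.exe)?\b.*\.hta\b", re.I)),
]


def match_events(events):
    """Return (pid, attack_id, label) for every event whose command line hits a rule."""
    hits = []
    for ev in events:
        for attack_id, label, pattern in RULES:
            if pattern.search(ev["cmdline"]):
                hits.append((ev["pid"], attack_id, label))
    return hits


def inhibit_recovery_chain(events):
    """Phobos-style sequence: two or more distinct T1490 actions plus a firewall disable."""
    hits = match_events(events)
    t1490 = {label for _, aid, label in hits if aid == "T1490"}
    firewall = any(aid == "T1562.004" for _, aid, _ in hits)
    return len(t1490) >= 2 and firewall
```

Matching on the full command line rather than the image name alone keeps ordinary administrative use such as listing shadow copies from triggering the rule.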