Research Saturday 1.6.24
Ep 311 | 1.6.24

Diving deep into Phobos ransomware.


Dave Bittner: Hello, everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down the threats and vulnerabilities, solving some of the hard problems, and protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us. [ Music ]

Guilherme Venere: The reason I started this research is that back in March of this year we started seeing a lot of activity from this new group at the time called "8Base."

Dave Bittner: That's Guilherme Venere, a Threat Researcher with Cisco Talos. Today we're discussing a deep dive into Phobos ransomware recently deployed by 8Base group. [ Music ]

Guilherme Venere: It was a group that hasn't been seen before in terms of ransomware, and when I started analyzing the incidents and looked at the malware that was being used in the 8Base attacks, I noticed that it has a lot of similarities to Phobos, and then I started diving into the campaign and the similarities that 8Base and Phobos had to understand how much it was similar to previous Phobos campaigns, right? Phobos is operating old malware. It's used by a lot of different actors, so I wanted to understand what 8Base was doing differently from these other campaigns.

Dave Bittner: Well, let's dig into Phobos itself, I suppose as an introduction, maybe a little brief explainer here. How does Phobos work and what are its capabilities?

Guilherme Venere: Yes, Phobos is, like I said, it's a pretty old piece of malware and it was first developed between 2018, 2019 based on a leak of another ransomware called "Dharma CrySiS." At the time, the code for Dharma CrySiS was leaked in some forums. Someone took this code and developed a new malware that they called "Phobos." Since then, and this is part of our research, there was no new developments in Phobos in terms of code. There was no new improvements in the code itself. So when we saw the events caused by 8Base, I wanted to understand why they were so successful and so active using a piece of malware that in theory should have been detected by everybody, and that's a part of the first research where we try to understand how 8Base was using Phobos in their campaigns.

Dave Bittner: Well, let's dig into that specifically. What did you find there?

Guilherme Venere: The first thing that I noticed is that the samples that 8Base was using, that the malware that 8Base was using to infect the machines and encrypt the machines was actually bigger in terms of size than a common Phobos binary. When I looked at the samples, I noticed that they were very obfuscated, which means that the code in the file itself was very different from the original Phobos code, and I noticed that they were using a piece of software called a "loader," which is another malware that is used to load different payloads, right, into the user's machine. This malware is called "Smoke Loader" and it's heavily obfuscated. The code is very difficult and very -- imitates a lot, so it's very difficult to analyze. 8Base was using this loader to drop the 8Base, I'm sorry, Phobos, on the machine of the infected victims.

Dave Bittner: Is it fair to call what 8Base is using "Phobos"? I mean, is it close enough to the original that it's still the same thing?

Guilherme Venere: Yes, once we peeled this layer of obfuscation added by Smoke Loader, the final RSO binary inside the loader is exactly the same as any other Phobos campaign that we observed in the past five years, basically. So the first blog that we published, the deep dive into Phobos ransomware, actually has an analysis of the code of 8Base samples compared to previous variants of Phobos formed in the last five years. So I compared with samples from 2019, 2020, 2022, and noticed that the code didn't change at all in all of these cases. Only the original samples from 2019 were a little different, but after that, they were exactly the same code. The only difference in terms of content was the configuration file that we found inside the samples, the configuration data that we found inside the samples. This configuration data is what changes between one sample and the other. So for each campaign, each threat actor that we observed using Phobos, this configuration is the only change that exists in these files.

Dave Bittner: Hm. Well, let's dig into Phobos' capabilities here. What can it do?

Guilherme Venere: Phobos is a common ransomware capable of encrypting files on a user's machine, so in order to do that, it has two methods of encryption. One is for files of small size less than 1.3 megabytes where it encrypts the entire file. The encryption happens by creating a random encryption key called a "AES key" for each file that is encrypted. This random AES key is then added to the end of the file and along with some metadata about the file, for example, the name of the -- original name of the file, original size, things like that, and this data at the end of the file is encrypted with an RSA key. That RSA key is what is used to decrypt the file later if the user pay the ransom, right? So that's the first method. The second method is in case the file is big. In order to make the encryption faster, Phobos don't encrypt the entire file and decrypts parts of the file. So random blocks inside the file will be encrypted, and again, the metadata and the key used to encrypt that file will be saved at the end of the file with -- encrypted with RSA key. One thing that we noticing now, Phobos variants that we analyze, is that this RSA key that is used there is the same for all the samples, which means that there is only one single private key that is able to decrypt all these infections, all this encrypted files. Besides this ransomware encryption feature, Phobos is capable of encrypting files on remote shares. It also contain code to elevate its privileges in case the sample is running, the file is running as a restricted user, and it has other common features like adding itself to our run key, add itself to the startup menu, so it can restart the infection once the user reboots the machine. [ Music ]

Dave Bittner: What can you tell us in terms of command and control?

Guilherme Venere: Yeah, Phobos don't have a typical command and control structure. It doesn't, in theory, it doesn't report the infection to a central authority, although one piece of code that we found in our analysis was called to do exactly that, but we never found a sample that actually use this feature. So the code itself has the feature to report to a central authority, but there is no sample where this feature is enabled, right? So the method by how the user contact the ransom actors, ransomware actors is by contacting them through an email or telegram channel.

Dave Bittner: Hm.

Guilherme Venere: Right? So this is -- this is something that is common in ransomware. Although there are some ransomwares that use a command/control feature, Phobos itself don't have this ability. It doesn't receive commands from a central server. It doesn't record the infections back. It just encrypt the files and let the user contact the actors.

Dave Bittner: This group, 8Base, how do you rank their sophistication here? I mean, it sounds to me like they're reusing Phobos, but in addition, there is this layer of obfuscation that they put over top of it. What's your insight there?

Guilherme Venere: Yeah, one thing that stand out in our research is that the attacks themselves are not very complex. They use Phobos which is a very common piece of software. It's local loader. It's also a very common obfuscator that is used by many more malware families. The method of infecting victims at work correlating to other research into 8Base is basically buying credentials from data leaks and using the usernames and passwords that they find to connect to the remote machines using RDP. So they basically connect to remote RDP servers and enter the victim's network by these compromised accounts. Once inside the network, they attempt to access important servers inside this network. So we noticed that 8Base likes to target ESXi servers, so servers that are running a lot of VMs, and they encrypt the server itself. So that would have a bigger impact on the victim than just encrypting like desktops or user machines. In terms of complexity, their attacks are not very complex, but they are very effective because they use things that people usually don't take care of, for example, reusing credentials or credentials that have been leaked, are not reset and things like that, so they are very effective in using this common methods of infecting a victim to get access to their network.

Dave Bittner: You also dig into the Phobos affiliate structure and the activity that you've been keeping an eye on there. What can you share with us about that?

Guilherme Venere: Yeah, one of the takes from the analysis that we did on the configuration of Phobos is that inside the configuration there is a lot of information about the groups that use Phobos. So the configuration have items like the extension that is used, which includes an email that is used to contact the threat actors, includes the extension that is used to encrypt the file, which is usually the name of the group that is behind it, and it contains a specific item that is a list of extensions that should be avoided by the ransomware. So when the RSO finds a file with that extension that lists, it won't encrypt that file, and that list containing a list of extensions related to other groups using Phobos, so for example, the 8Base samples have a list of about 20 or 30 extensions from other groups that used Phobos before, that sample should not encrypt, and that's what gave us a good overview of how many groups are using Phobos. By analyzing around 1,000 samples that we found in public resources, we were able to extract around 110 different groups or threat actors that are using Phobos, right, based on the extensions that are used by these threat actors, and looking at the mails that are used to contact the threat actors, we found that some of these groups have more than 100 people behind them. For example, Faust is one of the most common variants of Phobos. It encrypts the file with the extension "Faust," and the Emails that are used to contact the actors, we found more than 100 emails over time that were used to contact the threat actors. So we started to notice that Phobos is not a common -- it's not a common ransomware in terms of how they are distributed. It's not a single group that is behind it. It seems to be a malware that is sold to other groups that configured the malware to its liking, for example, with the extensions that they want, and then these groups hire other actors to distribute the samples, so you have two layers of services that are sold to distribute for both in the underground, right? So that's one thing that we found by analyzing all this, the samples and the configurations inside the samples. It's a lot of people behind this. There's campaigns, a lot of different campaigns in the last five years that really makes it difficult to track Phobos with a specific group or a specific developer or who created or who manage this malware.

Dave Bittner: Yeah. So what are your recommendations, then, based on the information that you've gathered here? How should people best protect themselves against this?

Guilherme Venere: The recommendations here are very common in terms of who -- what you need to do to keep your network secure, right? Like I mentioned before, 8Base doesn't use anything very complex to infect their victims, and that was a common behavior among the different campaigns that we observed. We recommend that users -- that companies that have remote access enabled, that they put better controls in who can access these resources or what they can do once they access the resources. We recommend that credentials that have been leaked or that are known to be leaked be reset and be monitored for access from unknown sources, for example, so this will prevent RDP access like 8Base used to access its victims, security tools that are useful to detect uncommon behavior, for example, a file that is encrypting a lot of samples, a lot of files in a user's machine. It has a sequence of events that it creates that most of the security tools in use can detect, but if the security tools are not configured properly, they will not detect, right? In general, just keep an eye on the security tools and take any event that is generated by them seriously and analyze these events and see if there is nothing else behind a single event. For example, if your security tool detects that backups were disabled on a machine, that's a common behavior from ransomware that disable the backups in the machine before encrypting the file. So if you see a machine that has backups disabled, you need to act immediately before the encryption starts. [ Music ]

Dave Bittner: Our thanks to Guilherme Venere from Cisco Talos for joining us. The research is titled "A deep dive into Phobos ransomware, recently deployed by 8Base group." We'll have a link in the show notes. [ Music ] The CyberWire Research Saturday podcast is a production of N2K Networks. N2K strategic workforce intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team while making your team smarter. Learn more at This episode was produced by Liz Irvin, with mixing by Elliott Peltzman. Our executive producers are Jennifer Eiben and Brandon Karpf. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. [ Music ]