Pierluigi Paganini March 02, 2024

US CISA, the FBI, and MS-ISAC issued a joint CSA to warn of attacks involving Phobos ransomware variants observed as recently as February 2024

US CISA, the FBI, and MS-ISAC issued a joint cyber security advisory (CSA) to warn of attacks involving Phobos ransomware variants such as Backmydata, Devos, Eight, Elking, and Faust.

The attacks were observed as recently as February 2024, they targeted government, education, emergency services, healthcare, and other critical infrastructure sectors.

Phobos operation uses a ransomware-as-a-service (RaaS) model, it has been active since May 2019.

Based on information from open sources, government experts linked multiple Phobos ransomware variants to Phobos intrusions due to observed similarities in Tactics, Techniques, and Procedures (TTPs). Phobos intrusions also involved the use of various open-source tools, including Smokeloader, Cobalt Strike, and Bloodhound. These tools are widely available and user-friendly across different operating environments, contributing to the popularity of Phobos and its associated variants among various threat actors.

Threat actors behind Phobos attacks were observed gaining initial access to vulnerable networks by leveraging phishing campaigns. They dropped hidden payloads or used internet protocol (IP) scanning tools, such as Angry IP Scanner, to search for vulnerable Remote Desktop Protocol (RDP) ports or by leveraging RDP on Microsoft Windows environments.

“Once they discover an exposed RDP service, the actors use open source brute force tools to gain access. If Phobos actors gain successful RDP authentication in the targeted environment, they perform open source research to create a victim profile and connect the targeted IP addresses to their associated companies. Threat actors leveraging Phobos have notably deployed remote access tools to establish a remote connection within the compromised network.” reads the joint CSA. “Alternatively, threat actors send spoofed email attachments that are embedded with hidden payloads such as SmokeLoader, a backdoor trojan that is often used in conjunction with Phobos. After SmokeLoader’s hidden payload is downloaded onto the victim’s system, threat actors use the malware’s functionality to download the Phobos payload and exfiltrate data from the compromised system.“

Phobos actors were observed executing files such as 1saas.exe or cmd.exe to install additional Phobos payloads with elevated privileges enabled.

Threat actors behind Phobos ransomware attacks were also observed bypassing organizational network defense protocols by modifying system firewall configurations and evading detection by using Universal Virus Sniffer, Process Hacker, and PowerTool tools.

Phobos maintained persistence within compromised environments using Windows Startup folders and Run Registry Keys.

Threat actors used open-source tools such as Bloodhound, Sharphound, Mimikatz, NirSoft, and Remote Desktop Passview to enumerate the active directory and gather credentials. Phobos operators used WinSCP and Mega.io for data exfiltration to FTP servers or cloud storage.

Phobos is also able to identify and delete data backups.

Most of extortion takes place through email; nevertheless, certain affiliate groups have employed voice calls to reach out to victims. For communication purposes, Phobos actors employ diverse instant messaging applications such as ICQ, Jabber, and QQ.

The joint advisory contains indicators of compromise (IoCs) and mitigations for this threat.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, Phobos ransomware)