
The US CISA, the FBI, and MS-ISAC issued a joint advisory about attacks involving Phobos ransomware variants such as Backmydata, Devos, Eight, Elking, and Faust.
The attacks, observed as recently as February 2024, targeted government, education, emergency services, healthcare, and other critical infrastructure sectors.
These variants were tied to Phobos intrusions based on observed similarities in TTPs. Phobos intrusions also involved commodity and open-source tooling, including SmokeLoader, Cobalt Strike, and BloodHound.
Initial access to vulnerable networks is gained through phishing campaigns that drop hidden payloads, or by using IP scanning tools such as Angry IP Scanner to locate exposed Remote Desktop Protocol (RDP) ports on Microsoft Windows hosts.
Once an exposed RDP service is found, the threat actors use open-source brute-force tools to gain access. After successful RDP authentication in the targeted environment, Phobos actors perform open-source research to build a victim profile and link the targeted IP addresses to the organisations that own them. They have also deployed remote access tools to maintain a connection into the compromised network.
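The RDP brute-force step above is one of the easiest parts of this chain to detect from Windows Security logs. The following is an added example written for this article, not code from the advisory: it walks a simplified, constructed CSV export of logon events (event IDs 4625 and 4624 and logon type 10 are real Windows values; the CSV layout, function names, sample IPs and thresholds are this example's own assumptions), flags a source IP once it accumulates a burst of failed RDP logons inside a sliding window, and then flags any later successful RDP logon from that same IP, which is the pattern worth triaging first.

```python
"""Flag RDP password-guessing bursts in Windows Security logon events.

Added example for this article; it is not code from the CISA/FBI/MS-ISAC
advisory. The input format is an assumed simplified CSV export, one event per
line: "<ISO timestamp>,<EventID>,<LogonType>,<TargetUserName>,<IpAddress>".
Event IDs 4625 (failed logon) and 4624 (successful logon) and logon type 10
(RemoteInteractive, i.e. RDP) are real Windows values. With Network Level
Authentication enabled, failed RDP attempts are typically logged with logon
type 3 (Network) instead, so both types are treated as RDP candidates.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

RDP_LOGON_TYPES = {"3", "10"}

# Constructed sample: one source hammers RDP with several usernames and then
# succeeds; a second source is a user who mistyped a password once; a third
# burst is interactive (type 2) console failures that are not RDP at all.
SAMPLE_EVENTS = """\
2024-02-10T01:00:01,4625,10,Administrator,203.0.113.50
2024-02-10T01:00:04,4625,10,admin,203.0.113.50
2024-02-10T01:00:07,4625,10,backup,203.0.113.50
2024-02-10T01:00:10,4625,3,Administrator,203.0.113.50
2024-02-10T01:00:13,4625,3,sqlsvc,203.0.113.50
2024-02-10T01:00:16,4625,3,Administrator,203.0.113.50
2024-02-10T01:01:30,4624,10,Administrator,203.0.113.50
2024-02-10T01:02:00,4625,10,jsmith,198.51.100.7
2024-02-10T01:02:20,4624,10,jsmith,198.51.100.7
2024-02-10T01:03:00,4625,2,localuser,127.0.0.1
2024-02-10T01:03:01,4625,2,localuser,127.0.0.1
2024-02-10T01:03:02,4625,2,localuser,127.0.0.1
2024-02-10T01:03:03,4625,2,localuser,127.0.0.1
2024-02-10T01:03:04,4625,2,localuser,127.0.0.1
2024-02-10T01:03:05,4625,2,localuser,127.0.0.1
"""


def parse_event(line):
    """Split one CSV line into a dict; raises ValueError on a malformed line."""
    ts, event_id, logon_type, user, ip = line.strip().split(",")
    return {"ts": datetime.fromisoformat(ts), "id": event_id,
            "type": logon_type, "user": user, "ip": ip}


def detect_rdp_bruteforce(lines, threshold=5, window=timedelta(minutes=5)):
    """Return findings, in log order, as a list of dicts.

    A source IP is reported once ("rdp_bruteforce") when it accumulates
    `threshold` failed RDP logons inside a sliding `window`, and again
    ("success_after_bruteforce") for every later successful RDP logon from
    that IP.
    """
    failures = defaultdict(deque)   # ip -> timestamps of recent failures
    flagged = set()
    findings = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        ev = parse_event(line)
        if ev["type"] not in RDP_LOGON_TYPES:
            continue
        recent = failures[ev["ip"]]
        while recent and ev["ts"] - recent[0] > window:
            recent.popleft()    # age out failures older than the window
        if ev["id"] == "4625":
            recent.append(ev["ts"])
            if len(recent) >= threshold and ev["ip"] not in flagged:
                flagged.add(ev["ip"])
                findings.append({"kind": "rdp_bruteforce", "ip": ev["ip"],
                                 "failures": len(recent), "at": ev["ts"]})
        elif ev["id"] == "4624" and ev["ip"] in flagged:
            findings.append({"kind": "success_after_bruteforce", "ip": ev["ip"],
                             "user": ev["user"], "at": ev["ts"]})
    return findings


if __name__ == "__main__":
    for finding in detect_rdp_bruteforce(SAMPLE_EVENTS.splitlines()):
        print(finding)
```

On the constructed sample this yields two findings for 203.0.113.50 and nothing for the single mistyped password or the console failures. Tune `threshold` and `window` to your environment, and remember that a low-and-slow guess rate below the window will not trip this rule; a count of distinct usernames per source is a useful second signal.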
Phobos actors also send spoofed emails whose attachments embed hidden payloads such as SmokeLoader, a backdoor trojan often used together with Phobos. Once the SmokeLoader payload has been downloaded onto the victim's system, the actors use its functionality to fetch the Phobos payload and to exfiltrate data from the compromised system.
Phobos actors were observed executing files such as 1saas.exe or cmd.exe to deploy additional Phobos payloads with elevated privileges. Persistence within compromised environments is maintained through Windows Startup folders and Run registry keys.
Threat actors used open-source tools such as BloodHound, SharpHound, Mimikatz, NirSoft utilities, and Remote Desktop PassView to enumerate Active Directory and harvest credentials. Phobos operators exfiltrated data to FTP servers or cloud storage using WinSCP and Mega.io.
Most extortion takes place over email, although some affiliate groups have telephoned victims directly. For communication, Phobos actors use instant messaging applications such as ICQ, Jabber, and QQ.
Indicators of Compromise (SHA-256 file hashes)
- 9215550ce3b164972413a329ab697012e909d543e8ac05d9901095016dd3fc6c
- 482754d66d01aa3579f007c2b3c3d0591865eb60ba60b9c28c66fe6f4ac53c52
- c0539fd02ca0184925a932a9e926c681dc9c81b5de4624250f2dd885ca5c4763
- 58626a9bfb48cd30acd0d95debcaefd188ae794e1e0072c5bde8adae9bccafa6
- f3be35f8b8301e39dd3dffc9325553516a085c12dc15494a5e2fce73c77069ed
- 518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c
- 32a674b59c3f9a45efde48368b4de7e0e76c19e06b2f18afb6638d1a080b2eb3
- 2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66
- fc4b14250db7f66107820ecc56026e6be3e8e0eb2d428719156cf1c53ae139c6
- a91491f45b851a07f91ba5a200967921bf796d38677786de51a4a8fe5ddeafd2

