CISA Warns Phobos Ransomware Groups Attacking Critical Infrastructure – Source: securityboulevard.com

Phobos, a complex ransomware-as-a-service (RaaS) operation that has been around for five years and is includes multiple variants, continues to target a range of critical infrastructure in the United States, including education, healthcare, and emergency services, according to federal agencies.

The FBI and Cybersecurity and Infrastructure Security Agency (CISA) issued a warning with a list of indicators of compromise (IoC) about Phobos, saying variants of the ransomware have been seen in action as late as last month. The agencies said that over the years, entities tied to Phobos have collected millions of dollars in ransoms.

“Phobos ransomware is likely connected to numerous variants (including Elking, Eight, Devos, Backmydata, and Faust ransomware) due to similar TTPs [tactics, techniques, and procedures observed in Phobos intrusions,” the FBI and CISA wrote. “Phobos ransomware operates in conjunction with various open source tools such as Smokeloader, Cobalt Strike, and Bloodhound.”

Those tools are “all widely accessible and easy to use in various operating environments, making it (and associated variants) a popular choice for many threat actors,” they wrote.

Some affiliates using Phobos ransomware variants not only will demand a ransom after encrypting files on the systems, but also will steal data and threaten to make it public to put more pressure on victims to pay the ransom.

Protecting the country’s critical infrastructure is a significant part of the U.S. government’s larger cybersecurity initiatives, with CISA pointing to cyberattacks last year on water systems by Cyber Av3ngers, a threat group linked to Iran.

CISA’s #StopRansomware Push

The alert was issued as part of CISA’s larger #StopRansomware initiative, which lays out the activities and tactics used by various ransomware gangs. The Multi-State Information Sharing and Analysis Center (MS-ISAC), an organization funded by CISA and housed by the nonprofit Center for Internet Security to act as a collaboration point for cybersecurity organizations and the federal government and a clearinghouse for security information.

Phobos was first detected in 2019 and there now are a range of variants being used by multiple ransomware groups. Cisco’s Talos threat intelligence unit in November 2023 outlined the operation of a group called 8Base that uses a variant of Phobos and publicly available tools – in this case, Smokeloader – that serves as a backdoor trojan to deploy payloads onto compromised systems.

Notably, the researchers reiterated that despite the numerous variants of the ransomware in use, there is a fairly centralized nature to the operation. The variant used by 8Base contained an embedded configuration, but outside of that, “our analysis did not uncover any other significant differences between 8Base’s Phobos variant and other Phobos samples that have been observed in the wild since 2019,” they wrote. “Notably, in all samples of Phobos released since 2019 that we analyzed, the same RSA key protected the encryption key.”

More recently, researchers with Fortinet’s FortiGuard Labs threat research group reported on the emergence of Faust, the latest variant of Phobos that they found after uncovering “an Office document containing a VMA script aimed at propagating the FAUST ransomware.”

The Faust variant’s activities include downloading the payload file from a Microsoft Excel document embedded with VBA script. It’s a fileless attack designed to deploy shellcode. In addition, Faust can establish persistence in a compromised IT environment and creates multiple threads to run more efficiently, according to FortiGuard Labs.

It Starts With a Phishing Email

According to the FBI and CISA, affiliates typically running Phobos campaigns gain initial access through phishing campaigns to drop Smokeloader or other tools. They also can use IP scanning tools, like Angry IP Scanner, to look for Remote Desktop Protocol (RDP) ports or RDP on Microsoft Windows systems.

“Once they discover an exposed RDP service, the actors use open source brute force tools to gain access,” they wrote. “If Phobos actors gain successful RDP authentication in the targeted environment, they perform open source research to create a victim profile and connect the targeted IP addresses to their associated companies. Threat actors leveraging Phobos have notably deployed remote access tools to establish a remote connection within the compromised network.”

The hackers also may send spoofed email attachments embedded with Smokeloader or other payloads.

The affiliates also use a range of techniques to evade detection, including having Smokeloader running a program-erase cycle from stored memory before downloading more malware. They also may modify system firewall configurations or by using tools like Universal Virus Sniffer, Process Hacker, and PowerTool.

Ensuring Persistence

There also are ways beyond evasion techniques to ensure persistence in compromised systems, including using various commands, using Windows Startup folders and Run Registry Keys, leveraging Windows API functions to steal tokens, bypass access controls, and create new processes to escalate privileges via the SeDebugPrivilege process.

“Phobos actors attempt to authenticate using cached password hashes on victim machines until they reach domain administrator access,” they wrote.

The affiliates not only encrypt the data but also exfiltrate it, exporting files taken from victims to cloud storage providers. The agencies wrote that the bad actors “target legal documentation, financial records, technical documents (including network architecture), and databases for commonly used password management software.”

Afterwards, they search the systems for backups to prevent victims from recovering files after they’ve been encrypted. The search for more files to encrypt continues even after the ransom note it put into infected systems, while the extortion effort continues via emails and voice calls to victims, the agencies said.

“In some cases, Phobos actors have used onion sites to list victims and host stolen victim data,” the agencies wrote. “Phobos actors use various instant messaging applications such as ICQ, Jabber, and QQ to communicate.”