The attackers behind 8Base ransomware have updated their arsenal with a new variant of the Phobos ransomware and other publicly available tools to conduct financially motivated attacks. The new finding comes from Cisco Talos researchers after a spike in 8Base ransomware activity was observed between May and June.
A glance at the distribution process
According to researchers, the group is using the SmokeLoader trojan to distribute the Phobos variant.
- SmokeLoader malware employs a three-stage payload decryption process. In the initial stage, numerous random API calls are utilized to obscure the execution flow.
- The subsequent two stages involve shellcode stored in allocated memory. The ultimate binary is exposed during the third stage, where a binary copy of the Windows Portable Executable (PE) data within that memory block yields the final payload in its original form.
Diving into details
- Researchers note that the versions of Phobos released after 2019 use a combination of the AEC-256 algorithm and different random symmetric keys to encrypt files on victims’ systems.
- However, the variant used by the 8Base group includes features that can enable the attackers to establish persistence on victims’ systems, perform speedy encryption, and remove backup and shadow copies.
- Furthermore, it includes advanced features, such as .NET profiler DLL loading vulnerability, API calls, and Cyrillic language, to avoid detection by security products.
Conclusion
Cisco Talos assesses that Phobos is closely managed by a central authority that controls the ransomware’s private encryption key while being sold as a Ransomware-as-a-Service (RaaS) to other affiliates. As threat actors continue to expand Phobos variants, organizations are recommended to keep track of the threats by following the latest IOCs associated with the ransomware.
Publisher
/https://cyware-ent.s3.amazonaws.com/image_bank/fc19_Cy_Blog_Lazarus-APT_v06.jpg)
/https://cyware-ent.s3.amazonaws.com/image_bank/5171_shutterstock_617680667.jpg)
