Phobos ransomware, first discovered in December 2018, is another notorious cyber threat that targets businesses.
Phobos is popular among threat actors of various technical abilities because of its simple design. In addition, the Greek god Phobos was thought to be the incarnation of fear and panic; hence the name Phobos was likely inspired by him.
Phobos is a ransomware infection that spreads through hijacked Remote Desktop (RDP) connections. This isn’t surprising, given that hacked RDP servers are a cheap commodity on the underground market and can be an appealing and cost-effective distribution route for threat actors.
Additionally, Phobos is not packed or obfuscated, unlike the majority of malware that is secured by a crypter. Although the absence of packing is not frequent in the general population of malware, it is widespread among malware that is manually distributed by attackers.
Observed Target Industries
Unlike other gangs that look for medium/enterprise targets, the Phobos team usually goes after smaller firms that don’t have the financial wherewithal to pay massive ransoms. Phobos is standard ransomware that offers little in the way of innovation. This gang does not use the double extortion approach: there have been no reports of any underground leak site linked to it revealing confidential information about its targets. The threat is most likely positioned to pressure the victim by capitalizing on the worries sparked by other high-profile ransomware attacks.
Yarix Incident Response Team – First Engagement
The analysis of the binary “ph_decrypt.exe” obtained by YIR (Yarix Incident Response Team) is divided into several sections, distinguishing between static and dynamic analysis.
Static Analysis – ph_decrypt.exe
Static Analysis – PE Sections
The binary has several sections such as “CODE”, “DATA”, “BSS”, “.idata”, “.tls”, “.rdata”, “.reloc” and “.rsrc”; in particular, it is noteworthy that inside “.rsrc” there are two particularly suspicious files given their Magic Signature which leads to an executable file and a Delphi Form.
Proceeding to a more in-depth analysis, exporting the binary’s resources reveals several secondary encrypted payloads in addition to the two executables mentioned above.
From the static analysis it is difficult to understand the true nature of textual resources such as “EX”, “KD”, “TK”, “VR” and “WO”, as they appear to be strings encrypted by a matryoshka of different techniques that, once decrypted, yield payloads encoded with unknown methods.
The textual resources are then used by some internal routines for comparative checks during a strange file substitution routine analyzed in the dynamic analysis section.
As for the other resources, their use is as follows:
- CX –> Executable created by the malware during its execution and renamed to “.cache_%FILENAME%”; the binary is also hidden and flagged as a system file
- TMAINFORM –> Form of the decryptor written in Delphi and used as the “GUI” for entering the “decrypt keys” provided by the Threat Actor and selecting the UNC paths containing the files to be decrypted
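A first triage step when exporting such resources is to classify each blob by its magic signature, exactly the check described above (an embedded PE file and a Delphi form). The following Python is an added example written for this article, not code from Yarix or from the malware; the resource names and blob contents are constructed samples, and the classifier also reads the COFF Machine field so that the 32-bit build noted in the header analysis can be confirmed automatically.

```python
import struct

MZ_MAGIC = b"MZ"
PE_MAGIC = b"PE\0\0"
DELPHI_FORM_MAGIC = b"TPF0"        # signature of a binary Delphi form (DFM) resource
IMAGE_FILE_MACHINE_I386 = 0x14C
IMAGE_FILE_MACHINE_AMD64 = 0x8664


def classify_resource(blob: bytes) -> str:
    """Label an extracted resource blob by its magic signature."""
    if blob.startswith(DELPHI_FORM_MAGIC):
        return "delphi-form"
    if blob.startswith(MZ_MAGIC) and len(blob) >= 0x40:
        # e_lfanew (offset 0x3C of the DOS header) points at the PE signature
        e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
        if e_lfanew + 6 <= len(blob) and blob[e_lfanew:e_lfanew + 4] == PE_MAGIC:
            # COFF header starts right after "PE\0\0"; first field is Machine
            machine = struct.unpack_from("<H", blob, e_lfanew + 4)[0]
            if machine == IMAGE_FILE_MACHINE_I386:
                return "pe-executable-32bit"
            if machine == IMAGE_FILE_MACHINE_AMD64:
                return "pe-executable-64bit"
            return "pe-executable"
    return "unknown"


def _fake_pe(machine: int) -> bytes:
    # Constructed sample: minimal DOS header with e_lfanew = 0x40, then PE signature + COFF Machine
    dos = bytearray(0x40)
    dos[0:2] = MZ_MAGIC
    struct.pack_into("<I", dos, 0x3C, 0x40)
    return bytes(dos) + PE_MAGIC + struct.pack("<H", machine) + bytes(18)


# Constructed stand-ins for exported resources (names taken from the article, contents invented)
SAMPLE_RESOURCES = {
    "CX": _fake_pe(IMAGE_FILE_MACHINE_I386),
    "TMAINFORM": DELPHI_FORM_MAGIC + b"\x09TMainForm\x08MainForm",
    "EX": bytes.fromhex("a1b2c3d4e5f6"),   # opaque blob, stands in for the encrypted strings
}


def triage(resources: dict) -> dict:
    """Map every resource name to its classification."""
    return {name: classify_resource(blob) for name, blob in resources.items()}


if __name__ == "__main__":
    for name, label in triage(SAMPLE_RESOURCES).items():
        print(f"{name:10} {label}")
```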
From the header file some useful information related to the nature of the file can be found, such as:
- Payload has been compiled for 32bit architectures
- The compiler date is pointing at 19th June 1992
- Symbols have been stripped from file
From the “Explicit Import Table” the following DLLs imported from the binary during the loading phase are detected: kernel32.dll, user32.dll, advapi32.dll, oleaut32.dll, version.dll, gdi32.dll, ole32.dll, comctl32.dll, shell32.dll, wininet.dll, wsock32.dll, netapi32.dll.
The type of imported DLLs suggests that the binary is not limited to the decryption of files: “wsock32.dll” and “netapi32.dll” are used for managing sockets and network resources, “shell32.dll” for running commands through shells such as “cmd.exe”, and many other functions are imported that are not normally present in ransomware decryptor software.
From the “Function Table” you can see the following functions coming from the DLLs shown in the “import-table” section of this report:
GetCurrentThreadId, SetCurrentDirectoryA, FindFirstFileA, WriteFile, RaiseException, GetKeyboardType, ShellExecuteExA, SHGetFileInfoA, SHFileOperationA, InternetGetConnectedState, WSACleanup, WSAStartup, WSAGetLastError, gethostbyname, socket, setsockopt, send, recv, ntohl, ioctlsocket, inet_addr, htons, htonl, connect, closesocket, Netbios, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, GetTickCount, QueryPerformanceCounter, GetVersion, InterlockedDecrement, InterlockedIncrement, VirtualQuery, WideCharToMultiByte, MultiByteToWideChar, lstrlenA, lstrcpynA, LoadLibraryExA, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetCurrentDirectoryA, GetCommandLineA, FreeLibrary, FindClose, ExitProcess, ExitThread, CreateThread, UnhandledExceptionFilter, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, GetStdHandle, GetFileSize, GetFileType, CreateFileA, CloseHandle, LoadStringA, MessageBoxA, CharNextA, RegQueryValueExA, RegOpenKeyExA, RegCloseKey, SysFreeString, SysReAllocStringLen, SysAllocStringLen, VerQueryValueA, GetFileVersionInfoSizeA, GetFileVersionInfoA, UnrealizeObject, StretchBlt, SetWindowOrgEx, SetWinMetaFileBits, SetViewportOrgEx, SetTextColor, SetStretchBltMode, SetROP2, SetPixel, SetEnhMetaFileBits, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SelectPalette, SelectObject, SaveDC, RestoreDC, RectVisible, RealizePalette, PlayEnhMetaFile, PatBlt, MoveToEx, MaskBlt, LineTo, IntersectClipRect, GetWindowOrgEx, GetWinMetaFileBits, GetTextMetricsA, GetTextExtentPoint32A, GetSystemPaletteEntries, GetStockObject, GetPixel, GetPaletteEntries, GetObjectA, GetEnhMetaFilePaletteEntries, GetEnhMetaFileHeader, GetEnhMetaFileBits, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetDCOrgEx, GetCurrentPositionEx, GetClipBox, GetBrushOrgEx, GetBitmapBits, GdiFlush, ExcludeClipRect, DeleteObject, DeleteEnhMetaFile, DeleteDC, CreateSolidBrush, CreatePenIndirect, CreatePalette, CreateHalftonePalette, CreateFontIndirectA, CreateDIBitmap, CreateDIBSection, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, CopyEnhMetaFileA, BitBlt, CreateBindCtx, MkParseDisplayName, CLSIDFromProgID, CLSIDFromString, CoCreateInstance, CoUninitialize, CoInitialize, ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_GetDragImage, ImageList_DragShowNolock, ImageList_SetDragCursorImage, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_Remove, ImageList_DrawEx, ImageList_Draw, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_ReplaceIcon, ImageList_Add, ImageList_SetImageCount, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create
** Note: the malware can load DLLs dynamically (and it does), so many more functions are available to the payload at runtime than the import table shows.
The strings found in the payload provide some information about the resources it will use during its execution or additional information regarding its nature such as:
- Use of strings recognized as belonging to the well-known Sysinternals software “RDCMan.exe”; some resources identical to those of that software are also loaded in the payload, for obfuscation purposes
- Insertion of strings useful for establishing remote connections
- Presence of “.xml” files used to establish persistence through “schtasks.exe”
- Presence of strings often used by Keyloggers
Dynamic Analysis – ph_decrypt.exe
Executing the Decryptor immediately drops several payloads, detected in folders other than the one in which the software is currently located.
Nevertheless, dynamic analysis alone does not reveal the true potential of the malware, as several pre-execution checks hide features that will be presented in the “Advanced Dynamic Analysis” explained in the next article.
Below is a list of commands executed by the payload to maintain persistence:
- cmd.exe /C schtasks /QUERY /TN “Google Chrome Helper Update”
- cmd.exe /C schtasks /CREATE /XML “C:\Users\Gigi\AppData\Local\Temp\r4j.xml” /TN “Google Chrome Helper Update”
A few seconds after the “main binary” is executed, a routine performs an environment check to verify the country and language used by the user, followed by the creation and execution of the following files:
- “.\.cache_ph_decrypt.exe” –> The real decryptor software
- “C:\Program Files (x86)\Google Chrome Helper\chromehelper.exe” –> Secondary payload
After about a minute of execution, “.\chromehelper.exe” creates “.\update.dll” and the folders “.\Log” and “.\Mlog”.
At this point the decryptor GUI is invoked and the user can proceed with entering the decryption key and selecting the UNC path to restore.
The research team then analyzed the activity performed by the “chromehelper.exe” payload, which is nothing more than a copy of “ph_decrypt.exe” without the “CX” resource [737KB – 60KB = 677KB].
As soon as it starts, “chromehelper.exe” creates a file called “r4j.xml” that is used almost immediately to set up persistence on the infected machine.
Thirty seconds after the PID related to “chromehelper.exe” starts, two invocations through shell32.dll are detected, running cmd.exe in order to establish persistence through Windows scheduled tasks (schtasks.exe).
The payload first checks whether a task is already present with the command “cmd.exe /C schtasks /QUERY /TN “Google Chrome Helper Update”” and, if it is not found, creates it with the second command “cmd.exe /C schtasks /CREATE /XML “C:\Users\Gigi\AppData\Local\Temp\r4j.xml” /TN “Google Chrome Helper Update””, which this time uses the previously created XML file for the task parameters.
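The QUERY-then-CREATE sequence above, with the task definition staged as an XML file in the user’s Temp folder, is a pattern that can be hunted in process-creation telemetry. The following Python is an added detection example written for this article (not Yarix tooling); the events are constructed, simplified Sysmon-style records (timestamp, parent PID, parent image, command line), and the thresholds and field names are assumptions.

```python
import re
from datetime import datetime

# Constructed process-creation events: (timestamp, parent PID, parent image, command line)
EVENTS = [
    ("2022-01-10 10:00:00", 4120, r"C:\Program Files (x86)\Google Chrome Helper\chromehelper.exe",
     r'cmd.exe /C schtasks /QUERY /TN "Google Chrome Helper Update"'),
    ("2022-01-10 10:00:01", 4120, r"C:\Program Files (x86)\Google Chrome Helper\chromehelper.exe",
     r'cmd.exe /C schtasks /CREATE /XML "C:\Users\Gigi\AppData\Local\Temp\r4j.xml" /TN "Google Chrome Helper Update"'),
    # Benign-looking control event: XML from ProgramData, no preceding /QUERY
    ("2022-01-10 10:05:00", 900, r"C:\Windows\System32\svchost.exe",
     r'schtasks /CREATE /XML "C:\ProgramData\Vendor\backup.xml" /TN "Vendor Backup"'),
]

CREATE_RE = re.compile(r'schtasks\s+/CREATE\b.*?/XML\s+"?(?P<xml>[^"]+?)"?\s+/TN\s+"?(?P<tn>[^"]+?)"?\s*$', re.I)
QUERY_RE = re.compile(r'schtasks\s+/QUERY\b.*?/TN\s+"?(?P<tn>[^"]+?)"?\s*$', re.I)
TEMP_RE = re.compile(r'\\AppData\\Local\\Temp\\', re.I)   # task XML staged in a user Temp folder
QUERY_CREATE_WINDOW_SECONDS = 60                          # assumed correlation window


def find_persistence(events):
    """Return alerts for schtasks /CREATE events matching the chromehelper.exe pattern."""
    alerts = []
    queried = {}  # (parent PID, task name) -> time of the last /QUERY for that task
    for ts, ppid, parent, cmd in events:
        t = datetime.fromisoformat(ts)
        q = QUERY_RE.search(cmd)
        if q:
            queried[(ppid, q["tn"].lower())] = t
            continue
        c = CREATE_RE.search(cmd)
        if not c:
            continue
        reasons = []
        if TEMP_RE.search(c["xml"]):
            reasons.append("task XML staged in user Temp")
        qt = queried.get((ppid, c["tn"].lower()))
        if qt is not None and (t - qt).total_seconds() <= QUERY_CREATE_WINDOW_SECONDS:
            reasons.append("QUERY-then-CREATE of same task from same parent")
        if reasons:
            alerts.append({"task": c["tn"], "xml": c["xml"], "parent": parent, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in find_persistence(EVENTS):
        print(alert)
```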
At this point the environment scanning phase begins, searching for unspecified information; the activity appears to be aimed at verifying the properties of every file on the system.
The main event of this phase occurs when a 32-bit executable is enumerated: an internal method replaces the original executable by applying a patch that forces the execution of “.cache_%FILENAME%.exe”, where the variable “%FILENAME%” takes the value of the original file name.
Once the files have been replaced, they appear in different ways as for some the icon is also changed to the same one used by the payload and others continue to keep their own as seen in the following snippet
This patch changes the size of the file and consequently also its hash
In the image snippet above you can see how the “Autologon.exe” file got patched even changing the application icon, from the default empty one to the “ComputerScreen”.
This modification consists of the addition of the resources already seen in the first payload (CX, EX, KD, TK, TMAINFORM, VR, WO), together with a change to the way the executable behaves, so that the inserted resources are executed.
Executing one of the modified binaries produces, much like the first start of “ph_decrypt.exe”, a copy of the process in the same folder with the “system file” and “hidden” attributes, and that copy is executed with “update.dll” injected into it.
In the next image you can see a normal execution of a maliciously patched “autologon.exe (Sysinternals)”
The true purpose of this complex infection is not yet clear, in fact, even after several hours of activity, there are no links to external C&C and/or other relevant activities. Surely this type of persistence and the worm functionality transform the device and potentially all other hosts on the network into ready-to-use bots.
The ph_decrypt.exe file is an executable (PE) with the following hashes:
The chromehelper.exe file is an executable (PE) with the following hashes:
The cx.exe file is an executable (PE) with the following hashes:
Prevention & Hunting
Yarix Labs is constantly working to trace the movements of APT groups by profiling their techniques and attack patterns, in order to provide one of the best security services to its customers, ranging from Incident Response, Cyber Threat Intelligence and Red Teaming to Security Operation Center Monitoring.
In the next article YIR Labs will deepen the analysis of the code attached to the replaced legitimate files, investigating through Advanced Dynamic and Static Analysis all the most gory aspects of this sophisticated malware, whose main purpose is still obscure.
Indicators of compromise
What follows are all the IoCs identified during the analysis of the malware samples carried out to draft this article.
Nicolas Fasolo is a member of the Yarix Incident Response Team. In his free time he works as an independent “Security Researcher” and “Security Developer” with an unbridled passion for malware analysis. During his CEH Master certification training path he achieved Top 1 in the world for the “Quarter 4 December 2021”. Author of the “Cybersecurity Podcast”.