Advanced Phobia


Ransomware Gang Details

Phobos ransomware, first discovered in December 2018, is another notorious cyber threat that targets businesses.

Phobos is popular among threat actors because of its simple design. The gang’s name was likely inspired by Phobos, the Greek god thought to be the personification of fear and panic.

Phobos is a ransomware infection that spreads through hijacked Remote Desktop Protocol (RDP) connections. This isn’t surprising: hacked RDP servers are a cheap commodity on the underground market and are an appealing, cost-effective distribution route for threat actors.

Additionally, Phobos is neither packed nor obfuscated, unlike the majority of malware, which is protected by a crypter. Although the absence of packing is uncommon in the malware population as a whole, it is widespread among malware that attackers distribute by hand.

Observed Targets Industries

Unlike other gangs that look for medium-sized or enterprise targets, the Phobos team usually goes after smaller firms that lack the financial means to pay massive ransoms. Phobos is standard ransomware that offers little innovation. The gang does not use the double-extortion approach; indeed, there have been no reports of underground leak sites revealing confidential information about its victims. The threat of leaking is most likely included only to pressure the victim, capitalizing on fears sparked by other high-profile ransomware attacks.

INTRODUCTION

Yarix Response Team First Engagement

In a previous blog post called “Phobia”, Yarix’s Research Labs (YLABS) analyzed a specific binary related to Phobos ransomware to check whether it only decrypts the data encrypted by the ransomware; as expected, the payload turned out to be a curious one, full of insidious functionality that can only be seen through advanced techniques.

This article picks up where the previous post left off, uncovering what still remains obscure.

Now let’s dive into it!

Malware Analysis

The analysis of the malware found by the YIR team (Yarix Incident Response Team) has been divided into two articles; the first part, covering the “static” and “dynamic” analysis, is available in the previous post.

If you have already read the first article and want to dive into the “nerdy stuff”, keep reading.

Advanced Dynamic Analysis (Functions Walkthrough)

Anti-Debugging Function

After execution has started and some code has already run, the payload starts looking for injected code or debuggers through a dedicated function, highlighted with the “DEBUGGER AWARE FUNCTION” comment in the screenshot below.

Advanced Dynamic Analysis – Anti-Debugging & Code Injection Function

To bypass that check, the binary was patched with a “jmp” instruction to the next code section.

Keyboard Language Detection Routine

As we know, advanced malware always performs some checks on the infected target’s environment. Here too, keyboard language checks could not be missing, their purpose being to determine the origin of the infected host; the following screenshots show some of the methods found during the debugging activities.

Advanced Dynamic Analysis – GetKeyboardType

The GetKeyboardType call, as the name says, retrieves information about the keyboard layout and settings.

Dynamic Analysis – language value check (Reg – HKCU)

Some registry checks were made in the current user hive to retrieve additional information about the keyboard in use.

Advanced Dynamic Analysis – language value check (Reg – HKLM)

Additionally, the following strings were found inside the binary:

ANSI_CHARSET, DEFAULT_CHARSET, SYMBOL_CHARSET, MAC_CHARSET, SHIFTJIS_CHARSET, HANGEUL_CHARSET, JOHAB_CHARSET, GB2312_CHARSET, CHINESEBIG5_CHARSET, GREEK_CHARSET, TURKISH_CHARSET, HEBREW_CHARSET, ARABIC_CHARSET, BALTIC_CHARSET, RUSSIAN_CHARSET, THAI_CHARSET, EASTEUROPE_CHARSET, OEM_CHARSET, DEFAULT_CHARSET

However, those charset strings were never compared during the observed malware execution. Many advanced malware samples include “noise” code and functions just to misdirect debugging of the payload, so the analyst ends up following rabbit holes that make the analysis longer and harder to comprehend.

File Patching Routine

During debugging and reverse engineering, many hidden functions were revealed by the defenses implemented to protect them, such as infinite-loop functions and methods that throw an exception if certain conditions are not met during execution. One of these “hidden routines” is the “File Patching Routine”, which takes an x86 binary and appends two payloads to it, effectively creating a matryoshka in which, from that moment on, the malware puppets the execution of the real infected file.

Let’s see how it works step by step!

The biggest portion of the malicious code resides at the top of the file, while the second one closes the original binary with some uncommon Base64 artifacts.

Advanced Dynamic Analysis – Patched file structure

Looking at the process with a common process monitor such as Sysinternals’ Process Monitor, we can see how it takes the binary to be patched, moves it into a temporary directory, applies the patches and then copies it back to the original location.

Advanced Dynamic Analysis – Process Monitor File Patching routine

The function that does this dirty work is located deep inside the malware routines and is referenced by a “7-zip” string.

Advanced Dynamic Analysis – Decompression Routine

Once the method has gone through all its instructions, we can finally see the “top” payload come to light.

Advanced Dynamic Analysis – “Top” Payload

In the same manner, the payload that goes at the end of the infected file gets injected into the (by now) infected binary.

Advanced Dynamic Analysis – Infected file structure differences

It is not hard at this point to see the differences between a clean binary and an infected one; below are the changes made by the whole file patching routine:

  • Malicious resources are copied from the infecting payload to the patched one
    • “CX” is the actual Phobos ransomware decryption tool

Advanced Dynamic Analysis – “CX” Resource (Ransomware Decryptor)

  • The original file icon is replaced with the one that resides in the infecting payload

Advanced Dynamic Analysis – Icon Change

  • General file size change (+678 KB)

Advanced Dynamic Analysis – Infected file dissection

After a few seconds of execution, the result is an infection spread across most 32-bit binaries.

Advanced Dynamic Analysis – Temporary files
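As an added triage example (not code from the original post or from Yarix), the following Python script parses a 32-bit PE’s section table to find where the last section ends and checks whether the data past that point (the overlay) ends in a long Base64-looking run, the kind of trailing artifact described above. The minimal PE builder and the two sample files are constructed here for the demonstration; the regex length is an assumed threshold to tune on real data.

```python
import re
import struct

# A long run of Base64-alphabet characters at the very end of the file is the
# heuristic marker for the appended payload; the 64-char minimum is an assumption.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}\s*$")

def section_table_end(data: bytes):
    """Return (machine, end_of_last_section) for a PE image, or None if not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    coff = e_lfanew + 4
    machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    sec_table = coff + 20 + opt_size            # section headers follow the optional header
    end = 0
    for i in range(nsec):                       # SizeOfRawData at +16, PointerToRawData at +20
        raw_size, raw_ptr = struct.unpack_from("<II", data, sec_table + 40 * i + 16)
        end = max(end, raw_ptr + raw_size)
    return machine, end

def inspect_pe(data: bytes) -> dict:
    """Triage a PE: is it 32-bit, how large is its overlay, does the overlay end in Base64?"""
    parsed = section_table_end(data)
    if parsed is None:
        return {"is_pe": False}
    machine, end = parsed
    overlay = data[end:]
    return {
        "is_pe": True,
        "is_32bit": machine == 0x14C,           # IMAGE_FILE_MACHINE_I386
        "overlay_size": len(overlay),
        "b64_tail": B64_RUN.search(overlay) is not None,
    }

def build_sample_pe(section: bytes, overlay: bytes = b"") -> bytes:
    """Construct a minimal 32-bit PE (demo input only, not a runnable program)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    opt = b"\x0b\x01" + b"\0" * 222                              # PE32 magic, rest zeroed
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x0102)
    raw_ptr = 0x40 + 4 + len(coff) + len(opt) + 40               # one 40-byte section header
    sec = b".text\0\0\0" + struct.pack("<IIII", len(section), 0x1000, len(section), raw_ptr) + b"\0" * 16
    return dos + b"PE\0\0" + coff + opt + sec + section + overlay

# Constructed samples: a clean file and one with a Base64 blob appended after the last section.
CLEAN = build_sample_pe(b"\x90" * 64)
INFECTED = build_sample_pe(b"\x90" * 64, b"\0" * 16 + b"QUJD" * 32 + b"==")
```

A non-empty overlay is normal for installers and signed binaries, so treat `b64_tail` as a lead for hashing and resource inspection rather than a verdict on its own.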

Hidden RAT Drop

One of the core functions drops an executable called “chromehelper.exe” by extracting it from the malware’s initial payload; this binary, once executed, creates two folders called “Mlog” and “Log”, together with a file called “update.dll”.

Advanced Dynamic Analysis – Segment of RAT components deployment routine

Advanced Dynamic Analysis – RAT environment establishment

From then on, “chromehelper.exe” hooks into pretty much every process the user runs, gathering information about what is happening, and executes every time the user boots the device thanks to a Windows scheduled task created after a super-fast PID change (a common AV evasion technique).

Advanced Dynamic Analysis – Google Chrome Helper task

By watching the queried paths, a file caught our attention under “C:\Program Files (x86)\Google Chrome Helper\Log\%DDMMYY%”, probably a support file for data exfiltration.

Advanced Dynamic Analysis – File Events (chromehelper.exe)

During dynamic analysis, rapid in-memory data storage activity triggered by user interaction was detected; this activity creates the “YYMMDD” file inside the “Log” directory, as shown in the screenshot above.

Even after gaining a full understanding of the malware’s functionality by reversing and debugging it in various ways, YLABS kept the process alive for some hours without luck.

In fact, no C2 communication or other interesting activity was seen. Nonetheless, thanks to the other analysis methods we used, it can be said with reasonable confidence that this (now) inactive payload was once an active Remote Access Tool used by the attackers to keep covert access to the decrypted infrastructure.

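As an added hunting example (not code from the original post or from Yarix), the following Python function scores a host’s scheduled task names and file inventory against the artifacts described in this section: the “Google Chrome Helper” task, the install directory with its Log/Mlog subfolders and update.dll, a six-digit date-named log file, and the SHA256 hashes of chromehelper.exe and update.dll listed later in the article. The task and file lists are constructed for the demonstration; how you collect them (EDR export, PowerShell, an agent) is up to you.

```python
import re
from pathlib import PureWindowsPath

# SHA256 values taken from the article's IoC list.
KNOWN_SHA256 = {
    "fff252ef04d8a313b230bb585de920df9ccd8b5d2f61995eecd45e13e58a7fdd": "chromehelper.exe",
    "f8023d85a9923810247feb245a0257bee3aa507f316bcca443bb4411637713b1": "update.dll",
}
INSTALL_DIR = PureWindowsPath(r"C:\Program Files (x86)\Google Chrome Helper")
TASK_NAME = "google chrome helper"
DATE_FILE = re.compile(r"^\d{6}$")   # six-digit date-named log file (DDMMYY or YYMMDD)

def hunt(tasks, files):
    """Score host artifacts against the indicators described in the article.

    tasks: iterable of scheduled task names.
    files: iterable of (windows_path, sha256_hex_or_None).
    Returns a list of human-readable findings; an empty list means nothing matched.
    """
    findings = []
    if any(t.strip().lower() == TASK_NAME for t in tasks):
        findings.append(f"scheduled task named '{TASK_NAME}' present")
    for raw_path, digest in files:
        p = PureWindowsPath(raw_path)
        if digest and digest.lower() in KNOWN_SHA256:
            findings.append(f"{p}: hash matches IoC for {KNOWN_SHA256[digest.lower()]}")
        try:
            rel = p.relative_to(INSTALL_DIR)    # PureWindowsPath compares case-insensitively
        except ValueError:
            continue                            # not under the install directory
        parts = [x.lower() for x in rel.parts]
        if len(parts) == 2 and parts[0] in ("log", "mlog") and DATE_FILE.match(parts[1]):
            findings.append(f"{p}: date-named file under {parts[0].title()} directory")
        elif parts == ["update.dll"]:
            findings.append(f"{p}: update.dll in install directory")
    return findings

# Constructed host inventory for the demonstration (not real telemetry).
SAMPLE_TASKS = ["MicrosoftEdgeUpdateTaskMachineCore", "Google Chrome Helper"]
SAMPLE_FILES = [
    (r"C:\Program Files (x86)\Google Chrome Helper\chromehelper.exe",
     "fff252ef04d8a313b230bb585de920df9ccd8b5d2f61995eecd45e13e58a7fdd"),
    (r"C:\Program Files (x86)\Google Chrome Helper\Log\120122", None),
    (r"C:\Program Files (x86)\Google Chrome Helper\update.dll", "0" * 64),  # unknown hash
    (r"C:\Windows\System32\kernel32.dll", None),
]
```

The path and task checks catch a recompiled or repacked build whose hashes no longer match the article, which is why they are scored independently of the hash list.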
ph_decrypt.exe

The ph_decrypt.exe file is an executable (PE) with the following hashes:

MD5: 89ca56158e78e180ef2a878a8aa42b1b

SHA1: 31998851095818c24d01117301ca93c4d7ccaca8

SHA256: 5bcc043f2a2b19d8b18837553f17fa6e56c418c6720ccffa083f7469d8b2aa54


chromehelper.exe

The chromehelper.exe file is an executable (PE) with the following hashes:

MD5: ca0b28f42c6c21a79fedaad02ca615b7

SHA1: 0468a398f0ccadbb2db5f70434f6751b3f470c6a

SHA256: fff252ef04d8a313b230bb585de920df9ccd8b5d2f61995eecd45e13e58a7fdd


Update.dll

The update.dll file is a Dynamic Link Library (DLL) with the following hashes:

MD5: aaec25e4932912e9327696fcf44a513e

SHA1: 51b5bb58cf195cc7fa781d53a4883c948c339d41

SHA256: f8023d85a9923810247feb245a0257bee3aa507f316bcca443bb4411637713b1


Upper_Injection

The “Upper_Injection” code is an executable (PE-Win32) with the following hashes:

MD5: 4f64bdbd3c952fa51ab26c346c523802

SHA1: 5b6b6841ac526007459d4cf9c1595813fae6ce9d

SHA256: 5b29b069d126dbd05c50ca2e09bc59757644ed1052f10b2d8af5eeed9d8cbfb4


Lower_Injection

The “Lower_Injection” code is a blob of code with the following hashes:

MD5: 349dd0abd39571658d616e41363ccd0d

SHA1: aa163345dedfcd3ccc3420fca33fff18bc117bd6

SHA256: 5b01064b5e620ba9a0c9738b67dec0c984ecc1c8ab8e270975779ca2fac02876


Prevention & Hunting

Yarix Labs constantly works to trace APT groups’ movements by profiling their techniques and attack patterns, in order to provide some of the best security services to its customers, ranging from Incident Response, Cyber Threat Intelligence and Red Teaming to Security Operation Center monitoring.

APPENDIX

Indicators of compromise

What follows are all the IoCs identified during the analysis of the malware samples examined to draft this article.

Data Type   Value
File Name   ph_decrypt.exe
MD5         89ca56158e78e180ef2a878a8aa42b1b
SHA1        31998851095818c24d01117301ca93c4d7ccaca8
SHA256      5bcc043f2a2b19d8b18837553f17fa6e56c418c6720ccffa083f7469d8b2aa54

File Name   chromehelper.exe
MD5         ca0b28f42c6c21a79fedaad02ca615b7
SHA1        0468a398f0ccadbb2db5f70434f6751b3f470c6a
SHA256      fff252ef04d8a313b230bb585de920df9ccd8b5d2f61995eecd45e13e58a7fdd

File Name   cx.exe (malware resource)
MD5         0566d73da02ac32ae31dd63ec363fd25
SHA1        b8a4e64aa7ddfa2b3cac6aadf16b17caaafbf4ab
SHA256      0ed85d779d7ed73e72bbcdfb91cc8334dade8dc3836eb705db53737cfa267177

File Name   Update.dll
MD5         aaec25e4932912e9327696fcf44a513e
SHA1        51b5bb58cf195cc7fa781d53a4883c948c339d41
SHA256      f8023d85a9923810247feb245a0257bee3aa507f316bcca443bb4411637713b1

Author

Nicolas Fasolo is a member of the Yarix Incident Response Team. In his free time he works as an independent “Security Researcher” and “Security Developer” with an unbridled passion for malware analysis. During his CEH Master certification training path he achieved Top 1 in the world for “Quarter 4 December 2021”. Author of the “Cybersecurity Podcast”.