Phobos ransomware, first discovered in December 2018, is another notorious cyber threat actor which targets businesses.
Phobos is popular among threat actors because of its simple design. In addition, the Greek god Phobos was thought to be the incarnation of fear and panic: the gang’s name was likely inspired by him.
Phobos is a ransomware infection that spreads through hijacked Remote Desktop (RDP) connections. This isn’t surprising, given that hacked RDP servers are a cheap commodity on the underground market and can be an appealing and cost-effective distribution route for threat actors.
Additionally, Phobos is not packed or obfuscated, unlike the majority of malware which is secured by a crypter. Although the absence of packing is not frequent in the general population of malware, it is widespread among malware that is manually distributed by attackers.
Unlike other gangs that look for medium/enterprise targets, Phobos team usually go after smaller firms that don’t have the financial wherewithal to pay massive ransoms. Phobos is standard ransomware that offers little in innovation. They do not use the double extortion approach, indeed there have been no reports of any underground leak sites revealing confidential information about their targets. This threat is most likely inserted to influence the victim, capitalizing on worries sparked by other high-profile ransomware attacks.
Yarix’s Research Labs (YLABS) in a previous blog post called “Phobia” has analyzed a specific binary related to Phobos ransomware to check if it does only decrypt the data encrypted by it; as expected the payload turned out to be a funny one, full of insidious functionalities that can be seen only through advanced techniques.
In this article the task is to pick up where it has been left off in the previous post, uncovering what still remains obscure.
Now let’s dive into it!
The analysis of the malware found by the YIR team (Yarix Incident Response Team) has been divided in two articles, you can find the first part that comprehend “Static” and “Dynamic” analysis by clicking HERE.
If you already read the first article and want to dive into the “nerdy stuff”, keep reading.
After the execution started and some code has already been executed the payload starts to look for injected code or debuggers through a dedicated function that has been highlighted with the “DEBUGGER AWARE FUNCTION” comment as you can see in the screenshot below
To avoid that check the binary has been patched with a “jmp” instruction to the next code section.
As we know, every advanced malware always does some checks on the infected target’s environment. Also in this case some nice Keyboard Language Checks could not be missing in order to determine the origin of the infected host; following screenshots show some of the methods that have been found during debugging activities
GetKeyboardType call as the name says, gets some informations about the keyboard layout and settings
Some checks in the registry were made in the current user hive to retrieve additional informations about utilized Keyboard
Additionally, the following strings has been found inside the binary
ANSI_CHARSET, DEFAULT_CHARSET, SYMBOL_CHARSET, MAC_CHARSET, SHIFTJIS_CHARSET, HANGEUL_CHARSET, JOHAB_CHARSET, GB2312_CHARSET, CHINESEBIG5_CHARSET, GREEK_CHARSET, TURKISH_CHARSET, HEBREW_CHARSET, ARABIC_CHARSET, BALTIC_CHARSET, RUSSIAN_CHARSET, THAI_CHARSET, EASTEUROPE_CHARSET, OEM_CHARSET, DEFAULT_CHARSET
Anyway, those charsets strings have never been compared during the observed malware execution. However many advanced malware samples utilize “noise” code and functions just to misdirect payload’s debugging; so the analysts gets to follow rabbit holes that make analysis longer in terms of time and harder to comprehend.
During debugging and reverse engineering operations many hidden functions have been highlighted by the defenses implemented to protect them like infinite loop functions and methods that throw an exception if certain conditions are not met during execution. One of these “Hidden Routines” is the “File Patching Routine” that basically takes a x86 Binary and appends two payloads inside it, effectively creating a matryoshka where the malware from that moment on will puppet the execution of the real infected file.
Let’s see how it works step by step!
The biggest portion of the malicious code resides on top of the file meanwhile the second one closes the original binary with some uncommon B64 artifacts
Looking at the process with a common “Process Monitor” like sysinternal’s one we can see how it takes the current binary that has to be patched, moves it into temp, applies the patches and then it proceed by copying it in the original location
The function that does this dirty work is located deep inside the malware routines and it is referenced with a “7-zip” string.
Advanced Dynamic Analysis – Decompression RoutineOnce the method has gone through all the instructions, we can finally appreciate the “top” payload come to light
And in the same manner the one that goes at the end of the infected file gets injected into the (at this point) infected binary.
It’s not hard at this point to see the differences from a good binary and an infected one, below are the changes that are made by the whole file patching routine:
- Malicious resources are being copied from the infecting payload to the patched one
- “CX” is the actual Phobos Ransomware decryption tool
- Original file icon changes with the one that resides on the infecting payload
- General file size change (+ 678 KB)
After a few seconds of execution, the result is an infection distributed on most 32-bit binaries
One of the core functions takes care to drop an executable called “chromehelper.exe” by extracting it from the malware initial payload; this binary, once executed, creates two folders called respectively “Mlog” and “Log” together with a file called “update.dll”
From now on “chromehelper.exe” will hook on pretty much all processes the user uses to gather information about what is happening and executing every time the user boots his device thanks to a windows task created after a super-fast PID change (common AV evasion technique)
By watching the queried paths a file took our attention under “C:\Program Files (x86)\Google Chrome Helper\Log\%DDMMYY%”, probably a support file for data exfiltration
During dynamic analyses, a rapid in-memory data storage activity triggered by user interaction is detected, this activity takes care to create the “YYMMDD” file inside “Log” directory, as you can see in the screenshot above.
YLABS even after getting a full comprehension of the malware functionalities by reversing and debugging it in various ways kept the process alive for some hours without luck.
In fact no C2 communication nor interesting activity was seen, although, thanks to all the other analysis methods we utilized it is easy to say with enough confidence that this (now) unactive payload once upon a time was an active Remote Access Tool utilized by attackers to keep a secret access to the decrypted infrastructure.
The ph_decrypt.exe file is an executable (PE) with the following hashes:
The chromehelper.exe file is an executable (PE) with the following hashes:
Il file update.dll è un file Dynamic Link Library (DLL) con i seguenti hash:
The “Upper_Injection” code is an executable (PE-Win32) with the following hashes:
The “Lower_Injection” code is a bunch of code with the following hashes:
Yarix Labs is constantly working to trace APT Groups movements by profiling their techniques and attack patterns to provide one of the bests Security Service to his customers ranging from Incident Response, Cyber Threat Intelligence, Red Teaming to Security Operation Center Monitoring.
What follows are all the IoCs identified during all malwares analysis done to draft the current article
|Name||cx.exe (malware resource)|
Nicolas Fasolo is a member of the Yarix Incident Response Team. In the free time he works as an independent “Security Researcher” and “Security Developer” with an unbridled passion for malware analysis. During his CEH Master certification training path he achieved Top 1 in the world for the “Quarter 4 December 2021”. “Cybersecurity Podcast” Author.