Phobos (Malware Family)

SYMBOL	COMMON_NAME	aka. SYNONYMS

win.phobos (Back to overview)

Phobos

VTCollection

MalwareBytes states that Phobos is one of the ransomware families that are distributed via hacked Remote Desktop (RDP) connections. This isn't surprising, as hacked RDP servers are a cheap commodity on the underground market, and can make for an attractive and cost efficient dissemination vector for threat groups.

References

2024-11-20 ⋅ Trellix ⋅ Jambul Tologonov, John Fokker, Phuc Pham
Phobos: Stealthy Ransomware That Operated Under the Radar - Until Now
8Base CryptXXXX Dharma Phobos

2024-05-30 ⋅ circleid ⋅ WhoisXML API
A DNS Investigation of the Phobos Ransomware 8Base Attack
8Base Phobos

2024-05-21 ⋅ S-RM ⋅ Frank de Korte
Phobos ransomware launches new leak site and pivots towards double extortion
Phobos

2024-03-18 ⋅ PCrisk ⋅ Tomas Meskauskas
FORCE (.FORCE) ransomware virus – removal and decryption options
Phobos

2024-02-19 ⋅ Cyber Geeks ⋅ CyberMasterV
A Technical Analysis of the BackMyData Ransomware Used to Attack Hospitals in Romania
Phobos

2024-02-15 ⋅ DNSC ⋅ Directoratul National de Securitate Cibernetica
Backmydata Ransomware
Phobos

2023-11-23 ⋅ Qualys ⋅ Suraj Mundalik
Unveiling the Deceptive Dance: Phobos Ransomware Masquerading As VX-Underground
Phobos

2023-11-17 ⋅ Cisco Talos ⋅ Guilherme Venere
Understanding the Phobos affiliate structure and activity
Phobos

2023-11-17 ⋅ Cisco Talos ⋅ Guilherme Venere
A deep dive into Phobos ransomware, recently deployed by 8Base group
8Base Phobos

2023-08-23 ⋅ Logpoint ⋅ Anish Bogati, Nischal khadgi
Defending Against 8base: Uncovering Their Arsenal and Crafting Responses
8Base Phobos SmokeLoader SystemBC

2023-07-17 ⋅ Acronis ⋅ Acronis Security
8Base ransomware stays unseen for a year
8Base Phobos SmokeLoader

2023-06-30 ⋅ Twitter (@rivitna2) ⋅ @rivitna2
Twitter thread about relationship between 8Base and Phobos ransomware
8Base Phobos

2023-06-28 ⋅ vmware ⋅ Bria Beathley, Dana Behling, Deborah Snyder, Fae Carlisle
8Base Ransomware: A Heavy Hitting Player
8Base Phobos SmokeLoader SystemBC

2023-02-23 ⋅ CERT.PL ⋅ Jarosław Jedynak, Michał Praszmo
A tale of Phobos - how we almost cracked a ransomware using CUDA
Phobos

2022-05-09 ⋅ Microsoft ⋅ Microsoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC)
Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself
AnchorDNS BlackCat BlackMatter Conti DarkSide HelloKitty Hive LockBit REvil FAKEUPDATES Griffon ATOMSILO BazarBackdoor BlackCat BlackMatter Blister Cobalt Strike Conti DarkSide Emotet FiveHands Gozi HelloKitty Hive IcedID ISFB JSSLoader LockBit LockFile Maze NightSky Pandora Phobos Phoenix Locker PhotoLoader QakBot REvil Rook Ryuk SystemBC TrickBot WastedLocker BRONZE STARLIGHT

2022-03-03 ⋅ PARAFLARE ⋅ Bex Nitert
Luci Spools The Fun With Phobos Ransomware
Phobos

2021-11-05 ⋅ Blackberry ⋅ The BlackBerry Research & Intelligence Team
Hunter Becomes Hunted: Zebra2104 Hides a Herd of Malware
Cobalt Strike DoppelDridex Mount Locker Phobos StrongPity

2021-10-07 ⋅ Kaspersky ⋅ Fedor Sinitsyn, Yanis Zinchenko
Ransomware in the CIS
Cryakl Dharma Hakbit Phobos Void

2021-07-22 ⋅ ⋅ Serviciul Român de Informații ⋅ Serviciul Român de Informații
Cyber attack with PHOBOS ransomware application
Phobos

2021-05-11 ⋅ Mal-Eats ⋅ mal_eats
Campo, a New Attack Campaign Targeting Japan
AnchorDNS BazarBackdoor campoloader Cobalt Strike Phobos Snifula TrickBot Zloader

2021-05-10 ⋅ Mal-Eats ⋅ mal_eats
Overview of Campo, a new attack campaign targeting Japan
AnchorDNS BazarBackdoor Cobalt Strike ISFB Phobos TrickBot Zloader

2021-04-27 ⋅ CrowdStrike ⋅ Eben Kaplan, Josh Dalman, Kamil Janton
Ransomware Preparedness: A Call to Action
Dharma GlobeImposter Maze Phobos CIRCUS SPIDER TRAVELING SPIDER

2021-04-26 ⋅ CoveWare ⋅ CoveWare
Ransomware Attack Vectors Shift as New Software Vulnerability Exploits Abound
Avaddon Clop Conti DarkSide Egregor LockBit Mailto Phobos REvil Ryuk SunCrypt

2021-04-12 ⋅ PTSecurity ⋅ PTSecurity
PaaS, or how hackers evade antivirus software
Amadey Bunitu Cerber Dridex ISFB KPOT Stealer Mailto Nemty Phobos Pony Predator The Thief QakBot Raccoon RTM SmokeLoader Zloader

2021-04-02 ⋅ Morphisec ⋅ Michael Gorelik
The “Fair” Upgrade Variant of Phobos Ransomware
Makop Phobos

2021-03-17 ⋅ Palo Alto Networks Unit 42 ⋅ Unit42
Ransomware Threat Report 2021
RansomEXX Dharma DoppelPaymer Gandcrab Mailto Maze Phobos RansomEXX REvil Ryuk WastedLocker

2020-10-13 ⋅ Fortinet ⋅ Xiaopeng Zhang
Deep Analysis – The EKING Variant of Phobos Ransomware
Phobos

2020-07-29 ⋅ ESET Research ⋅ welivesecurity
THREAT REPORT Q2 2020
DEFENSOR ID HiddenAd Bundlore Pirrit Agent.BTZ Cerber ClipBanker CROSSWALK Cryptowall CTB Locker DanaBot Dharma Formbook Gandcrab Grandoreiro Houdini ISFB LockBit Locky Mailto Maze Microcin Nemty NjRAT Phobos PlugX Pony REvil Socelars STOP Tinba TrickBot WannaCryptor

2020-04-24 ⋅ Advanced Intelligence ⋅ Bridgit Sullivan
Inside "Phobos" Ransomware: "Dharma" Past & Underground
Dharma Phobos

2020-03-04 ⋅ CrowdStrike ⋅ CrowdStrike
2020 CrowdStrike Global Threat Report
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelDridex DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot Vidar Winnti ANTHROPOID SPIDER APT23 APT31 APT39 APT40 BlackTech BuhTrap Charming Kitten CLOCKWORK SPIDER DOPPEL SPIDER FIN7 Gamaredon Group GOBLIN PANDA MONTY SPIDER MUSTANG PANDA NARWHAL SPIDER NOCTURNAL SPIDER PINCHY SPIDER SALTY SPIDER SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER VICEROY TIGER

2020-02-25 ⋅ RSA Conference ⋅ Joel DeCapua
Feds Fighting Ransomware: How the FBI Investigates and How You Can Help
FastCash Cerber Defray Dharma FriedEx Gandcrab GlobeImposter Mamba Phobos Rapid Ransom REvil Ryuk SamSam Zeus

2020-01-17 ⋅ Secureworks ⋅ Keita Yamazaki, Tamada Kiyotaka, You Nakatsuru
Is It Wrong to Try to Find APT Techniques in Ransomware Attack?
Defray Dharma FriedEx Gandcrab GlobeImposter Matrix Ransom MedusaLocker Phobos REvil Ryuk SamSam Scarab Ransomware

2020-01-10 ⋅ Malwarebytes ⋅ Jovi Umawing
Threat spotlight: Phobos ransomware lives up to its name
Phobos

2020-01-01 ⋅ Blackberry ⋅ Blackberry Research
State of Ransomware
Maze MedusaLocker Nefilim Phobos REvil Ryuk STOP

2019-07-24 ⋅ Malwarebytes ⋅ hasherezade
A deep dive into Phobos ransomware
Phobos

2019-01-29 ⋅ CodeWare ⋅ CoveWare
Phobos Ransomware, A Combo of CrySiS and Dharma
Phobos

Yara Rules

[TLP:WHITE] win_phobos_auto (20241030 | Detects win.phobos.)

rule win_phobos_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2024-10-31"
        version = "1"
        description = "Detects win.phobos."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.phobos"
        malpedia_rule_date = "20241030"
        malpedia_hash = "26e26953c49c8efafbf72a38076855d578e0a2e4"
        malpedia_version = "20241030"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 50 ff36 ff15???????? 8bd8 83fbff 7509 ff15???????? }
            // n = 7, score = 100
            //   50                   | push                eax
            //   ff36                 | push                dword ptr [esi]
            //   ff15????????         |                     
            //   8bd8                 | mov                 ebx, eax
            //   83fbff               | cmp                 ebx, -1
            //   7509                 | jne                 0xb
            //   ff15????????         |                     

        $sequence_1 = { 5b c9 c3 8b4620 85c0 7407 50 }
            // n = 7, score = 100
            //   5b                   | pop                 ebx
            //   c9                   | leave               
            //   c3                   | ret                 
            //   8b4620               | mov                 eax, dword ptr [esi + 0x20]
            //   85c0                 | test                eax, eax
            //   7407                 | je                  9
            //   50                   | push                eax

        $sequence_2 = { 33ff 5b c6043080 3bc3 40 730e 3bc3 }
            // n = 7, score = 100
            //   33ff                 | xor                 edi, edi
            //   5b                   | pop                 ebx
            //   c6043080             | mov                 byte ptr [eax + esi], 0x80
            //   3bc3                 | cmp                 eax, ebx
            //   40                   | inc                 eax
            //   730e                 | jae                 0x10
            //   3bc3                 | cmp                 eax, ebx

        $sequence_3 = { ff15???????? 89442414 e8???????? 6a00 6a14 89442420 e8???????? }
            // n = 7, score = 100
            //   ff15????????         |                     
            //   89442414             | mov                 dword ptr [esp + 0x14], eax
            //   e8????????           |                     
            //   6a00                 | push                0
            //   6a14                 | push                0x14
            //   89442420             | mov                 dword ptr [esp + 0x20], eax
            //   e8????????           |                     

        $sequence_4 = { 68a00f0000 8d4610 50 ff15???????? }
            // n = 4, score = 100
            //   68a00f0000           | push                0xfa0
            //   8d4610               | lea                 eax, [esi + 0x10]
            //   50                   | push                eax
            //   ff15????????         |                     

        $sequence_5 = { 8b450c 83c414 85c0 7408 8b0e 8b4c3908 }
            // n = 6, score = 100
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]
            //   83c414               | add                 esp, 0x14
            //   85c0                 | test                eax, eax
            //   7408                 | je                  0xa
            //   8b0e                 | mov                 ecx, dword ptr [esi]
            //   8b4c3908             | mov                 ecx, dword ptr [ecx + edi + 8]

        $sequence_6 = { 59 50 8945fc e8???????? 8bf8 59 85ff }
            // n = 7, score = 100
            //   59                   | pop                 ecx
            //   50                   | push                eax
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   e8????????           |                     
            //   8bf8                 | mov                 edi, eax
            //   59                   | pop                 ecx
            //   85ff                 | test                edi, edi

        $sequence_7 = { 333c9dd0b54000 8bda 23d8 333c9dd0c14000 8b5df0 337910 }
            // n = 6, score = 100
            //   333c9dd0b54000       | xor                 edi, dword ptr [ebx*4 + 0x40b5d0]
            //   8bda                 | mov                 ebx, edx
            //   23d8                 | and                 ebx, eax
            //   333c9dd0c14000       | xor                 edi, dword ptr [ebx*4 + 0x40c1d0]
            //   8b5df0               | mov                 ebx, dword ptr [ebp - 0x10]
            //   337910               | xor                 edi, dword ptr [ecx + 0x10]

        $sequence_8 = { 83c104 83fe08 72d6 8b0a 83e90a 0f8466010000 49 }
            // n = 7, score = 100
            //   83c104               | add                 ecx, 4
            //   83fe08               | cmp                 esi, 8
            //   72d6                 | jb                  0xffffffd8
            //   8b0a                 | mov                 ecx, dword ptr [edx]
            //   83e90a               | sub                 ecx, 0xa
            //   0f8466010000         | je                  0x16c
            //   49                   | dec                 ecx

        $sequence_9 = { 2bfa 53 0fb716 0fb71c37 663bd3 770a 720d }
            // n = 7, score = 100
            //   2bfa                 | sub                 edi, edx
            //   53                   | push                ebx
            //   0fb716               | movzx               edx, word ptr [esi]
            //   0fb71c37             | movzx               ebx, word ptr [edi + esi]
            //   663bd3               | cmp                 dx, bx
            //   770a                 | ja                  0xc
            //   720d                 | jb                  0xf

    condition:
        7 of them and filesize < 139264
}

Download all Yara Rules

Phobos Propose Change

References

Yara Rules

Phobos