SYMBOLCOMMON_NAMEaka. SYNONYMS
win.phobos (Back to overview)

Phobos

MalwareBytes states that Phobos is one of the ransomware families that are distributed via hacked Remote Desktop (RDP) connections. This isn't surprising, as hacked RDP servers are a cheap commodity on the underground market, and can make for an attractive and cost efficient dissemination vector for threat groups.

References
2023-02-23CERT.PLJarosław Jedynak, Michał Praszmo
@online{jedynak:20230223:tale:4a0d4cd, author = {Jarosław Jedynak and Michał Praszmo}, title = {{A tale of Phobos - how we almost cracked a ransomware using CUDA}}, date = {2023-02-23}, organization = {CERT.PL}, url = {https://cert.pl/en/posts/2023/02/breaking-phobos/}, language = {English}, urldate = {2023-02-27} } A tale of Phobos - how we almost cracked a ransomware using CUDA
Phobos
2022-05-09MicrosoftMicrosoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC)
@online{team:20220509:ransomwareasaservice:13ec472, author = {Microsoft 365 Defender Threat Intelligence Team and Microsoft Threat Intelligence Center (MSTIC)}, title = {{Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself}}, date = {2022-05-09}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself}, language = {English}, urldate = {2022-05-17} } Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself
AnchorDNS BlackCat BlackMatter Conti DarkSide HelloKitty Hive LockBit REvil FAKEUPDATES Griffon ATOMSILO BazarBackdoor BlackCat BlackMatter Blister Cobalt Strike Conti DarkSide Emotet FiveHands Gozi HelloKitty Hive IcedID ISFB JSSLoader LockBit LockFile Maze NightSky Pandora Phobos Phoenix Locker PhotoLoader QakBot REvil Rook Ryuk SystemBC TrickBot WastedLocker BRONZE STARLIGHT
2022-03-03PARAFLAREBex Nitert
@online{nitert:20220303:luci:3b608e9, author = {Bex Nitert}, title = {{Luci Spools The Fun With Phobos Ransomware}}, date = {2022-03-03}, organization = {PARAFLARE}, url = {https://paraflare.com/luci-spools-the-fun-with-phobos-ransomware/}, language = {English}, urldate = {2022-03-07} } Luci Spools The Fun With Phobos Ransomware
Phobos
2021-11-05BlackberryThe BlackBerry Research & Intelligence Team
@online{team:20211105:hunter:3c7bab9, author = {The BlackBerry Research & Intelligence Team}, title = {{Hunter Becomes Hunted: Zebra2104 Hides a Herd of Malware}}, date = {2021-11-05}, organization = {Blackberry}, url = {https://blogs.blackberry.com/en/2021/11/zebra2104}, language = {English}, urldate = {2021-11-08} } Hunter Becomes Hunted: Zebra2104 Hides a Herd of Malware
Cobalt Strike DoppelDridex Mount Locker Phobos StrongPity
2021-10-07KasperskyFedor Sinitsyn, Yanis Zinchenko
@online{sinitsyn:20211007:ransomware:b5e74a3, author = {Fedor Sinitsyn and Yanis Zinchenko}, title = {{Ransomware in the CIS}}, date = {2021-10-07}, organization = {Kaspersky}, url = {https://securelist.com/cis-ransomware/104452/}, language = {English}, urldate = {2021-10-11} } Ransomware in the CIS
Cryakl Dharma Hakbit Phobos Void
2021-07-22Serviciul Român de InformațiiServiciul Român de Informații
@online{informaii:20210722:cyber:03cb12f, author = {Serviciul Român de Informații}, title = {{Cyber ​​attack with PHOBOS ransomware application}}, date = {2021-07-22}, organization = {Serviciul Român de Informații}, url = {https://www.sri.ro/articole/atac-cibernetic-cu-aplicatia-ransomware-phobos}, language = {Romanian}, urldate = {2021-07-26} } Cyber ​​attack with PHOBOS ransomware application
Phobos
2021-05-11Mal-Eatsmal_eats
@online{maleats:20210511:campo:0305ab9, author = {mal_eats}, title = {{Campo, a New Attack Campaign Targeting Japan}}, date = {2021-05-11}, organization = {Mal-Eats}, url = {https://mal-eats.net/en/2021/05/11/campo_new_attack_campaign_targeting_japan/}, language = {English}, urldate = {2021-06-01} } Campo, a New Attack Campaign Targeting Japan
AnchorDNS BazarBackdoor campoloader Cobalt Strike Phobos Snifula TrickBot Zloader
2021-05-10Mal-Eatsmal_eats
@online{maleats:20210510:overview:50ff3b3, author = {mal_eats}, title = {{Overview of Campo, a new attack campaign targeting Japan}}, date = {2021-05-10}, organization = {Mal-Eats}, url = {https://mal-eats.net/2021/05/10/campo_new_attack_campaign_targeting_japan/}, language = {English}, urldate = {2021-05-13} } Overview of Campo, a new attack campaign targeting Japan
AnchorDNS BazarBackdoor Cobalt Strike ISFB Phobos TrickBot Zloader
2021-04-27CrowdStrikeJosh Dalman, Kamil Janton, Eben Kaplan
@online{dalman:20210427:ransomware:8242ac5, author = {Josh Dalman and Kamil Janton and Eben Kaplan}, title = {{Ransomware Preparedness: A Call to Action}}, date = {2021-04-27}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/ransomware-preparedness-a-call-to-action/}, language = {English}, urldate = {2021-05-31} } Ransomware Preparedness: A Call to Action
Dharma GlobeImposter Maze Phobos CIRCUS SPIDER TRAVELING SPIDER
2021-04-26CoveWareCoveWare
@online{coveware:20210426:ransomware:12586d5, author = {CoveWare}, title = {{Ransomware Attack Vectors Shift as New Software Vulnerability Exploits Abound}}, date = {2021-04-26}, organization = {CoveWare}, url = {https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound}, language = {English}, urldate = {2021-05-13} } Ransomware Attack Vectors Shift as New Software Vulnerability Exploits Abound
Avaddon Clop Conti DarkSide Egregor LockBit Mailto Phobos REvil Ryuk SunCrypt
2021-04-12PTSecurityPTSecurity
@online{ptsecurity:20210412:paas:1d06836, author = {PTSecurity}, title = {{PaaS, or how hackers evade antivirus software}}, date = {2021-04-12}, organization = {PTSecurity}, url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/}, language = {English}, urldate = {2021-04-12} } PaaS, or how hackers evade antivirus software
Amadey Bunitu Cerber Dridex ISFB KPOT Stealer Mailto Nemty Phobos Pony Predator The Thief QakBot Raccoon RTM SmokeLoader Zloader
2021-04-02MorphisecMichael Gorelik
@online{gorelik:20210402:fair:6f62577, author = {Michael Gorelik}, title = {{The “Fair” Upgrade Variant of Phobos Ransomware}}, date = {2021-04-02}, organization = {Morphisec}, url = {https://blog.morphisec.com/the-fair-upgrade-variant-of-phobos-ransomware}, language = {English}, urldate = {2021-04-06} } The “Fair” Upgrade Variant of Phobos Ransomware
Phobos
2021-03-17Palo Alto Networks Unit 42Unit42
@techreport{unit42:20210317:ransomware:504cc32, author = {Unit42}, title = {{Ransomware Threat Report 2021}}, date = {2021-03-17}, institution = {Palo Alto Networks Unit 42}, url = {https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf}, language = {English}, urldate = {2021-03-19} } Ransomware Threat Report 2021
RansomEXX Dharma DoppelPaymer Gandcrab Mailto Maze Phobos RansomEXX REvil Ryuk WastedLocker
2020-10-13FortinetXiaopeng Zhang
@online{zhang:20201013:deep:e95d109, author = {Xiaopeng Zhang}, title = {{Deep Analysis – The EKING Variant of Phobos Ransomware}}, date = {2020-10-13}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/deep-analysis-the-eking-variant-of-phobos-ransomware}, language = {English}, urldate = {2020-10-20} } Deep Analysis – The EKING Variant of Phobos Ransomware
Phobos
2020-07-29ESET Researchwelivesecurity
@techreport{welivesecurity:20200729:threat:496355c, author = {welivesecurity}, title = {{THREAT REPORT Q2 2020}}, date = {2020-07-29}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf}, language = {English}, urldate = {2020-07-30} } THREAT REPORT Q2 2020
DEFENSOR ID HiddenAd Bundlore Pirrit Agent.BTZ Cerber ClipBanker CROSSWALK Cryptowall CTB Locker DanaBot Dharma Formbook Gandcrab Grandoreiro Houdini ISFB LockBit Locky Mailto Maze Microcin Nemty NjRAT Phobos PlugX Pony REvil Socelars STOP Tinba TrickBot WannaCryptor
2020-04-24Advanced IntelligenceBridgit Sullivan
@online{sullivan:20200424:inside:ee63bb1, author = {Bridgit Sullivan}, title = {{Inside "Phobos" Ransomware: "Dharma" Past & Underground}}, date = {2020-04-24}, organization = {Advanced Intelligence}, url = {https://www.advanced-intel.com/post/inside-phobos-ransomware-dharma-past-underground}, language = {English}, urldate = {2020-07-30} } Inside "Phobos" Ransomware: "Dharma" Past & Underground
Dharma Phobos
2020-03-04CrowdStrikeCrowdStrike
@techreport{crowdstrike:20200304:2020:818c85f, author = {CrowdStrike}, title = {{2020 CrowdStrike Global Threat Report}}, date = {2020-03-04}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf}, language = {English}, urldate = {2020-07-24} } 2020 CrowdStrike Global Threat Report
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelDridex DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot Vidar Winnti ANTHROPOID SPIDER APT23 APT31 APT39 APT40 BlackTech BuhTrap Charming Kitten CLOCKWORK SPIDER DOPPEL SPIDER FIN7 Gamaredon Group GOBLIN PANDA MONTY SPIDER MUSTANG PANDA NARWHAL SPIDER NOCTURNAL SPIDER PINCHY SPIDER SALTY SPIDER SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER VICEROY TIGER
2020-02-25RSA ConferenceJoel DeCapua
@online{decapua:20200225:feds:423f929, author = {Joel DeCapua}, title = {{Feds Fighting Ransomware: How the FBI Investigates and How You Can Help}}, date = {2020-02-25}, organization = {RSA Conference}, url = {https://www.youtube.com/watch?v=LUxOcpIRxmg}, language = {English}, urldate = {2020-03-04} } Feds Fighting Ransomware: How the FBI Investigates and How You Can Help
FastCash Cerber Defray Dharma FriedEx Gandcrab GlobeImposter Mamba Phobos Rapid Ransom REvil Ryuk SamSam Zeus
2020-01-17SecureworksTamada Kiyotaka, Keita Yamazaki, You Nakatsuru
@techreport{kiyotaka:20200117:is:969ff38, author = {Tamada Kiyotaka and Keita Yamazaki and You Nakatsuru}, title = {{Is It Wrong to Try to Find APT Techniques in Ransomware Attack?}}, date = {2020-01-17}, institution = {Secureworks}, url = {https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf}, language = {English}, urldate = {2020-04-06} } Is It Wrong to Try to Find APT Techniques in Ransomware Attack?
Defray Dharma FriedEx Gandcrab GlobeImposter Matrix Ransom MedusaLocker Phobos REvil Ryuk SamSam Scarab Ransomware
2020-01-10MalwarebytesJovi Umawing
@online{umawing:20200110:threat:9e615e1, author = {Jovi Umawing}, title = {{Threat spotlight: Phobos ransomware lives up to its name}}, date = {2020-01-10}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-spotlight/2020/01/threat-spotlight-phobos-ransomware-lives-up-to-its-name/}, language = {English}, urldate = {2020-01-22} } Threat spotlight: Phobos ransomware lives up to its name
Phobos
2020BlackberryBlackberry Research
@techreport{research:2020:state:e5941af, author = {Blackberry Research}, title = {{State of Ransomware}}, date = {2020}, institution = {Blackberry}, url = {https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/wp-spark-state-of-ransomware.pdf}, language = {English}, urldate = {2021-01-01} } State of Ransomware
Maze MedusaLocker Nefilim Phobos REvil Ryuk STOP
2019-07-24Malwarebyteshasherezade
@online{hasherezade:20190724:deep:c7d1aed, author = {hasherezade}, title = {{A deep dive into Phobos ransomware}}, date = {2019-07-24}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2019/07/a-deep-dive-into-phobos-ransomware/}, language = {English}, urldate = {2020-01-13} } A deep dive into Phobos ransomware
Phobos
2019-01-29CodeWareCoveWare
@online{coveware:20190129:phobos:8423f74, author = {CoveWare}, title = {{Phobos Ransomware, A Combo of CrySiS and Dharma}}, date = {2019-01-29}, organization = {CodeWare}, url = {https://www.coveware.com/blog/phobos-ransomware-distributed-dharma-crew}, language = {English}, urldate = {2020-01-08} } Phobos Ransomware, A Combo of CrySiS and Dharma
Phobos
Yara Rules
[TLP:WHITE] win_phobos_auto (20230407 | Detects win.phobos.)
rule win_phobos_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-03-28"
        version = "1"
        description = "Detects win.phobos."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.phobos"
        malpedia_rule_date = "20230328"
        malpedia_hash = "9d2d75cef573c1c2d861f5197df8f563b05a305d"
        malpedia_version = "20230407"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { e8???????? 8345fc10 83c40c 83eb10 4f 75b9 eb61 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   8345fc10             | add                 dword ptr [ebp - 4], 0x10
            //   83c40c               | add                 esp, 0xc
            //   83eb10               | sub                 ebx, 0x10
            //   4f                   | dec                 edi
            //   75b9                 | jne                 0xffffffbb
            //   eb61                 | jmp                 0x63

        $sequence_1 = { 5b 8b4508 8bce e8???????? 5f c9 }
            // n = 6, score = 100
            //   5b                   | pop                 ebx
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   8bce                 | mov                 ecx, esi
            //   e8????????           |                     
            //   5f                   | pop                 edi
            //   c9                   | leave               

        $sequence_2 = { 83c41c 6a09 8945f0 e8???????? 8945ec }
            // n = 5, score = 100
            //   83c41c               | add                 esp, 0x1c
            //   6a09                 | push                9
            //   8945f0               | mov                 dword ptr [ebp - 0x10], eax
            //   e8????????           |                     
            //   8945ec               | mov                 dword ptr [ebp - 0x14], eax

        $sequence_3 = { 03c3 8d440004 50 57 e8???????? 83c40c eb12 }
            // n = 7, score = 100
            //   03c3                 | add                 eax, ebx
            //   8d440004             | lea                 eax, [eax + eax + 4]
            //   50                   | push                eax
            //   57                   | push                edi
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   eb12                 | jmp                 0x14

        $sequence_4 = { 83c602 6685c0 75e5 33c0 668902 83c202 33c0 }
            // n = 7, score = 100
            //   83c602               | add                 esi, 2
            //   6685c0               | test                ax, ax
            //   75e5                 | jne                 0xffffffe7
            //   33c0                 | xor                 eax, eax
            //   668902               | mov                 word ptr [edx], ax
            //   83c202               | add                 edx, 2
            //   33c0                 | xor                 eax, eax

        $sequence_5 = { 57 6a16 8944243c e8???????? 57 6a23 89442428 }
            // n = 7, score = 100
            //   57                   | push                edi
            //   6a16                 | push                0x16
            //   8944243c             | mov                 dword ptr [esp + 0x3c], eax
            //   e8????????           |                     
            //   57                   | push                edi
            //   6a23                 | push                0x23
            //   89442428             | mov                 dword ptr [esp + 0x28], eax

        $sequence_6 = { e8???????? 59 50 ff7508 ff74241c ff15???????? 6aff }
            // n = 7, score = 100
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   50                   | push                eax
            //   ff7508               | push                dword ptr [ebp + 8]
            //   ff74241c             | push                dword ptr [esp + 0x1c]
            //   ff15????????         |                     
            //   6aff                 | push                -1

        $sequence_7 = { 8d45fc 50 ff75fc 53 6a02 ff75e4 ffd7 }
            // n = 7, score = 100
            //   8d45fc               | lea                 eax, [ebp - 4]
            //   50                   | push                eax
            //   ff75fc               | push                dword ptr [ebp - 4]
            //   53                   | push                ebx
            //   6a02                 | push                2
            //   ff75e4               | push                dword ptr [ebp - 0x1c]
            //   ffd7                 | call                edi

        $sequence_8 = { 8bc7 5f 5d c3 55 8bec 68a4000000 }
            // n = 7, score = 100
            //   8bc7                 | mov                 eax, edi
            //   5f                   | pop                 edi
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   68a4000000           | push                0xa4

        $sequence_9 = { 83c410 8945ec 3975fc 0f8434010000 8b45d4 3bc6 740a }
            // n = 7, score = 100
            //   83c410               | add                 esp, 0x10
            //   8945ec               | mov                 dword ptr [ebp - 0x14], eax
            //   3975fc               | cmp                 dword ptr [ebp - 4], esi
            //   0f8434010000         | je                  0x13a
            //   8b45d4               | mov                 eax, dword ptr [ebp - 0x2c]
            //   3bc6                 | cmp                 eax, esi
            //   740a                 | je                  0xc

    condition:
        7 of them and filesize < 139264
}
Download all Yara Rules