A DNS Investigation of the Phobos Ransomware 8Base Attack

Intel-Ops researchers found that the 8Base ransomware group has been deploying Phobos ransomware via a ransomware-as-a-service model, using multiple Phobos variants to compromise targets. The investigation catalogs 63 IoCs (46 domains and 17 IPs) and traces a broader infrastructure through WHOIS and DNS analyses, revealing a Germany-based hosting pattern and Icelandic registration activity. Hashtags: #Phobos #8Base #RaaS #Eking #Eight #Elbie #Devos #Faust #Namecheap #Hetzner #Germany

Keypoints

  • 8Base operators use Phobos ransomware variants (Eking, Eight, Elbie, Devos, Faust) through a ransomware-as-a-service (RaaS) model.
  • The targets span county governments, emergency services, educational institutions, healthcare, and other critical infrastructure sectors.
  • 63 IoCs were published: 46 domains and 17 IP addresses, with further expansion via WHOIS and threat intelligence analyses.
  • The IoCs include domain registrations across three registrars, with most (44) at Namecheap and creation dates in 2023.
  • Geolocation analysis shows most domain IoCs associated with Iceland; all 17 IP IoCs geolocated to Germany, with Hetzner Online involved for at least one address.
  • Expanded artifacts include 368 email-connected domains, 3 additional IPs, 13 IP-connected domains, and 20 string-connected domains; researchers also identified 404 potentially connected web properties.

MITRE Techniques

  • [T1583] Acquire Infrastructure – The operators used multiple domains and IPs for their attack infrastructure, and the researchers expanded the IoC list to uncover more of it. Quote: “To find out if 8Base had other domains and IP addresses in its attack infrastructure, we expanded the list of IoCs starting with WHOIS History API queries for the 46 domain IoCs.”
  • [T1588] Obtain Capabilities – The ransomware operation relies on a ransomware-as-a-service model to obtain and deploy ransomware variants. Quote: “The Phobos operators have been selling the ransomware’s multiple variants (e.g., Eking, Eight, Elbie, Devos and Faust) via the ransomware-as-a-service (RaaS) model.”

Indicators of Compromise

  • [Domain] IoCs – 46 domain indicators; examples: domains registered with Namecheap (44 domains), plus 1 each at PSI-USA and REG.RU. Context: domain-based artifacts expanding the attacker infrastructure.
  • [IP Address] IoCs – 17 IP indicators; examples: 45[.]89[.]127[.]159 (malware distribution), 88[.]198[.]21[.]27 (Hetzner). Context: IPs tied to the infrastructure and hosting.
  • [Email] IoCs – 4 registrant email addresses recovered from historical WHOIS records; context: used as pivots from the domain IoCs to further domains in the same ecosystem.
  • [Domain] String-connected Domains – 20 domains discovered via string patterns (advserv., amx15., amx395., amx55., blogserv., mexstat., mxtmx.). Context: potential social-engineering or infrastructure overlap.
  • [Web Property] Web properties – 404 potentially connected properties: 401 email-, IP-, and string-connected domains and three IP addresses. Context: broadening footprint beyond the initial IoCs.
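The three pivots the researchers describe (registrant email from WHOIS history, shared IP from DNS resolution, and string patterns in domain names) can be run as a small, repeatable expansion step. The script below is an added illustration, not code from the report or from Intel-Ops; every domain, IP, email address and data source in it is constructed (RFC 5737 addresses and `.example` names) and stands in for the WHOIS-history, reverse-WHOIS, passive-DNS and newly-registered-domain feeds an analyst would actually query. It keeps IoCs defanged at the boundary, and it drops registrar privacy-proxy mailboxes before pivoting, because those link unrelated customers and are the usual source of false "connected" domains.

```python
"""Infrastructure-pivot walkthrough on constructed data (not the report's real IoCs)."""
from collections import defaultdict

# --- Constructed seed IoCs in defanged form (placeholders, not the 8Base indicators) ---
SEED_DOMAINS = ["amx15[.]example", "blogserv[.]example", "mexstat[.]example"]
SEED_IPS = ["203[.]0[.]113[.]10"]

# --- Constructed stand-ins for the data sources the researchers queried ---
# WHOIS history: domain -> registrant emails seen over time
WHOIS_HISTORY = {
    "amx15.example": ["ops@mail.example"],
    "blogserv.example": ["ops@mail.example", "redacted@privacy.example"],
    "mexstat.example": ["privacy@whoisguard.example"],
}
# Reverse WHOIS: email -> every domain registered with it
REVERSE_WHOIS = {
    "ops@mail.example": ["amx15.example", "blogserv.example", "amx395.example", "shop.example"],
    "redacted@privacy.example": ["news.example", "bank.example", "amx15.example"],
    "privacy@whoisguard.example": ["travel.example"],
}
# Passive DNS: domain -> IPs it has resolved to
PASSIVE_DNS = {
    "amx15.example": ["203.0.113.10"],
    "mxtmx.example": ["203.0.113.10"],
    "blogserv.example": ["203.0.113.30"],
    "cdn.example": ["203.0.113.30"],
    "shop.example": ["203.0.113.20"],
}
# Constructed newly-registered-domains feed to search for the string patterns
NRD_FEED = ["amx55.example", "amx395.example", "advserv-cdn.example",
            "example-amx15.net", "travel.example"]

# String prefixes quoted in the report
STRING_PREFIXES = ("advserv.", "amx15.", "amx395.", "amx55.", "blogserv.", "mexstat.", "mxtmx.")
# Registrar privacy-proxy mailboxes (constructed list): pivoting on these links unrelated customers
PRIVACY_EMAIL_DOMAINS = {"privacy.example", "whoisguard.example"}


def refang(ioc):
    return ioc.replace("[.]", ".")


def defang(ioc):
    return ioc.replace(".", "[.]")


def is_privacy_email(email):
    return email.rsplit("@", 1)[-1].lower() in PRIVACY_EMAIL_DOMAINS


def email_pivot(seed_domains, whois_history, reverse_whois):
    """Seed domains -> usable registrant emails -> email-connected domains (seeds excluded)."""
    emails = {e for d in seed_domains for e in whois_history.get(d, []) if not is_privacy_email(e)}
    connected = {d for e in emails for d in reverse_whois.get(e, [])} - set(seed_domains)
    return sorted(emails), sorted(connected)


def ip_pivot(seed_domains, seed_ips, passive_dns):
    """Seed domains -> their historical IPs (plus seed IPs) -> other domains seen on those IPs."""
    ips = set(seed_ips) | {ip for d in seed_domains for ip in passive_dns.get(d, [])}
    reverse = defaultdict(set)  # ip -> domains, built from the forward records
    for domain, addrs in passive_dns.items():
        for ip in addrs:
            reverse[ip].add(domain)
    connected = {d for ip in ips for d in reverse.get(ip, set())} - set(seed_domains)
    return sorted(ips - set(seed_ips)), sorted(connected)


def string_pivot(feed, prefixes, known):
    """Feed domains whose name starts with one of the report's prefixes, minus ones already known."""
    return sorted(d for d in feed if d.lower().startswith(prefixes) and d not in known)


def expand(seed_domains_defanged, seed_ips_defanged):
    """Run all three pivots and return the expanded artifacts, defanged for reporting."""
    seeds = [refang(d) for d in seed_domains_defanged]
    seed_ips = [refang(ip) for ip in seed_ips_defanged]
    emails, email_conn = email_pivot(seeds, WHOIS_HISTORY, REVERSE_WHOIS)
    new_ips, ip_conn = ip_pivot(seeds, seed_ips, PASSIVE_DNS)
    known = set(seeds) | set(email_conn) | set(ip_conn)
    string_conn = string_pivot(NRD_FEED, STRING_PREFIXES, known)
    return {
        "emails": emails,
        "email_connected": [defang(d) for d in email_conn],
        "additional_ips": [defang(ip) for ip in new_ips],
        "ip_connected": [defang(d) for d in ip_conn],
        "string_connected": [defang(d) for d in string_conn],
    }


if __name__ == "__main__":
    for key, value in expand(SEED_DOMAINS, SEED_IPS).items():
        print(f"{key}: {value}")
```

Each pivot returns only new artifacts, so the seed list never re-enters the results, and the string search is run last against everything already known to avoid double counting. The output of such a run is a list of potentially connected properties in the report's sense: a shared hosting IP or a common registrant address is a lead to verify against hosting, certificate and content data, not by itself evidence that a domain belongs to the same operator.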

Read more: https://circleid.com/posts/20240530-a-dns-investigation-of-the-phobos-ransomware-8base-attack