Intel-Ops
Mar 5, 2024
On February 29th 2024, CISA released an advisory on Phobos ransomware.
https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-060a
Intel-Ops is actively tracking infrastructure assessed to belong to the 8Base Ransomware group, an operator of Phobos ransomware. Our Threat Intel customers will be proactively blocking this threat.
Phobos operates a Ransomware-as-a-Service model and groups utilising this ransomware have targeted:
“county governments, emergency services, education, public healthcare, and other critical infrastructure entities to successfully ransom several million U.S. dollars.”
It is assessed that Phobos is a Ransomware-as-a-Service (RaaS) with a number of variants (Eking, Eight, Elbie, Devos and Faust) and a dispersed set of affiliates that share very similar TTPs. Cisco Talos assess with moderate confidence that there is a central authority that holds the private key for all campaigns associated with the Phobos variants.
One group that utilises Phobos ransomware is the 8Base ransomware group, who have been highly active between mid-2023 and into 2024. The group are thought to be a collective of experienced ransomware operators. 8Base add their own branding customisation by appending “.8base” to their encrypted files and slightly modify the ransom note from the Phobos template. As you can observe in the graph below, operations and therefore victims significantly ramped up in June 2023 and the group is now regularly posting multiple victims in a single day since December 2023, likely motivating CISA to issue their advisory:
Using https://www.fortinet.com/blog/threat-research/ransomware-roundup-8base, we can see that, like many ransomware groups, a broad range of industry verticals have been affected by 8Base. Date cut off: December 2023.
Similarly, Western organisations make up the majority of victims of 8Base.
The SmokeLoader backdoor has a range of capabilities which depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is notorious for its use of deception and self-protection, using random API function calls and a multi-stage decryption process. The malware frequently tries to hide its C2 activity by generating requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. Typically the actual download returns an HTTP 404 but still contains data in the response body.
SystemBC is primarily used as a SOCKS5 proxy allowing for interaction between victim machines and attacker infrastructure to execute commands, deploy additional payloads or exfiltrate data. SystemBC has reportedly been associated with loaders such as Smokeloader as well as Gootloader and ModernLoader. It has risen in popularity in recent years with usage linked to a variety of capable ransomware groups such as Cuba, BlackBasta, Play (Now BlackSuit), Rhysida, 8Base and more.
For an excellent in-depth report on SystemBC:
https://github.com/vc0RExor/Malware-Threat-Reports/blob/main/The%20Swiss%20Knife%20-%20SystemBC%20%7C%20Coroxy/The%20Swiss%20Knife-SystemBC_EN.pdf
As reported by VMware’s Carbon Black, 8Base use Smokeloader and SystemBC in their intrusions:
“8base uses SystemBC to encrypt command and control traffic and Smokeloader, which provided initial obfuscation of the ransomware on ingress, unpacking, and loading of the Phobos ransomware.”
Cisco Talos follows this description with:
“8base sample had been downloaded from the domain admlogs25[.]xyz — which appears to be associated with SystemBC, a proxy and remote administration tool. SystemBC has been used by other ransomware groups as a way to encrypt and conceal the destination of the attackers’ Command and Control traffic. 8base uses SystemBC to encrypt command and control traffic and Smokeloader, which provided initial obfuscation of the ransomware on ingress, unpacking, and loading of the Phobos ransomware.”
Intel-Ops has been tracking a collection of infrastructure linked to 8Base. Attribution is based on file samples with .8base extensions communicating with a number of domains in the dataset. The domain naming conventions follow a similar format to those previously reported as 8Base, and the C2 infrastructure shares common attributes.
Within this dataset, we have identified Smokeloader and SystemBC samples. We will break this infrastructure into sections looking at domains, hosting and files.
The infrastructure tracked by Intel-Ops is presented in the following Maltego graph. The size of the node correlates to the number of outgoing links to downstream nodes. E.g. 8Base root node -> IP -> Domain -> Communicating Files:
The above graph is a great way to identify how the infrastructure has been utilised by 8Base. We can see that there are a number of domains and IP addresses more heavily utilised, based on the number of connections between domain and IP and between domain and files submitted to VirusTotal. For example, the domain servermlogs27[.]xyz has been operational since at least October 2023 and demstat577d[.]xyz has been operational since at least July 2023, and these have the most submitted files. However, there still remains a large number of domains and IP addresses linked to 8Base that have been active for a similar length of time, such as fexstat227[.]xyz on IP 46.36.218[.]224, which has only now seen a sudden surge in submitted samples in late February. As we will see in the next section, this infrastructure has been deployed and pre-operational since around June and July.
Intel-Ops has identified 45 domains linked to 8Base.
Of the 45 domains identified, 43 of them belonged to the .xyz TLD, with 2 belonging to the .net and .pro TLDs. Additionally, the domains ranged from 5–13 characters in length, with the average length being 9 characters long. 42 of the 45 domains also contained strings of 2–3 random numeric values appended to the end of the domain string.
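The profiling described above (TLD spread, label length, trailing digit runs) is easy to reproduce over your own DNS or proxy logs. The following is an added example, not Intel-Ops' tooling: the sample list reuses domains quoted in this report plus two control names, and NAMING_PATTERN is a hypothetical heuristic modelled on the described convention, useful as a triage lead rather than as attribution.

```python
import re
from collections import Counter
from statistics import mean

# Sample input: domains quoted in the report plus two control names
# (example.com is a reserved documentation domain, not an indicator).
SAMPLE_DOMAINS = [
    "servermlogs27.xyz", "demstat577d.xyz", "fexstat227.xyz", "zopte234.xyz",
    "admlogs85.xyz", "mexstat.pro", "blogserv.xyz", "piserver22.net",
    "example.com",
]

# Hypothetical heuristic for the convention the report describes: a short
# alphabetic label, a 2-3 digit run, an optional 1-2 letter suffix (as in
# demstat577d), on the .xyz TLD. The quantifiers keep labels within the
# observed 5-13 character range.
NAMING_PATTERN = re.compile(r"^[a-z]{3,11}\d{2,3}[a-z]{0,2}\.xyz$")


def split_label(domain):
    """Split 'label.tld' into (label, tld); nested subdomains keep their dots."""
    label, _, tld = domain.lower().rpartition(".")
    return label, tld


def profile_domains(domains):
    """Summarise a domain set the way the report does: TLD spread, label
    length range and mean, and how many labels carry a 2-3 digit run
    (longer digit runs also count)."""
    labels = [split_label(d)[0] for d in domains]
    lengths = [len(label) for label in labels]
    return {
        "count": len(domains),
        "tlds": dict(Counter(split_label(d)[1] for d in domains)),
        "min_len": min(lengths),
        "max_len": max(lengths),
        "avg_len": round(mean(lengths), 1),
        "with_digit_run": sum(1 for label in labels if re.search(r"\d{2,3}", label)),
    }


def flag_by_convention(domains):
    """Return the domains that fit NAMING_PATTERN, for triage against
    DNS or proxy logs. A match is a lead to investigate, not attribution."""
    return [d for d in domains if NAMING_PATTERN.match(d.lower())]


if __name__ == "__main__":
    print(profile_domains(SAMPLE_DOMAINS))
    print(flag_by_convention(SAMPLE_DOMAINS))
```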
Additionally, Intel-Ops used PassiveDNS records in VirusTotal to understand when the domains resolved to an A record:
As we mentioned, there were a lot of DNS changes over a relatively short period of time, with many domains cycling through IP addresses every couple of days. Then, in November, this stopped and the DNS activity has remained very static between domain and IP. This could indicate that we have observed all active domains we’re likely to see with this current cluster of activity.
Interestingly, despite the increasing notoriety of 8Base and its use of Smokeloader and SystemBC, detection of their domains used for command and control remains very low. 18 of the domains have 0 communicating files in VirusTotal which has no real bearing on detection rate. For example, zopte234[.]xyz has the joint highest detection but no communicating files. Interestingly, the domains without any numeric values have 0 VT detections or communicating files and remain parked since June 2023. The average VT detection score is 10/89.
So where do all of our 45 IP addresses resolve to? Well, they resolve to 22 IP addresses geo-located in Germany or Estonia and hosted by 3 hosting providers: Hetzner, ITP-Solutions GmbH & Co. KG and P.a.g.m. Ou.
When we inspect the detection rate for IP addresses in VirusTotal, there is a notable decline in any detection at all. 63% of IP addresses used by 8Base, as far back as July 2023, still maintain a 0 detection score, with no attribution to 8Base:
These scores don’t mean that they haven’t resolved to domains or communicating files submitted to VirusTotal either. Take the bottom two IP addresses in the above graph: 45.131.66[.]34 had two files submitted in September 2023 and has subsequently had 6 files submitted in February 2024, and 45.89.127[.]23 has been the A record for admlogs85[.]xyz since July 2023; however, no files have been submitted. Alternatively, the top detected IP only has two submitted files, in July 2023 and February 2024. The average VT detection score for these IP addresses is 1/89.
Of the 22 IP addresses tracked by Intel-Ops, only 10 of them have communicating files submitted to VirusTotal. In total, we have identified 50 unique file samples submitted to VirusTotal linked to Smokeloader (33), SystemBC (16) and a singular Meterpreter payload.
Let’s break this down by name:
We took the communicating file names directly from VirusTotal and inspected the file naming conventions you might expect to see in a compromised environment. There appear to be 2 clusters of files when observing naming convention. The first cluster, and the most frequently observed, is the files that contain the “111” string. The second appears to be randomly generated file names using just characters. There was no distinguishing difference between file names and associated domain/IP communication.
So when were the files submitted?
Due to the timing of the CISA report, we’d expect to see an increase in activity from Phobos ransomware groups such as 8Base, but this is a massive spike in submissions, with 20 files submitted to VirusTotal for analysis on a single date: 26/02/2024. Our assessment is that it’s likely a single organisation such as CISA conducted analysis of submitted files, as opposed to many victims all submitting on the same day.
So let’s bring it all together in a single timeline graph:
When we pull the dates together from our various datasets to give us an idea of the frequency of activity, we can see that whilst the group was active through the latter half of 2023, DNS activity appeared to match pace. However, after November there was a big lull in DNS changes and file submissions to VirusTotal. After a resumption of victim posts in January 2024, we see a very sharp increase in submitted files to VirusTotal, confirming that our tracked infrastructure is still very active.
At the time of writing this report, the 8Base ransomware group’s data leak site is hosted on 92.118.36[.]204, ISP: Alviva Holding Limited.
Intel-Ops actively tracks this infrastructure, including any changes, to provide proactive and timely detection of threat actor changes. We will soon be providing these via a curated Threat Intelligence feed. Additionally, we provide a training academy with a thorough syllabus that teaches analysts how to track threats such as this.
Please reach out to: contact@intel-ops.io for more information.
IP addresses:
Domains: