Phobos Ransomware: Analysing associated infrastructure used by 8Base

Intel-Ops tracks Phobos ransomware infrastructure attributed to the 8Base group, detailing a RaaS model and affiliates using Smokeloader and SystemBC in intrusions. The report identifies 45 domains, 22 IPs, and 50 samples (33 Smokeloader, 16 SystemBC, 1 Meterpreter) with limited VirusTotal detections, and notes activity into early 2024. #Phobos #8Base #Smokeloader #SystemBC #Meterpreter

Keypoints

  • Phobos ransomware operates as a Ransomware-as-a-Service (RaaS) with multiple variants and affiliates; a central authority may hold the private keys. “Phobos is a Ransomware-as-a-Service (RaaS) with a number of variants … and a disperse set of affiliates … there is a central authority that holds the private key for all campaigns associated with the Phobos variants.”
  • 8Base is an active Phobos operator, with branding and ramping activity—“One group that utilises Phobos ransomware is the 8Base ransomware group … the group is now regularly posting multiple victims in a single day since December 2023.”
  • Smokeloader and SystemBC are central to 8Base intrusions: Smokeloader provides initial obfuscation, and SystemBC is used as a SOCKS5 proxy to route traffic and enable C2 interactions. “8base uses SystemBC to encrypt command and control traffic and Smokeloader, which provided initial obfuscation of the ransomware on ingress, unpacking, and loading of the Phobos ransomware.”
  • 8Base has a substantial infrastructure footprint: Intel-Ops identifies 45 domains and 22 IPs tied to 8Base infrastructure, with most domains in the .xyz space and a geographic footprint across Germany, the Netherlands, and Estonia.
  • Victimology spans multiple sectors (county governments, emergency services, education, public healthcare, and other critical infrastructure), with Western organizations constituting a large share of victims. “county governments, emergency services, education, public healthcare, and other critical infrastructure entities … ransom several million U.S. dollars.”
  • VirusTotal detections for these domains are generally low (average 10/89), and many domains show zero communicating files, suggesting under-detection and a large undetected footprint. “The average VT detection score is 10/89.” and “18 of the domains have 0 communicating files in VirusTotal.”

MITRE Techniques

  • [T1486] Data Encrypted for Impact – Phobos ransomware encrypts files to ransom victims. “Phobos operates a Ransomware-as-a-Service (RaaS) with a number of variants … there is a central authority that holds the private key for all campaigns associated with the Phobos variants.”
  • [T1027] Obfuscated/Compressed Files or Information – Smokeloader uses deception and a multi-stage decryption process to hide its payload and operations. “the malware … uses random API function calls and a multi-stage decryption process.”
  • [T1090] Proxy – SystemBC is used as a SOCKS5 proxy to facilitate interaction between victims and attacker infrastructure for commands and data. “SOCKS5 proxy allowing for interaction between victim machines and attacker infrastructure to execute commands, deploy additional payloads or exfiltrate data.”
  • [T1036] Masquerading – 8Base brands its ransomware by appending “.8base” to encrypted files and slightly modifies the Phobos ransom note. “append ‘.8base’ to their encrypted files and slightly modify the ransom note from the Phobos template.”
  • [T1041] Exfiltration Over C2 Channel – The proxy setup and C2 traffic enable data exfiltration as part of attacker operations. “to exfiltrate data.”

Indicators of Compromise

  • [IP Address] – Example: 45.131.66.120, 185.234.72.182, and 92.118.36.204 (data-leak site). These addresses are associated with 8Base infrastructure and related activity.
  • [Domain] – Example: servermlogs27.xyz, demstat577d.xyz (domains identified as linked to 8Base infrastructure).
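The indicators above, together with the ".8base" extension the group appends to encrypted files (see T1036), are the hunting material a defender gets from this report. The script below is an added example and is not code from the Intel-Ops report: it loads the IPs and domains quoted on this page into an IOC set and scans constructed DNS, firewall and file-event log lines for them, matching subdomains of the listed domains, avoiding substring false positives on IP addresses, and flagging any file name that ends in ".8base". The log line format, hostnames and the matching functions are assumptions for illustration.

```python
import re
from collections import Counter
from dataclasses import dataclass

# IOCs as quoted in the summary above (page values, not constructed)
IOC_IPS = {"45.131.66.120", "185.234.72.182", "92.118.36.204"}
IOC_DOMAINS = {"servermlogs27.xyz", "demstat577d.xyz"}
RANSOM_EXT = ".8base"  # extension 8Base appends to encrypted files (from the page)

# Dotted-quad IPs not embedded in a longer digit/dot run (avoids 45.131.66.1200)
IP_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")
# Hostnames whose last label is alphabetic, so IP addresses are not picked up here
HOST_RE = re.compile(r"(?<![\w.-])((?:[a-z0-9-]+\.)+[a-z]{2,})(?![\w-])", re.IGNORECASE)
# Final path component of a file that ends in the ransomware extension
FILE_RE = re.compile(r"([^\s\\/]+\.8base)\b")


@dataclass(frozen=True)
class Hit:
    line_no: int
    kind: str   # "ip", "domain" or "ransom_ext"
    value: str


def domain_matches(host, ioc_domains):
    """Return the IOC domain that host equals or is a subdomain of, else None."""
    host = host.lower().rstrip(".")
    for d in ioc_domains:
        if host == d or host.endswith("." + d):
            return d
    return None


def scan(lines):
    """Scan log lines and return every IOC or ransom-extension hit, in order."""
    hits = []
    for n, line in enumerate(lines, 1):
        for ip in IP_RE.findall(line):
            if ip in IOC_IPS:
                hits.append(Hit(n, "ip", ip))
        for host in HOST_RE.findall(line):
            matched = domain_matches(host, IOC_DOMAINS)
            if matched:
                hits.append(Hit(n, "domain", matched))
        for fname in FILE_RE.findall(line):
            hits.append(Hit(n, "ransom_ext", fname))
    return hits


def summarize(hits):
    """Count hits per indicator kind; useful as a quick triage view."""
    return dict(Counter(h.kind for h in hits))


# Constructed sample log lines (hypothetical hosts, clients and timestamps).
# Line 3 carries a near-miss address that must NOT match an IOC IP.
SAMPLE_LOGS = [
    "2024-01-15T10:02:11Z dns query client=10.0.0.5 qname=servermlogs27.xyz type=A",
    "2024-01-15T10:02:12Z fw allow src=10.0.0.5 dst=45.131.66.120 dport=443 proto=tcp",
    "2024-01-15T10:03:40Z fw allow src=10.0.0.7 dst=45.131.66.1200 dport=80 proto=tcp",
    "2024-01-15T10:05:02Z dns query client=10.0.0.9 qname=cdn.demstat577d.xyz type=A",
    "2024-01-15T10:06:30Z dns query client=10.0.0.9 qname=updates.example.com type=A",
    "2024-01-15T10:41:55Z file rename host=WS-042 path=C:\\Users\\jdoe\\Documents\\report.docx.8base",
]

if __name__ == "__main__":
    found = scan(SAMPLE_LOGS)
    for h in found:
        print(f"line {h.line_no}: {h.kind} -> {h.value}")
    print(summarize(found))
```

Feed it real DNS, proxy or EDR file-event lines one per element of the list; the subdomain rule in domain_matches is what lets a single IOC domain catch lookups for hosts beneath it, and the lookaround guards on IP_RE are what keep an address such as 45.131.66.1200 from being reported as 45.131.66.120.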

Read more: https://medium.com/@Intel_Ops/phobos-ransom analysing-associated-infrastructure-used-by-8base-646560302a8d