Unveiling the Deceptive Dance: Phobos Ransomware Masquerading As VX-Underground | Qualys Security Blog

Qualys Threat Research uncovers Phobos ransomware masquerading as VX-Underground (VXUG), often distributed via stolen RDP and operating as a RaaS linked to Dharma/CrySIS. The article details anti-analysis checks, a wide process-kill routine, backup and firewall disruptions, and persistence mechanisms such as startup-folder and Run registry entries. #Phobos #VXUG #VX-Underground #Dharma #CrySIS #RDP

Keypoints

  • The Phobos ransomware family is masquerading as VX-Underground (VXUG) and commonly spread via stolen RDP access, with links to the Dharma/CrySIS ecosystem.
  • The sample is distributed as AntiRecuvaAndDB.exe, a UPX-packed 32-bit binary masquerading as a legitimate Recuva installer.
  • Cyrillic-language detection checks trigger termination if Cyrillic characters are present, suggesting anti-analysis/geo-targeting logic.

MITRE Techniques

  • [T1547.001] Boot or Logon Autostart Execution – Brief description: Persistence via startup folder and Run registry entry; “The ransomware achieves persistence by replicating the executable in the Startup directory and adding the Run registry key.”
  • [T1027.002] Software Packing – Brief description: The sample is UPX packed; “UPX Packed Payload” and “UPX Packer” indicate packing to hinder analysis.
  • [T1112] Modify Registry – Brief description: Uses Run registry key persistence; “adding the Run registry key”
  • [T1490] Inhibit System Recovery – Brief description: Deletes shadow copies and disrupts recovery options; “Inhibit System Recovery (T1490)”
  • [T1562.001] Disable or Modify Tools – Brief description: Disables security-related tools, e.g., firewall; “Disable Windows Firewall” and related commands
  • [T1070.004] File Deletion – Brief description: Deletes artifacts to obstruct recovery; “File Deletion” referenced in tactics

Indicators of Compromise

  • [File Hash] context – 763b04ef2d0954c7ecf394249665bcd71eeafebc3a66a27b010f558fd59dbdeb
  • [File Name] context – AntiRecuvaAndDB.exe, Desktop\Buy Black Mass Volume I.txt, Desktop\Buy Black Mass Volume II.hta
  • [File Extension] context – VXUG
  • [Registry Key] context – CurrentVersion\Run: AntiRecuvaAndDB
  • [Email] context – [email protected]
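
A read-only host check for the persistence and file artifacts listed above, added here as an example and not taken from the Qualys post; it assumes default Startup-folder locations, that user profiles live under C:\Users, and that the ransom notes are dropped on the Desktop as the file names indicate.

```powershell
# Added hunt script, not from the Qualys post. Read-only: it reports the
# artifacts listed on this page and does not delete or quarantine anything.
$SampleSha256 = '763b04ef2d0954c7ecf394249665bcd71eeafebc3a66a27b010f558fd59dbdeb'
$Findings = New-Object System.Collections.Generic.List[string]

# T1547.001 / T1112: Run key value named after the dropper, in both hives
foreach ($Hive in 'HKCU', 'HKLM') {
    $Key = "${Hive}:\Software\Microsoft\Windows\CurrentVersion\Run"
    $Val = Get-ItemProperty -Path $Key -Name 'AntiRecuvaAndDB' -ErrorAction SilentlyContinue
    if ($Val) { $Findings.Add("Run key: $Key\AntiRecuvaAndDB = $($Val.AntiRecuvaAndDB)") }
}

# T1547.001: copy of the executable in the per-user and all-users Startup folders
$StartupDirs = @(
    (Join-Path $env:APPDATA 'Microsoft\Windows\Start Menu\Programs\Startup'),
    (Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs\StartUp')
)
foreach ($Dir in $StartupDirs) {
    Get-ChildItem -Path $Dir -Filter 'AntiRecuvaAndDB.exe' -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Compare against the sample hash from the post; a mismatch is still worth triage
            $Hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash.ToLower()
            $Note = if ($Hash -eq $SampleSha256) { 'hash matches sample' } else { "hash $Hash" }
            $Findings.Add("Startup copy: $($_.FullName) ($Note)")
        }
}

# Ransom notes on each user's Desktop, and files renamed with the .VXUG extension
$Profiles = Get-ChildItem -Path 'C:\Users' -Directory -ErrorAction SilentlyContinue
foreach ($P in $Profiles) {
    $Desktop = Join-Path $P.FullName 'Desktop'
    foreach ($NoteName in 'Buy Black Mass Volume I.txt', 'Buy Black Mass Volume II.hta') {
        $NotePath = Join-Path $Desktop $NoteName
        if (Test-Path -LiteralPath $NotePath) { $Findings.Add("Ransom note: $NotePath") }
    }
    $Encrypted = @(Get-ChildItem -Path $P.FullName -Recurse -File -Filter '*.VXUG' -ErrorAction SilentlyContinue)
    if ($Encrypted.Count -gt 0) {
        $Findings.Add("$($Encrypted.Count) .VXUG file(s) under $($P.FullName), e.g. $($Encrypted[0].FullName)")
    }
}

if ($Findings.Count -eq 0) { 'No Phobos/VXUG artifacts from the post were found.' } else { $Findings }
```

Run it in an elevated session so the HKLM hive and other users' profiles are readable; a Run-key hit or a Startup-folder copy should be treated as an active-persistence finding even if the hash differs from the one published.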

Read more: https://blog.qualys.com/vulnerabilities-threat-research/2023/11/23/unveiling-the-deceptive-dance-phobos-ransomware-masquerading-as-vx-underground