Warning Against Phobos Ransomware Distributed via Vulnerable RDP – ASEC BLOG

ASEC reports active distribution of Phobos ransomware using vulnerable RDP services as an entry point. The analysis covers Phobos’ file-encryption behavior, ransom-note mechanics, persistence, defense evasion, and network-shared-folder encryption.
#Phobos #Dharma #CrySis #ASEC #AhnLab

Keypoints

  • Phobos ransomware is actively distributed via externally exposed, poorly secured RDP services, which serve as the initial access vector.
  • Encrypted files are renamed with an extended file name that embeds identifiers such as the volume serial number and the threat actor's email address.
  • Ransom notes (info.txt and info.hta) are created across multiple directories to provide actor contact information and ransom instructions.
  • Phobos maintains persistence by copying itself to %LOCALAPPDATA% and registering Run keys to survive reboots.
  • Encryption targets almost all files, subject to an extensive exception list of extensions and file names; files are encrypted with AES-CBC, and a locale check may abort the infection on systems in certain locales.
  • Defense evasion includes terminating numerous processes, disabling the firewall, and deleting volume shadow copies to hinder recovery.
  • The ransomware can encrypt local drives and network shared folders, enumerating network shares via Windows APIs before encrypting them.
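Added example (not from the ASEC report or any Phobos sample): a small Python triage helper that applies the observables listed above to a constructed set of file paths and Run key values. The exact `.id[<serial>-<digits>].[<email>].<ext>` layout, the %LOCALAPPDATA% persistence heuristic and every sample value are assumptions made here, not values taken from the page.

```python
import re

# Phobos extended file name (volume serial + actor e-mail); exact layout is an assumption.
PHOBOS_NAME = re.compile(
    r"^(?P<orig>.+?)\.id\[(?P<serial>[0-9A-Fa-f]{8})-(?P<campaign>\d{4})\]"
    r"\.\[(?P<email>[^\]\s]+@[^\]\s]+)\]\.(?P<ext>[A-Za-z0-9]{1,16})$"
)
RANSOM_NOTES = {"info.txt", "info.hta"}  # ransom note names given in the summary
# Heuristic for the persistence step: a Run value launching an .exe placed directly in %LOCALAPPDATA%.
LOCALAPPDATA_EXE = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\AppData\\Local\\[^\\]+\.exe$", re.I)

def parse_phobos_name(name):
    """Return the components of a Phobos-renamed file, or None if the name does not match."""
    m = PHOBOS_NAME.match(name)
    return m.groupdict() if m else None

def suspicious_run_value(command):
    """True if a Run key command line points at an executable sitting in the %LOCALAPPDATA% root."""
    cmd = command.strip()
    exe = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(" ", 1)[0]
    return bool(LOCALAPPDATA_EXE.match(exe))

def triage(paths):
    """Summarise Phobos evidence across observed file paths (local drives and UNC shares)."""
    found = {"encrypted": [], "notes": [], "emails": set(), "serials": set()}
    for p in paths:
        name = p.rsplit("\\", 1)[-1]
        if name.lower() in RANSOM_NOTES:
            found["notes"].append(p)
            continue
        info = parse_phobos_name(name)
        if info:
            found["encrypted"].append(info["orig"])
            found["emails"].add(info["email"].lower())
            found["serials"].add(info["serial"].upper())
    return found

# Constructed sample data (not from the report): file paths seen on a host and a share, plus Run values.
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\report.docx.id[1A2B3C4D-2275].[actor@example.com].phobos",
    r"\\fileserver\finance\plan.pdf.id[1A2B3C4D-2275].[actor@example.com].phobos",
    r"C:\Users\alice\Desktop\info.hta",
    r"C:\Users\Public\Desktop\info.txt",
    r"C:\boot.ini",  # on the exclusion list, left untouched
]
SAMPLE_RUN_VALUES = [
    r'"C:\Users\alice\AppData\Local\dropped_copy.exe"',    # constructed Phobos-like entry
    r'"C:\Program Files\Vendor\updater.exe" /background',  # benign
]
```

`triage(SAMPLE_PATHS)` reports two encrypted files, two ransom notes, one actor address and one volume serial; a single serial shared by the local and UNC paths is consistent with one host encrypting both its own drives and the share.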

MITRE Techniques

  • [T1133] External Remote Services – Phobos is distributed through externally exposed, poorly secured RDP services. Quote: “These ransomware strains typically target externally exposed Remote Desktop Protocol (RDP) services with vulnerable securities as attack vectors.”
  • [T1110] Brute Force – Attacks on such RDP services often involve brute force and dictionary attacks on accounts with weak credentials. Quote: “brute force and dictionary attacks on systems where account credentials are poorly managed.”
  • [T1562.001] Impair Defenses: Disable or Modify System Firewall – The malware disables the firewall as part of defense evasion. Quote: “Disable the firewall” (Table 3).
  • [T1490] Inhibit System Recovery – The ransomware deletes volume shadow copies to prevent recovery. Quote: “delete shadows /all /quiet” and related recovery-disabled commands.
  • [T1486] Data Encrypted for Impact – Phobos encrypts all files on the system (with specified exceptions) using AES-CBC. Quote: “Phobos ransomware encrypts all files present on a system, excluding those set as exceptions…”
  • [T1021.002] SMB/Windows Admin Shares – It encrypts local and network shared folders by enumerating network resources and then encrypting them. Quote: “Phobos ransomware is one of the main ransomware that support the encryption feature for network shared folders” and “lists existing or currently connected network shared resources …”

Indicators of Compromise

  • [MD5] Phobos-related hashes – d221b0a793cd10b00b0c1f943f6c1b63, c6936c5cf4307a8bb793dbc7a9dcb9f1, and 9 more hashes
  • [File name] Ransom notes – info.hta, info.txt – ransom notes generated after infection
  • [File name] Excluded encryption filenames – boot.ini, bootfont.bin – filenames that the malware avoids encrypting
  • [File path] Ransom note placement – %USERPROFILE%\Desktop\info.hta, %public%\Desktop\info.txt – paths where notes are created

Read more: https://asec.ahnlab.com/en/58753/