CISA, the FBI, and MS-ISAC joined forces in a new advisory disclosing the latest Phobos ransomware IoCs and tactics. The update is rooted in recent investigations up to February 2024.
The alert gives organizations a heads-up regarding how to prevent and mitigate a Phobos ransomware infection.
The Phobos ransomware-as-a-service frequently targets government and critical infrastructure institutions. Hospitals, universities, emergency services, and jail facilities are on the threat group’s victims list.
Common Phobos ransomware IoCs
The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) disclosed in the advisory a comprehensive list of IoCs.
Some of the main Phobos ransomware IoC categories are:
Associated Phobos domains
- adstat477d[.]xyz
- demstat577d[.]xyz
- serverxlogs21[.]xyz
Phobos Shell Commands
- vssadmin delete shadows /all /quiet [T1490]
- netsh advfirewall set currentprofile state off
- wmic shadowcopy delete
- netsh firewall set opmode mode=disable [T1562.004]
- bcdedit /set {default} bootstatuspolicy ignoreallfailures [T1547.001]
- mshta C:\%PUBLIC%\Desktop\info.hta
- bcdedit /set {default} recoveryenabled no [T1490]
- wbadmin delete catalog -quiet
- mshta C:\%USERPROFILE%\Desktop\info.hta [T1218.005]
- mshta C:\info.hta
Phobos Registry Keys
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\<Phobos exe name>
- C:/Users\Admin\AppData\Local\directory
Phobos actor email addresses
See here the complete list of emails used in Phobos ransomware attacks.
Phobos actor Telegram username
@phobos_support
See the rest of the Phobos IoCs list on the CISA advisory page.
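The commands and domains above are only useful if something actually checks for them. The following is an added example, not code from the advisory or from the article's author: a small Python scanner that runs the shell-command and domain IoCs listed above over process-creation and DNS log records. The pipe-separated record format and the sample log lines are constructed for the example; the ATT&CK IDs attached to each rule are the ones the advisory gives, and rules the advisory leaves untagged carry None rather than a guessed ID. The matching is deliberately looser than the literal strings (it tolerates a full path to the binary, an .exe suffix, and subdomains of a listed domain), which is a generalization beyond the exact lines on the page.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Command-line rules derived from the Phobos shell commands in the advisory.
# Third element is the ATT&CK ID the advisory attaches; None where it attaches none.
COMMAND_RULES = [
    ("vssadmin delete shadows", r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", "T1490"),
    ("wmic shadowcopy delete", r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", None),
    ("wbadmin delete catalog", r"\bwbadmin(?:\.exe)?\s+delete\s+catalog\b", None),
    ("bcdedit recoveryenabled no", r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+no\b", "T1490"),
    ("bcdedit bootstatuspolicy ignoreallfailures",
     r"\bbcdedit(?:\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b", "T1547.001"),
    ("netsh advfirewall state off", r"\bnetsh(?:\.exe)?\s+advfirewall\s+set\s+\w+\s+state\s+off\b", None),
    ("netsh firewall opmode disable", r"\bnetsh(?:\.exe)?\s+firewall\s+set\s+opmode\s+mode=disable\b", "T1562.004"),
    ("mshta info.hta", r"\bmshta(?:\.exe)?\b.*\binfo\.hta\b", "T1218.005"),
]
COMPILED = [(name, re.compile(pat, re.IGNORECASE), tech) for name, pat, tech in COMMAND_RULES]

# Domains exactly as the advisory publishes them (de-fanged); refanged once for matching.
PHOBOS_DOMAINS = {"adstat477d[.]xyz", "demstat577d[.]xyz", "serverxlogs21[.]xyz"}


def refang(domain: str) -> str:
    return domain.replace("[.]", ".").strip().strip(".").lower()


DOMAIN_SET = {refang(d) for d in PHOBOS_DOMAINS}


@dataclass
class Hit:
    timestamp: str
    host: str
    kind: str                 # "process" or "dns"
    rule: str
    technique: Optional[str]  # ATT&CK ID from the advisory, or None
    evidence: str


def match_command(cmdline: str) -> Optional[Tuple[str, Optional[str]]]:
    """Return (rule name, technique) for the first Phobos command rule that fires."""
    for name, rx, tech in COMPILED:
        if rx.search(cmdline):
            return name, tech
    return None


def match_domain(query: str) -> Optional[str]:
    """Return the listed domain a DNS query resolves to (exact or subdomain), else None."""
    q = refang(query)
    for d in DOMAIN_SET:
        if q == d or q.endswith("." + d):
            return d
    return None


def scan(lines: Iterable[str]) -> List[Hit]:
    """Scan 'timestamp|host|kind|value' records (constructed format) for Phobos IoCs."""
    hits: List[Hit] = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split("|", 3)
        if len(parts) != 4:
            continue  # malformed record: skip it rather than abort the whole scan
        ts, host, kind, value = parts
        if kind == "process":
            m = match_command(value)
            if m:
                hits.append(Hit(ts, host, kind, m[0], m[1], value))
        elif kind == "dns":
            d = match_domain(value)
            if d:
                hits.append(Hit(ts, host, kind, f"dns query to {d}", None, value))
    return hits


# Constructed sample records; hosts, times and the benign lines are invented for the example.
SAMPLE_LOG = [
    "2024-02-20T10:01:02Z|ws01|process|C:\\Windows\\System32\\vssadmin.exe delete shadows /all /quiet",
    "2024-02-20T10:01:03Z|ws01|process|bcdedit /set {default} recoveryenabled no",
    "2024-02-20T10:01:05Z|ws01|dns|adstat477d.xyz",
    "2024-02-20T10:05:00Z|ws02|process|notepad.exe report.txt",
    "2024-02-20T10:06:00Z|ws02|dns|example.com",
    "2024-02-20T10:06:30Z|ws02|dns|cdn.serverxlogs21.xyz",
    "2024-02-20T10:07:00Z|ws03|process|mshta C:\\Users\\Public\\Desktop\\info.hta",
]

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(f"{h.timestamp} {h.host} [{h.kind}] {h.rule} ({h.technique}): {h.evidence}")
```

The shadow-copy and boot-configuration rules are the ones worth alerting on with the highest priority: they are the pre-encryption step that destroys recovery options, and on most workstations there is no legitimate reason for them to run at all.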
Phobos ransomware TTPs
CISA warns Phobos affiliates rely heavily on phishing campaigns for reconnaissance and initial access to vulnerable networks.
They also actively search for exposed Remote Desktop Protocol (RDP) ports, which they compromise by using brute force tools.
Once they have a way in, the hackers try to escalate privileges by running executables such as 1saas.exe or cmd.exe.
These executables install Phobos payloads with elevated privileges. To hide their presence inside the network, the hackers run commands like netsh firewall set opmode mode=disable to change firewall configurations.
Additionally, Phobos actors can evade detection by using the following tools: Universal Virus Sniffer, Process Hacker, and PowerTool.
Source – CISA advisory AA24-060A
What CISA recommends against Phobos ransomware
Poorly secured RDP ports are a constant cause of system breaches, so it is no surprise that CISA flags them as the first thing to solve in the fight against ransomware. To mitigate the risk of hackers using RDP ports for a ransomware attack:
- Regularly check the network for systems using RDP
- Shut down unused RDP ports
- Block access after a specified number of failed attempts to prevent a brute force attack
- Use multifactor authentication (MFA)
- Log RDP login attempts
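The last two points on the list, lockout after a number of failed attempts and logging of RDP logins, are the ones that catch the brute-force behaviour described earlier. The example below is added here and is not from the advisory or the article's author: it reads failed-logon records and flags any source address that produces a burst of failed RDP logons inside a short window. The comma-separated record format and all sample rows are constructed; the field semantics (Windows Security Event ID 4625 for a failed logon, Logon Type 10 for RemoteInteractive, i.e. RDP) are real, and the threshold and window are assumptions to tune to your environment.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, Iterable, List

# Constructed sample records: "timestamp,event_id,logon_type,source_ip,account".
# 4625 = failed logon, 4624 = successful logon; logon type 10 = RemoteInteractive (RDP),
# logon type 3 = network (e.g. SMB). Addresses are documentation ranges, not real hosts.
SAMPLE_EVENTS = """\
2024-02-20T09:00:00Z,4625,10,203.0.113.10,administrator
2024-02-20T09:00:04Z,4625,10,203.0.113.10,admin
2024-02-20T09:00:09Z,4625,10,203.0.113.10,backup
2024-02-20T09:00:13Z,4625,10,203.0.113.10,guest
2024-02-20T09:00:18Z,4625,10,203.0.113.10,sqlservice
2024-02-20T09:00:22Z,4625,10,203.0.113.10,helpdesk
2024-02-20T09:10:00Z,4625,10,198.51.100.7,jsmith
2024-02-20T09:45:00Z,4625,10,198.51.100.7,jsmith
2024-02-20T10:20:00Z,4625,10,198.51.100.7,jsmith
2024-02-20T09:30:00Z,4625,3,192.0.2.44,svc_print
2024-02-20T09:30:02Z,4625,3,192.0.2.44,svc_print
2024-02-20T09:30:04Z,4625,3,192.0.2.44,svc_print
2024-02-20T09:30:06Z,4625,3,192.0.2.44,svc_print
2024-02-20T09:30:08Z,4625,3,192.0.2.44,svc_print
2024-02-20T09:30:10Z,4625,3,192.0.2.44,svc_print
2024-02-20T10:30:00Z,4624,10,192.0.2.5,jsmith
"""


def parse_events(text: str) -> List[dict]:
    """Parse the constructed CSV records into dicts with a datetime timestamp."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, event_id, logon_type, src, account = line.split(",")
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "event_id": int(event_id),
            "logon_type": int(logon_type),
            "src": src,
            "account": account,
        })
    return events


def detect_rdp_bruteforce(events: Iterable[dict], threshold: int = 5,
                          window: timedelta = timedelta(minutes=5)) -> Dict[str, datetime]:
    """Return {source_ip: time of the failure that crossed the threshold}.

    Only failed RDP logons (4625 with logon type 10) count; a sliding window per
    source address keeps just the failures that fall inside `window`. Threshold
    and window are assumptions for the example, not values from the advisory.
    """
    recent: Dict[str, deque] = defaultdict(deque)
    alerts: Dict[str, datetime] = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["event_id"] != 4625 or ev["logon_type"] != 10:
            continue
        q = recent[ev["src"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:
            q.popleft()  # drop failures that have aged out of the window
        if len(q) >= threshold and ev["src"] not in alerts:
            alerts[ev["src"]] = ev["ts"]
    return alerts


if __name__ == "__main__":
    for src, when in detect_rdp_bruteforce(parse_events(SAMPLE_EVENTS)).items():
        print(f"possible RDP brute force from {src}, threshold crossed at {when:%Y-%m-%d %H:%M:%S}")
```

In the sample, 203.0.113.10 is flagged on its fifth failure within a few seconds, while 198.51.100.7 (three failures spread over an hour) and the 192.0.2.44 burst (network logons, not RDP) are not. The preventive counterpart of this detection is the account lockout policy that CISA's "block access after a specified number of failed attempts" refers to; the log-based check above is what tells you the policy is being tested.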
Prioritizing vulnerabilities and patching in time are next on the list. Last but not least, CISA says organizations should use an EDR solution to disrupt memory allocation techniques.
What I would add to this shortlist is a DNS filtering solution. Phobos hackers use phishing campaigns as an attack vector. So, blocking any communication to and from a potentially malicious link saves lots of stress and resources.