Welcome to the third entry in the Ransomware Group series! Just like before, we'll start with some quick background information on the threat group and include links to IOCs and more detailed analysis. Then we'll dive into some of the group's tactics, techniques, and procedures (TTPs) mapped to the MITRE ATT&CK framework, along with basic detection strategies (Snort and Sigma rules).
Past entries in this series:
Reminder: It goes without saying that a holistic security program is needed and defense in depth strategies should be followed. I’ll be focusing more on detection strategies since these often get overlooked (plus they’re more interesting to me).
What is Phobos?

Phobos is a Ransomware family/variant that operates in a Ransomware-as-a-Service (RaaS) model - with ties to other variants such as Elking, Eight, Devos, Backmydata, and Faust ransomware. Phobos was first observed in early 2019 and has slowly established itself as one of the more prevalent Ransomware variants in existence today.
The group has risen to prominence by causing major disruptions across multiple industries, including "municipal and county governments, emergency services, education, public healthcare, and other critical infrastructure entities to successfully ransom several million U.S. dollars". Its profile rose further by targeting critical infrastructure victims, which led to a joint advisory from the FBI, CISA, and MS-ISAC. Organizations in these same industries should be aware of Phobos ransomware and the common TTPs its affiliates employ.
To learn more about Phobos IOCs and for deeper technical analysis, see the links below:
https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-060a
https://www.malwarebytes.com/blog/news/2019/07/a-deep-dive-into-phobos-ransomware
https://blog.talosintelligence.com/deep-dive-into-phobos-ransomware/
TTP/Detection Strategies
We'll be covering a few of the observed TTPs and mapping them to the MITRE ATT&CK framework. After each TTP, some basic detection strategies will be listed along with sample rules (Snort/Sigma).
Disclaimer: It is critical to understand your network environment when creating detection rules - make sure to test and tune any new rule in a non-production environment.
Initial Access
External Remote Services - T1133 (Link for more info)
Phobos actors may leverage external-facing remote services to initially access and/or persist within a network.
Detection Strategy - T1133
As we saw with LockBit, many threat actors target Remote Desktop Protocol (RDP) for initial access, and Phobos is no exception. RDP must not be exposed directly to the Internet: an Internet-facing listener invites brute-force, password-spray, and stolen-credential logins. Put it behind a VPN or an RDP gateway with MFA, and check your external attack surface regularly so that you find forgotten listeners before an affiliate does.
Here is a sample Snort rule to detect an attempted external RDP connection. It is deliberately narrow: it fires only on the X.224 Connection Request that opens an RDP session, and only on TCP 3389, so RDP moved to a non-standard port or reached through a gateway is not covered. If it fires, treat that as confirmation that RDP is reachable from outside and remove the exposure rather than just tuning the alert:
# Detect an inbound RDP connection request from an external source.
# Payload layout: bytes 0-1 TPKT version/reserved (03 00), bytes 2-3 TPKT length,
# byte 4 X.224 length indicator, byte 5 X.224 TPDU code (E0 = Connection Request).
# The E0 byte is therefore 3 bytes past the end of the first match (distance:3),
# and within:1 pins the check to that single byte.
alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"External RDP Connection Attempt Detected"; flow:to_server,established; content:"|03 00|"; depth:2; content:"|E0|"; distance:3; within:1; classtype:attempted-recon; sid:1000001; rev:1;)
For more information on how to write Snort rules, read through this link.
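Before loading a rule like this into a sensor it is worth checking the byte offsets against a real packet. The following is an added example, not code from the original post: it builds the X.224 Connection Request an RDP client sends (TPKT header plus X.224 CR, as specified in MS-RDPBCGR 2.2.1.1) and replays a simplified model of Snort's content/depth/distance/within matching over it. The packet layout is real; the matcher is an approximation for reasoning about offsets, not a substitute for running Snort against a pcap. The username in the cookie and the HTTP probe payload are constructed test data.

```python
"""Added example (not from the original post): check the byte offsets the Snort
RDP rule relies on by building an X.224 Connection Request and replaying a
simplified model of Snort's content/depth/distance/within matching over it."""


def build_x224_connection_request(username: str) -> bytes:
    """TPKT header followed by an X.224 Connection Request TPDU (MS-RDPBCGR 2.2.1.1).

    Offsets: 0-1 TPKT version/reserved (03 00), 2-3 TPKT length (big-endian),
    4 X.224 length indicator, 5 X.224 TPDU code (E0 = Connection Request).
    """
    cookie = f"Cookie: mstshash={username}\r\n".encode()
    # RDP_NEG_REQ: type 0x01, flags 0x00, length 8, requestedProtocols
    # (PROTOCOL_SSL | PROTOCOL_HYBRID = 0x03), all little-endian.
    neg_req = bytes([0x01, 0x00]) + (8).to_bytes(2, "little") + (0x03).to_bytes(4, "little")
    # CR code, DST-REF, SRC-REF, class option, then the variable part.
    x224_body = bytes([0xE0, 0x00, 0x00, 0x00, 0x00, 0x00]) + cookie + neg_req
    x224 = bytes([len(x224_body)]) + x224_body          # length indicator excludes itself
    tpkt = bytes([0x03, 0x00]) + (4 + len(x224)).to_bytes(2, "big")
    return tpkt + x224


def content_match(payload: bytes, pattern: bytes, *, depth=None,
                  distance=0, within=None, doe=None):
    """Simplified Snort 'content' semantics.

    Absolute (doe is None): search payload[0:depth].
    Relative (doe given): the search window starts 'distance' bytes after the
    end of the previous match (doe) and spans 'within' bytes.
    Returns the end offset of the match (the new doe) or None.
    """
    if doe is None:
        start, end = 0, (len(payload) if depth is None else depth)
    else:
        start = doe + distance
        end = len(payload) if within is None else start + within
    idx = payload.find(pattern, start, end)
    return None if idx < 0 else idx + len(pattern)


def rdp_rule_matches(payload: bytes, distance: int) -> bool:
    """Model of: content:"|03 00|"; depth:2; content:"|E0|"; distance:<distance>; within:1;"""
    doe = content_match(payload, b"\x03\x00", depth=2)
    if doe is None:
        return False
    return content_match(payload, b"\xe0", distance=distance, within=1, doe=doe) is not None


if __name__ == "__main__":
    cr = build_x224_connection_request("alice")
    print("payload head:", cr[:8].hex(" "))
    print("distance:1 ->", rdp_rule_matches(cr, 1))   # tests the TPKT length byte: misses
    print("distance:3 ->", rdp_rule_matches(cr, 3))   # tests the X.224 code byte: hits
    # Non-RDP traffic to 3389 (constructed HTTP probe) must not fire either way.
    print("http probe ->", rdp_rule_matches(b"GET / HTTP/1.1\r\n\r\n", 3))
```

Running it shows why the distance has to be 3: with distance:1 the second content check lands on the low byte of the TPKT length, which is never E0 for a connection request, so the rule would silently never fire.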
Execution/Impact
Windows Management Instrumentation/Inhibit System Recovery - T1047/T1490 (Link1 and Link2 for more info)
Phobos actors used Windows Management Instrumentation command-line utility (WMIC) to prevent victims from recovering files.
Detection Strategy - T1047/T1490
Like most other Ransomware variants, Phobos attempts to delete shadow copies in order to prevent file recovery. The command observed being used to execute this via WMIC is:
wmic shadowcopy delete
Here is an excellent Sigma rule that will detect multiple types of Shadow Copies Deletion with different OS Utilities (including WMIC):
title: Shadow Copies Deletion Using Operating Systems Utilities
id: c947b146-0abc-4c87-9c64-b17e9d7274a2
status: stable
description: Shadow Copies deletion using operating systems utilities
references:
    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
    - https://blog.talosintelligence.com/2017/05/wannacry.html
    - https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/new-teslacrypt-ransomware-arrives-via-spam/
    - https://www.bleepingcomputer.com/news/security/why-everyone-should-disable-vssadmin-exe-now/
    - https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100
    - https://github.com/Neo23x0/Raccine#the-process
    - https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/gen_ransomware_command_lines.yar
    - https://redcanary.com/blog/intelligence-insights-october-2021/
    - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackbyte-exbyte-ransomware
author: Florian Roth (Nextron Systems), Michael Haag, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community, Andreas Hunkeler (@Karneades)
date: 2019/10/22
modified: 2022/11/03
tags:
    - attack.defense_evasion
    - attack.impact
    - attack.t1070
    - attack.t1490
logsource:
    category: process_creation
    product: windows
detection:
    selection1_img:
        - Image|endswith:
              - '\powershell.exe'
              - '\pwsh.exe'
              - '\wmic.exe'
              - '\vssadmin.exe'
              - '\diskshadow.exe'
        - OriginalFileName:
              - 'PowerShell.EXE'
              - 'pwsh.dll'
              - 'wmic.exe'
              - 'VSSADMIN.EXE'
              - 'diskshadow.exe'
    selection1_cli:
        CommandLine|contains|all:
            - 'shadow' # will match "delete shadows" and "shadowcopy delete" and "shadowstorage"
            - 'delete'
    selection2_img:
        - Image|endswith: '\wbadmin.exe'
        - OriginalFileName: 'WBADMIN.EXE'
    selection2_cli:
        CommandLine|contains|all:
            - 'delete'
            - 'catalog'
            - 'quiet' # will match -quiet or /quiet
    selection3_img:
        - Image|endswith: '\vssadmin.exe'
        - OriginalFileName: 'VSSADMIN.EXE'
    selection3_cli:
        CommandLine|contains|all:
            - 'resize'
            - 'shadowstorage'
        CommandLine|contains:
            - 'unbounded'
            - '/MaxSize='
    condition: (all of selection1*) or (all of selection2*) or (all of selection3*)
fields:
    - CommandLine
    - ParentCommandLine
falsepositives:
    - Legitimate Administrator deletes Shadow Copies using operating systems utilities for legitimate reason
    - LANDesk LDClient Ivanti-PSModule (PS EncodedCommand)
level: high
Persistence
Registry Run Keys / Startup Folder - T1547.001 (Link for more info)
Phobos ransomware has been observed using Windows Startup folders and Run Registry Keys for persistence.

Detection Strategy - T1547.001
This same technique is used by many types of malware and threat actors to establish or maintain persistence, so it is important to have a detection rule in place for it.
See this Sigma rule as a good reference point. It attempts to filter out known-good software, but many legitimate programs can and will trigger this type of rule, so expect to extend the filter_* exclusions for your own environment (installers, updaters, and agents that write their own Run keys) and triage the remaining hits by the writing process (Image) and the value being set (Details) rather than by the key name alone:
title: CurrentVersion Autorun Keys Modification
id: 20f0ee37-5942-4e45-b7d5-c5b5db9df5cd
related:
    - id: 17f878b8-9968-4578-b814-c4217fc5768c
      type: obsoletes
status: experimental
description: Detects modification of autostart extensibility point (ASEP) in registry.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md
    - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
    - https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/
author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
date: 2019/10/25
modified: 2023/08/17
tags:
    - attack.persistence
    - attack.t1547.001
logsource:
    category: registry_set
    product: windows
detection:
    current_version_base:
        TargetObject|contains: '\SOFTWARE\Microsoft\Windows\CurrentVersion'
    current_version_keys:
        TargetObject|contains:
            - '\ShellServiceObjectDelayLoad'
            - '\Run\'
            - '\RunOnce\'
            - '\RunOnceEx\'
            - '\RunServices\'
            - '\RunServicesOnce\'
            - '\Policies\System\Shell'
            - '\Policies\Explorer\Run'
            - '\Group Policy\Scripts\Startup'
            - '\Group Policy\Scripts\Shutdown'
            - '\Group Policy\Scripts\Logon'
            - '\Group Policy\Scripts\Logoff'
            - '\Explorer\ShellServiceObjects'
            - '\Explorer\ShellIconOverlayIdentifiers'
            - '\Explorer\ShellExecuteHooks'
            - '\Explorer\SharedTaskScheduler'
            - '\Explorer\Browser Helper Objects'
            - '\Authentication\PLAP Providers'
            - '\Authentication\Credential Providers'
            - '\Authentication\Credential Provider Filters'
    filter_all:
        - Details: '(Empty)'
        - TargetObject|endswith: '\NgcFirst\ConsecutiveSwitchCount'
        - Image|endswith:
              - '\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe' # C:\Users\*\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe
              - '\AppData\Roaming\Spotify\Spotify.exe'
              - '\AppData\Local\WebEx\WebexHost.exe'
        - Image:
              - 'C:\WINDOWS\system32\devicecensus.exe'
              - 'C:\Windows\system32\winsat.exe'
              - 'C:\Program Files\Microsoft OneDrive\StandaloneUpdater\OneDriveSetup.exe'
              - 'C:\Program Files\Microsoft OneDrive\Update\OneDriveSetup.exe'
              - 'C:\Program Files (x86)\Microsoft OneDrive\Update\OneDriveSetup.exe'
              - 'C:\Program Files\KeePass Password Safe 2\ShInstUtil.exe'
              - 'C:\Program Files\Everything\Everything.exe'
              - 'C:\Program Files (x86)\Microsoft Office\root\integration\integrator.exe'
    filter_logonui:
        Image: 'C:\Windows\system32\LogonUI.exe'
        TargetObject|contains:
            - '\Authentication\Credential Providers\{D6886603-9D2F-4EB2-B667-1971041FA96B}\' # PIN
            - '\Authentication\Credential Providers\{BEC09223-B018-416D-A0AC-523971B639F5}\' # fingerprint
            - '\Authentication\Credential Providers\{8AF662BF-65A0-4D0A-A540-A338A999D36F}\' # facial recognition
            - '\Authentication\Credential Providers\{27FBDB57-B613-4AF2-9D7E-4FA7A66C21AD}\' # Trusted Signal (Phone proximity, Network location)
    filter_edge:
        Image|startswith:
            - 'C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\'
            - 'C:\Program Files (x86)\Microsoft\EdgeWebView\'
            - 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
    filter_dropbox:
        Image: 'C:\Windows\system32\regsvr32.exe'
        TargetObject|contains: 'DropboxExt'
        Details|endswith: 'A251-47B7-93E1-CDD82E34AF8B}'
    filter_opera:
        TargetObject|endswith: '\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Opera Browser Assistant'
        Details: 'C:\Program Files\Opera\assistant\browser_assistant.exe'
    filter_itunes:
        TargetObject|endswith: '\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\iTunesHelper'
        Details: '"C:\Program Files\iTunes\iTunesHelper.exe"'
    filter_zoom:
        TargetObject|endswith: '\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\zoommsirepair'
        Details: '"C:\Program Files\Zoom\bin\installer.exe" /repair'
    filter_greenshot:
        TargetObject|endswith: '\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Greenshot'
        Details: 'C:\Program Files\Greenshot\Greenshot.exe'
    filter_googledrive1:
        TargetObject|endswith: '\Software\Microsoft\Windows\CurrentVersion\Run\GoogleDriveFS'
        Details|startswith: 'C:\Program Files\Google\Drive File Stream\'
        Details|contains: '\GoogleDriveFS.exe'
    filter_googledrive2:
        TargetObject|contains: 'GoogleDrive'
        Details:
            - '{CFE8B367-77A7-41D7-9C90-75D16D7DC6B6}'
            - '{A8E52322-8734-481D-A7E2-27B309EF8D56}'
            - '{C973DA94-CBDF-4E77-81D1-E5B794FBD146}'
            - '{51EF1569-67EE-4AD6-9646-E726C3FFC8A2}'
    filter_onedrive:
        Details|startswith:
            - 'C:\Windows\system32\cmd.exe /q /c rmdir /s /q "C:\Users\'
            - 'C:\Windows\system32\cmd.exe /q /c del /q "C:\Users\'
        Details|contains: '\AppData\Local\Microsoft\OneDrive\'
    filter_python:
        TargetObject|contains: '\Microsoft\Windows\CurrentVersion\RunOnce\{'
        Details|contains|all:
            - '\AppData\Local\Package Cache\{'
            - '}\python-'
        Details|endswith: '.exe" /burn.runonce'
    filter_officeclicktorun:
        Image|startswith:
            - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\'
            - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\'
        Image|endswith: '\OfficeClickToRun.exe'
    filter_defender:
        Image: 'C:\Program Files\Windows Defender\MsMpEng.exe'
    filter_teams:
        Image|endswith: '\Microsoft\Teams\current\Teams.exe'
        Details|contains: '\Microsoft\Teams\Update.exe --processStart '
    filter_ctfmon:
        Image: 'C:\Windows\system32\userinit.exe'
        Details: 'ctfmon.exe /n'
    filter_AVG:
        Image|startswith: 'C:\Program Files\AVG\Antivirus\Setup\'
        Details:
            - '"C:\Program Files\AVG\Antivirus\AvLaunch.exe" /gui'
            - '"C:\Program Files (x86)\AVG\Antivirus\AvLaunch.exe" /gui'
            - '{472083B0-C522-11CF-8763-00608CC02F24}'
    filter_aurora_dashboard:
        Image|endswith:
            - '\aurora-agent-64.exe'
            - '\aurora-agent.exe'
        TargetObject|endswith: '\Microsoft\Windows\CurrentVersion\Run\aurora-dashboard'
        Details: 'C:\Program Files\Aurora-Agent\tools\aurora-dashboard.exe'
    filter_everything:
        TargetObject|endswith: '\Microsoft\Windows\CurrentVersion\Run\Everything'
        Details|endswith: '\Everything\Everything.exe" -startup' # We remove the starting part as it could be installed in different locations
    condition: all of current_version_* and not 1 of filter_*
falsepositives:
    - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
    - Legitimate administrator sets up autorun keys for legitimate reason
level: medium
Defense Evasion
Disable or Modify System Firewall - T1562.004 (Link for more info)
Phobos ransomware has been observed weakening host network defenses by modifying the Windows Firewall configuration or disabling it outright.
Detection Strategy - T1562.004
Disabling the Windows Firewall is common across Ransomware variants. Keep a rule for it in place whether or not your organization relies on the host firewall: either way it is suspicious activity unless an administrator has a documented reason. Note that the second command below uses the legacy "netsh firewall" context, which has been deprecated since Windows Vista but is still accepted on current Windows, so both forms need to be covered. These are the commands observed being used by Phobos to disable the firewall:
netsh advfirewall set currentprofile state off
netsh firewall set opmode mode=disable
Here is a Sigma rule that would detect these very commands:
title: Firewall Disabled via Netsh.EXE
id: 57c4bf16-227f-4394-8ec7-1b745ee061c3
status: test
description: Detects netsh commands that turns off the Windows firewall
references:
    - https://www.winhelponline.com/blog/enable-and-disable-windows-firewall-quickly-using-command-line/
    - https://app.any.run/tasks/210244b9-0b6b-4a2c-83a3-04bd3175d017/
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md#atomic-test-1---disable-microsoft-defender-firewall
author: Fatih Sirin
date: 2019/11/01
modified: 2023/02/13
tags:
    - attack.defense_evasion
    - attack.t1562.004
    - attack.s0108
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\netsh.exe'
        - OriginalFileName: 'netsh.exe'
    selection_cli_1:
        # Example: netsh firewall set opmode disable
        CommandLine|contains|all:
            - 'firewall'
            - 'set'
            - 'opmode'
            - 'disable'
    selection_cli_2:
        # Example: netsh advfirewall set currentprofile state off
        CommandLine|contains|all:
            - 'advfirewall'
            - 'set'
            - 'state'
            - 'off'
    condition: selection_img and 1 of selection_cli_*
falsepositives:
    - Legitimate administration activity
level: medium
Exfiltration
Exfiltration to Cloud Storage - T1567.002 (Link for more info)
Phobos threat actors use Mega.io to exfiltrate data to a cloud storage service rather than over their primary command and control channel.
Detection Strategy - T1567.002
Exfiltration is a major concern, especially in a Ransomware attack: many groups steal sensitive data and threaten to leak it unless an extortion fee is paid, on top of the encryption itself. There are many ways to move the data out and therefore many possible detection strategies; the example below takes the DNS angle. This Sigma rule, which comes from NCC Group's research on detecting rclone, uses the windows/dns_query log source (Sysmon Event ID 22 in practice) and fires on lookups of the userstorage.mega.co.nz storage nodes that MEGA clients resolve when uploading. It cannot see transfers from hosts without DNS logging or through a resolver your sensors do not observe, so pair it with egress volume monitoring and a clear policy on which cloud storage services are sanctioned.
title: DNS Query To MEGA Hosting Website
id: 613c03ba-0779-4a53-8a1f-47f914a4ded3
related:
    - id: 66474410-b883-415f-9f8d-75345a0a66a6
      type: similar
status: test
description: Detects DNS queries for subdomains related to MEGA sharing website
references:
    - https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/
author: Aaron Greetham (@beardofbinary) - NCC Group
date: 2021/05/26
modified: 2023/09/18
tags:
    - attack.exfiltration
    - attack.t1567.002
logsource:
    product: windows
    category: dns_query
detection:
    selection:
        QueryName|contains: 'userstorage.mega.co.nz'
    condition: selection
falsepositives:
    - Legitimate DNS queries and usage of Mega
level: medium
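The four Sigma rules in this post (shadow copy deletion, autorun key modification, firewall disabling via netsh, and the MEGA DNS query) all reduce to the same handful of Sigma matching primitives, and the fastest way to understand what they will and will not fire on is to replay them over a few events. The following is an added example, not code from the Sigma project or the original post: a toy evaluator for just the subset of Sigma semantics those rules use (case-insensitive string matching; the contains, contains|all, endswith and startswith modifiers; a map as AND of its fields, a list as OR of its items) with each rule's condition written as a small Python function. The selections are abridged copies of the rules above, and the Sysmon-style events (EID 1 process_creation, EID 13 registry_set, EID 22 dns_query) are constructed for the demonstration, including a fake user SID and paths.

```python
"""Added example (not from the Sigma project or the original post): a toy
evaluator for the subset of Sigma semantics used by the rules in this post,
replayed over constructed Sysmon-style events."""


def _cmp(value: str, want: str, mods: list) -> bool:
    if "contains" in mods:
        return want in value
    if "endswith" in mods:
        return value.endswith(want)
    if "startswith" in mods:
        return value.startswith(want)
    return value == want  # no modifier: exact (case-insensitive) match


def match_field(event: dict, spec: str, expected) -> bool:
    """'Field|mod|mod': value or [values]. A missing field never matches.
    Sigma string matching is case-insensitive; 'all' requires every value."""
    name, *mods = spec.split("|")
    value = str(event.get(name, "")).lower()
    wanted = expected if isinstance(expected, list) else [expected]
    hits = [_cmp(value, str(w).lower(), mods) for w in wanted]
    return all(hits) if "all" in mods else any(hits)


def match_selection(event: dict, selection) -> bool:
    """A map is an AND of its fields; a list of maps is an OR of its items."""
    if isinstance(selection, list):
        return any(match_selection(event, item) for item in selection)
    return all(match_field(event, spec, exp) for spec, exp in selection.items())


# (title, selections, condition) -- selections abridged from the rules quoted above.
RULES = [
    ("Shadow Copies Deletion Using Operating Systems Utilities", {
        "selection1_img": [{"Image|endswith": ["\\powershell.exe", "\\pwsh.exe", "\\wmic.exe",
                                               "\\vssadmin.exe", "\\diskshadow.exe"]},
                           {"OriginalFileName": ["PowerShell.EXE", "pwsh.dll", "wmic.exe",
                                                 "VSSADMIN.EXE", "diskshadow.exe"]}],
        "selection1_cli": {"CommandLine|contains|all": ["shadow", "delete"]},
        "selection2_img": [{"Image|endswith": "\\wbadmin.exe"}, {"OriginalFileName": "WBADMIN.EXE"}],
        "selection2_cli": {"CommandLine|contains|all": ["delete", "catalog", "quiet"]},
    }, lambda s: (s["selection1_img"] and s["selection1_cli"])
              or (s["selection2_img"] and s["selection2_cli"])),
    ("CurrentVersion Autorun Keys Modification", {
        "current_version_base": {"TargetObject|contains": "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion"},
        "current_version_keys": {"TargetObject|contains": ["\\Run\\", "\\RunOnce\\", "\\RunOnceEx\\"]},
        "filter_all": [{"Details": "(Empty)"},
                       {"Image": "C:\\Program Files\\Microsoft OneDrive\\Update\\OneDriveSetup.exe"}],
    }, lambda s: s["current_version_base"] and s["current_version_keys"] and not s["filter_all"]),
    ("Firewall Disabled via Netsh.EXE", {
        "selection_img": [{"Image|endswith": "\\netsh.exe"}, {"OriginalFileName": "netsh.exe"}],
        "selection_cli_1": {"CommandLine|contains|all": ["firewall", "set", "opmode", "disable"]},
        "selection_cli_2": {"CommandLine|contains|all": ["advfirewall", "set", "state", "off"]},
    }, lambda s: s["selection_img"] and (s["selection_cli_1"] or s["selection_cli_2"])),
    ("DNS Query To MEGA Hosting Website", {
        "selection": {"QueryName|contains": "userstorage.mega.co.nz"},
    }, lambda s: s["selection"]),
]


def matching_rules(event: dict) -> list:
    """Titles of every rule whose condition holds for this event."""
    out = []
    for title, selections, condition in RULES:
        state = {name: match_selection(event, sel) for name, sel in selections.items()}
        if condition(state):
            out.append(title)
    return out


# Constructed events using Sysmon field names (EID 1, EID 13, EID 22); the
# SID, user name and paths are made up and not taken from any real incident.
EVENTS = [
    {"Image": "C:\\Windows\\System32\\wbem\\WMIC.exe", "CommandLine": "wmic shadowcopy delete"},
    {"Image": "C:\\Windows\\System32\\vssadmin.exe", "CommandLine": "vssadmin list shadows"},
    {"Image": "C:\\Windows\\System32\\netsh.exe",
     "CommandLine": "netsh advfirewall set currentprofile state off"},
    {"Image": "C:\\Windows\\System32\\netsh.exe", "CommandLine": "netsh advfirewall show allprofiles"},
    {"Image": "C:\\Users\\bob\\AppData\\Local\\Temp\\svchost.exe",
     "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
     "Details": "C:\\Users\\bob\\AppData\\Local\\Temp\\svchost.exe"},
    {"Image": "C:\\Program Files\\Microsoft OneDrive\\Update\\OneDriveSetup.exe",
     "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive",
     "Details": "\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"},
    {"QueryName": "gfs270n391.userstorage.mega.co.nz"},
]

if __name__ == "__main__":
    for ev in EVENTS:
        key = ev.get("CommandLine") or ev.get("TargetObject") or ev.get("QueryName")
        print(matching_rules(ev) or ["(no match)"], "<-", key)
```

The benign events are there on purpose: "vssadmin list shadows" carries the word shadow but not delete, "netsh advfirewall show allprofiles" never sets anything, and the OneDrive updater writing its own Run key is swallowed by filter_all, which is exactly the exclusion mechanism you extend when tuning the autorun rule for your environment. The toy ignores Sigma features the quoted rules do not need (regex, base64 and windash modifiers, aggregation, wildcard-only conditions), so use it to reason about the logic, not as a backend.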
Malware Detection
Ensure that your anti-virus (or other endpoint tool of choice) has signature-based detections in place for the Phobos payloads themselves; the CISA advisory and vendor write-ups linked above carry hashes and YARA you can verify coverage against. Treat signatures as the last layer rather than the first: they lag new builds, which is why the behavioral detections above matter.
Closing
These were just a few of the common TTPs that the Phobos group and its affiliates use. As we have seen, having detections across the MITRE ATT&CK framework helps catch an intrusion at every stage, increasing the likelihood that at least one stage is detected before encryption starts.
Quick Note: I’ll be shifting my post schedule to every other week - I have some other projects in the works and need to spread out my time a little differently. Thanks for understanding.