Researchers at Morphisec say Phobos ransomware has been updated with file-less payload delivery and execution and is now more focused on cyber-espionage.
This latest variant of the malware may be especially hard to detect with the new stealthiness features which make it a better fit for its name – Phobos – a moon of Mars. In one case, it took one company eight months to detect ‘Phobos in their network.
The Morphisec researchers analyzed a brute-force attack on one of Morphisec’s clients that took place in March in which the hackers encrypted a backup server and over the eight months of undetected operation, planted several botnets and crypto miners.
Researchers explained how the malware managed to stay undetected for so long. Partly because the initial-fetcher PowerShell script was encoded in base64, and stayed obfuscated when decoded. In addition, ahe attackers used a string replacement service paste.ee to download payloads. Instead of Vapor, as previously, the loader was now obfuscated with an Agile.NET tool.
However, to leave security tools no chance, the hackers used file-less delivery – executed it directly from memory.
Another difference that makes the ransomware more difficult to detect is that the actors are using less privileged folders and avoiding using files with open handles that can affect critical running processes.
In addition, the researchers noticed Phobos authors now avoid re-encrypting files that have been already encrypted by a previous Phobos version, removed a few redundant functions that may cause detection, including ‘netsh’ which was used to disable the firewall.
Researchers conclude that although Phobos is not considered a sophisticated encrypter, its stealthiness capabilities have gone one level up. This may mean that actors are more interested in remaining undetected than in encrypting data. Disrupting the operations of a company seems to be a last-ditch option for a situation when attackers are uncovered, Morphisec researchers believe.
