Rewterz Threat Alert – Sophisticated Cyber Espionage Campaign Used Zardoor Backdoor to Target Islamic Charity in Saudi Arabia – Active IOCs
February 13, 2024Rewterz Threat Advisory – Multiple Microsoft Windows Products Vulnerabilities Exploit in the Wild
February 14, 2024Rewterz Threat Alert – Sophisticated Cyber Espionage Campaign Used Zardoor Backdoor to Target Islamic Charity in Saudi Arabia – Active IOCs
February 13, 2024Rewterz Threat Advisory – Multiple Microsoft Windows Products Vulnerabilities Exploit in the Wild
February 14, 2024Severity
High
Analysis Summary
Phobos Ransomware is based on the Dharma (aka CrySIS) malware that first appeared at the beginning of 2019. It spreads into several systems via compromised Remote Desktop Protocol (RDP) connections. This malware does not use any UAC bypass methods. Unlike other cybercrime gangs that go after big hunts, Phobos creators go after smaller firms that don’t have sufficient funding to pay massive ransoms. This ransomware usually targets healthcare providers, with victims in the United States, Seychelles, Portugal, Brazil, Indonesia, Germany, Romania, and Japan. Its perpetrators demand a little ransom payment, which appeals to victims and enhances the chances of payment. The average Phobos ransom payment in July 2022 was $36,932
Phobos encrypts data & files and keeps them locked until a ransom is paid. All encrypted files are renamed with the “.phobos” extension, as well as the victim’s unique ID and email address.
Impact
- File Encryption
- Data Exfiltration
Indicators of Compromise
MD5
- 3b6c915658b74fe1efa43545d59a8a91
- 4a90ec2653388e6b39ccd4cff499ea81
- 0a2ac806e89db4f6463cb249bb6573e0
- d769b0ac4aad80862799da9f49125c65
- ca52ef8f80a99a01e97dc8cf7d3f5487
SHA-256
- 7f59ae781bd4355ea07450d8aca5f68ae18642b70abbf04f0cd8d72743e059c9
- f776566bb21cf1c7920b721fa7ca8825fed7b5ef8efac97c08ddd9db6d3464ca
- 3a9e40ec775ea58e26cee711dea45748ae36b428183efa366e107c515575b7c6
- b30875400279111ada1a25046c7fa589d4f5770af082121c85210e236abc78ee
- 396a2f2dd09c936e93d250e8467ac7a9c0a923ea7f9a395e63c375b877a399a6
SHA-1
- e0fb405aab45ac201e9b7e70fafab068635048db
- d0ab209576a332fd61f830ea138ad35a2f5237ff
- 5f1757df6e113ae06781578e32c886663158a54b
- fae9a67dfdf023cbe0507e88df710b1c25a7cdfc
- d4bf7b56d1f022e14a870d724e8da274288bc5db
Remediation
- Block all threat indicators at your respective controls.
- Search for Indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Maintain cyber hygiene by updating your anti-virus software and implementing a patch management lifecycle.
- Maintain Offline Backups – In a ransomware attack, the adversary will often delete or encrypt backups if they have access to them. That’s why it’s important to keep offline (preferably off-site), encrypted backups of data and test them regularly.
- Enable antivirus and anti-malware software and update signature definitions promptly. Using multi-layered protection is necessary to secure vulnerable assets.