New variants of the Phobos ransomware keep appearing, and they not only evolve their attack methods but also frequently change the extension appended to encrypted files compared with earlier variants. In its short history, victims have often complained that the Phobos attackers cheated them by not restoring their files. A new sample discovered in the wild was reported to distribute a new Phobos variant: a Microsoft Word document carrying a malicious Macro designed to spread the EKING variant of Phobos. This variant infects the victim’s system, then scans and encrypts files using the AES algorithm on the victim’s device as well as on shared network folders. When the Word document is opened, it displays a prompt directing the victim to click the “Enable Content” button on the yellow bar to enable Macros. Because Macros can contain malicious code, MS Office Word by default displays a Security Warning that the document could be risky, and the user then decides whether or not to execute the Macro.
However, the document’s warning screen is a ruse. The Macro code contains a built-in event handler named Document_Close(), which is invoked automatically when MS Office Word closes the document. In other words, the malicious Macro code runs when the victim closes the document, which also lets it bypass detection by some sandbox solutions. The Macro code itself is simple and clear. It extracts a base64-encoded block from the opened sample into a local file at “C:\Users\Public\Ksh1.xls”. It then decodes that file into another file by running the command “Certutil -decode C:\Users\Public\Ksh1.xls C:\Users\Public\Ksh1.pdf”. The Macro’s final task is to execute the decoded PE file “Ksh1.pdf” with the command “Rundll32 C:\Users\Public\Ksh1.pdf,In”, which loads the file as a DLL and calls its export named In.

This variant of the ransomware scans not only files on logical drives but also network shares and newly attached logical drives, and it uses multiple threads to do so. The main thread of Phobos waits for all scan threads and encryption threads to finish their work. It then drops two files, info.hta (the HTML version of the ransom note) and info.txt (the text version), onto the Desktop and into the root directory of every available logical drive on the victim’s system. Below is the ransom note sent to victims.
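The two living-off-the-land steps described above (certutil decoding a dropped file, then rundll32 loading a non-PE-named module from an Office parent) are what an endpoint detection rule can key on. The following Python rule set is an added example, not code from the original analysis; the process-creation event tuples, the rule names and the set of Office parent images are constructed assumptions.

```python
import re

# Constructed process-creation events (parent image, child image, command
# line) modelled on the chain described above; not real telemetry.
EVENTS = [
    ("WINWORD.EXE", "certutil.exe",
     r"Certutil -decode C:\Users\Public\Ksh1.xls C:\Users\Public\Ksh1.pdf"),
    ("WINWORD.EXE", "rundll32.exe", r"Rundll32 C:\Users\Public\Ksh1.pdf,In"),
    ("explorer.exe", "certutil.exe", r"certutil -verify C:\certs\corp.cer"),
    ("explorer.exe", "rundll32.exe", r"rundll32.exe shell32.dll,Control_RunDLL"),
]

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}  # assumption
PE_EXTENSIONS = (".dll", ".exe", ".cpl", ".ocx")
# Module path and export name as rundll32 parses them: "<module>,<export>".
RUNDLL32_ARGS = re.compile(r'rundll32(?:\.exe)?\s+"?([^\s,"]+)"?\s*,\s*(\w+)')


def classify(parent, image, cmdline):
    """Return the rule names matched by one process-creation event.

    The parent is taken from the event itself: because the macro fires from
    Document_Close(), WINWORD.EXE may already have exited by the time an
    analyst looks, so rules must not rely on the parent still running.
    """
    hits = []
    img, cl = image.lower(), cmdline.lower()
    office_child = parent.lower() in OFFICE_PARENTS
    # certutil repurposed as a base64 decoder for a dropped file.
    if img == "certutil.exe" and re.search(r"-(decode|decodehex)\b", cl):
        hits.append("certutil_decode")
        if office_child:
            hits.append("office_spawns_certutil_decode")
    # rundll32 told to load a module whose extension is not a PE extension
    # (here a ".pdf" that is really a DLL) and call one of its exports.
    if img == "rundll32.exe":
        m = RUNDLL32_ARGS.search(cl)
        if m and not m.group(1).endswith(PE_EXTENSIONS):
            hits.append("rundll32_nonpe_module")
            if office_child:
                hits.append("office_spawns_rundll32")
    return hits


def scan(events=EVENTS):
    """Map each command line that triggered at least one rule to its hits."""
    results = {}
    for parent, image, cmdline in events:
        hits = classify(parent, image, cmdline)
        if hits:
            results[cmdline] = hits
    return results
```

Running scan() over the constructed events flags only the two commands from the macro chain; the benign certutil and rundll32 invocations produce no hits.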