Rewterz Threat Alert – The EKING Variant of Phobos Ransomware

Severity

Medium

Analysis Summary

New variants of the Phobos ransomware keep coming out that not only evolve attack methods, but also frequently change the extension name of encrypted files in past variants. And in its short history, its victims have often complained that they were cheated by the attacker of Phobos by not restoring files. A new threat sample discovered from the wild is reported to distribute a new Phobos variant. It was a Microsoft Word document with a malicious Macro designed to spread the EKING variant of Phobos. This variant infects victim’s system and scans and encrypts files using an AES algorithm on a victim’s device as well as shared network folders. After opening the Word document, it displays a warning that directs the victim to click an “Enable Content” button on the yellow bar to enable Macros. Since Macros can contain malicious code, MS Office Word by default displays a Security Warning that warns users that the document could be risky. The user can then decide whether or not to execute the Macro.

However, the document warning screen is a ruse. The Macro code has a built-in event function named Document_Close(), which is invoked automatically when MS Office Word exits. In other words, the malicious Macro code is executed when the victim closes the document. This also has the benefit of bypassing detection by some sandbox solutions. The code of the Macro is simple and clear. It extracts a base64-encoded block from the opened sample into a local file at “C:\Users\Public\Ksh1.xls”. It then decodes the file into another file by calling the command “Certutil -decode C:\Users\Public\Ksh1.xls C:\Users\Public\Ksh1.pdf”. The final task of the Macro is to execute the decoded PE file “Ksh1.pdf” by executing the command “Rundll32 C:\Users\Public\Ksh1.pdf,In”. This variant of the ransomware not only scans files on logical drives, but also network sharing resources and new attached logical drives. It uses multiple threads to finish its work. The main thread of Phobos waits for all scan threads and encryption threads to finish their work. It then drops two files, info.hta (html version ransom information) and info.txt (text version ransom information), onto the Desktop as well as into the root directory of available logical drives on the victim’s system. Below is the ransom note sent to victims.

Impact

• Files Encryption
• Security Bypass
• Data Loss

Indicators of Compromise

MD5

• 6dbdd1efcab25eaaec2217e9bcbf0718
• be13334c44f2e0331a6d1d6460ff9359
• 6d6f7813a70f6aa72c2f640ce28dcefa
• c773128bfe2a0b16cc892d89a1a46da6
• 583f53d28cbcf6f47b89ca8a3c13a583
• 97905289b5c3b70769c8edc70c9cb663
• 79524b39ffe4dfa5a42fb2998f3cbba3

SHA-256

• 667f88e8dcd4a15529ed02bb20da6ae2e5b195717eb630b20b9732c8573c4e83
• 6e9c9b72d1bdb993184c7aa05d961e706a57b3becf151ca4f883a80a07fdd955
• 16b2a044c3f73b57154553f955234fe0180d0dd3efc93cc021d746fc2cb6cca0
• 6afec454918c2ea115499359848fe7826a0675d7e1721d56436a08364d3c110b
• fdf2ce98e310a4ef63ac5c4d8bf2976023c547d3c28ef1f84f752ccf864be8ed
• b451b884612f400dca31813c295539306ae32b86b558e64e39b07f881bfbe3a4
• 95f1604f048d3dfbb92a87b4397e540af0fe9787e106d4a2376a9f766f56595d

SHA1

• 8d4782e50282a81c38aed151882647c0ebb3269d
• 94cb40f0a8b5957d481f73ae7b4ad890a11eb8d2
• c28f74f775a1eef9873b0eed61f12bafffa2a71b
• 7513a53a810eec6c06af580978c24df976ebf428
• c8b84a37191b4d1a5dc3cf9c78b89525d6b78ee0
• 3388452dc9655ee89f8f656524d17207d3ed020d
• 905bfbf78d3f7020407a364844117fb47266df71

URL

• http[:]//178[.]62[.]19[.]66/campo/v/v

Remediation

• Block the threat indicators at their respective controls.
• Do not download email attachments coming from untrusted sources.