A glance at the distribution process
- SmokeLoader malware employs a three-stage payload decryption process. In the initial stage, numerous random API calls are used to obscure the execution flow.
- The subsequent two stages involve shellcode stored in allocated memory. The final binary is revealed during the third stage: copying the Windows Portable Executable (PE) data out of that memory block yields the payload in its original form.
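Because the final payload only exists as a PE image inside an allocated memory block, a defender working from a memory dump needs to locate and validate that image before it can be carved out for analysis. The following Python is an added example, not code from the original digest or from any Talos tooling: it scans a byte buffer for `MZ` markers, validates the DOS header, `e_lfanew`, the `PE\0\0` signature and the section table, and reports each embedded image. The memory blob it scans is a constructed sample (a decoy `MZ` string followed by a synthetic two-section PE header), so it runs offline.

```python
import struct

MZ_MAGIC = b"MZ"
PE_MAGIC = b"PE\0\0"

def parse_pe_header(buf, offset):
    """Return a summary dict if a plausible PE image starts at buf[offset], else None."""
    if buf[offset:offset + 2] != MZ_MAGIC or offset + 0x40 > len(buf):
        return None
    # e_lfanew lives at DOS header offset 0x3C and points at the PE signature.
    e_lfanew = struct.unpack_from("<I", buf, offset + 0x3C)[0]
    pe_off = offset + e_lfanew
    if e_lfanew < 0x40 or e_lfanew > 0x1000 or pe_off + 24 > len(buf):
        return None
    if buf[pe_off:pe_off + 4] != PE_MAGIC:
        return None
    # COFF header: Machine, NumberOfSections ... SizeOfOptionalHeader at +20.
    machine, num_sections = struct.unpack_from("<HH", buf, pe_off + 4)
    size_opt = struct.unpack_from("<H", buf, pe_off + 20)[0]
    sec_table = pe_off + 24 + size_opt
    names = []
    for i in range(num_sections):
        s = sec_table + i * 40  # each IMAGE_SECTION_HEADER is 40 bytes
        if s + 40 > len(buf):
            return None
        names.append(buf[s:s + 8].rstrip(b"\0").decode("ascii", "replace"))
    return {"offset": offset, "machine": machine, "sections": names}

def carve_pe_images(buf):
    """Scan a memory blob for embedded PE images and return a summary for each valid hit."""
    hits = []
    pos = buf.find(MZ_MAGIC)
    while pos != -1:
        info = parse_pe_header(buf, pos)
        if info:
            hits.append(info)
        pos = buf.find(MZ_MAGIC, pos + 1)
    return hits

def build_sample_blob():
    """Constructed test input (not real malware): junk bytes, a decoy 'MZ', then a synthetic PE header."""
    dos = bytearray(64)
    dos[0:2] = MZ_MAGIC
    struct.pack_into("<I", dos, 0x3C, 0x80)          # e_lfanew -> PE signature at +0x80
    stub = bytes(0x80 - 64)                          # empty DOS stub
    # Machine=i386, 2 sections, SizeOfOptionalHeader=0xE0, Characteristics=EXECUTABLE|32BIT
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x0102)
    opt = bytes(0xE0)
    sec = lambda name: name.ljust(8, b"\0") + bytes(32)
    image = bytes(dos) + stub + PE_MAGIC + coff + opt + sec(b".text") + sec(b".data")
    junk = b"\x90" * 37 + b"MZ" + b"\x00" * 10 + b"\xcc" * 20  # decoy MZ with no PE header behind it
    return junk + image

if __name__ == "__main__":
    for hit in carve_pe_images(build_sample_blob()):
        print(hit)
```

The decoy `MZ` is rejected because its `e_lfanew` resolves to zero, which shows why the scanner validates the header chain instead of alerting on the two-byte marker alone; on a real dump the same function would be run over each region the loader allocated.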
Diving into details
- Researchers note that the versions of Phobos released after 2019 combine the AES-256 algorithm with different random symmetric keys to encrypt files on victims' systems.
- However, the variant used by the 8Base group includes features that enable the attackers to establish persistence on victims' systems, encrypt files quickly, and remove backups and shadow copies.
- Furthermore, it includes advanced features, such as a .NET profiler DLL loading vulnerability, API calls, and Cyrillic language, to avoid detection by security products.
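The removal of backups and shadow copies is one of the more detectable steps in the behaviour described above, because it is carried out through a small set of built-in Windows utilities. The Python below is an added example written for this digest, not code or detection content from the original report; it applies a handful of command-line rules to constructed Sysmon-style process-creation events. The specific `vssadmin`, `wmic`, `bcdedit` and `wbadmin` patterns are the example author's assumption about commonly observed tradecraft, not commands the page attributes to Phobos.

```python
import re

# Constructed process-creation events (subset of Sysmon Event ID 1 fields); not from the original page.
SAMPLE_EVENTS = [
    {"pid": 4120, "image": r"C:\Windows\System32\vssadmin.exe", "cmdline": "vssadmin delete shadows /all /quiet"},
    {"pid": 4136, "image": r"C:\Windows\System32\wbem\WMIC.exe", "cmdline": "wmic shadowcopy delete"},
    {"pid": 4150, "image": r"C:\Windows\System32\bcdedit.exe", "cmdline": "bcdedit /set {default} recoveryenabled No"},
    {"pid": 4180, "image": r"C:\Windows\System32\vssadmin.exe", "cmdline": "vssadmin list shadows"},
    {"pid": 4200, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
]

# Rule name -> command-line pattern. Benign use of the same binaries (e.g. listing shadows) must not match.
RULES = [
    ("shadow_copy_delete_vssadmin", re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("shadow_copy_delete_wmic", re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("recovery_disabled_bcdedit", re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\b\s+no\b", re.I)),
    ("backup_catalog_delete_wbadmin", re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\bcatalog\b", re.I)),
]

def evaluate_event(event):
    """Return the names of every rule whose pattern matches this event's command line."""
    return [name for name, rx in RULES if rx.search(event["cmdline"])]

def detect_backup_tampering(events):
    """Run all rules over a list of events and return one alert per (event, rule) match."""
    alerts = []
    for ev in events:
        for rule in evaluate_event(ev):
            alerts.append({"pid": ev["pid"], "rule": rule, "cmdline": ev["cmdline"]})
    return alerts

if __name__ == "__main__":
    for alert in detect_backup_tampering(SAMPLE_EVENTS):
        print(alert)
```

Matching on the command line rather than the image path alone keeps the read-only `vssadmin list shadows` event out of the alert set; in production the same rules would typically be expressed in the SIEM's query language and enriched with the parent process, which for ransomware is rarely an administrative shell.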
Cisco Talos assesses that Phobos is closely managed by a central authority that controls the ransomware's private encryption key while it is sold as a Ransomware-as-a-Service (RaaS) to affiliates. As threat actors continue to expand Phobos variants, organizations should track the threat by following the latest IOCs associated with the ransomware.