Google Threat Analysis Group: They use multiple platforms to communicate, a blog as a lure, and a novel social engineering technique.
360 Total Security: There is a new variant of Phobos ransomware in the wild. It has been upgraded in many aspects, such as camouflaging the encryption function module, bypassing security protection mechanisms, and local persistence.
There is a new variant of Phobos ransomware in the wild. It has been discovered by 360 Total Security cyber security experts. The malware uses software such as system activation tools as a carrier to induce users to download and install it, steals the user's machine information, and then contacts the Trojan's C&C server to download the encryption-related programs and carry out the Bitcoin ransom demand. In just over a week, the variant has spread to more than ten countries. The malicious code first appeared in December 2018 and was named after the suffix Phobos that it appends to encrypted files. Compared with the previous version, the variant has been upgraded in many aspects, such as camouflaging the encryption and ransom function module, bypassing the security protection mechanism, and local persistence.
How the malware works, according to the cyber security experts
According to the cyber security experts, once the user is induced to download and run the lure, a first-layer PowerShell script, disguised as harmless "sheepskin", downloads and executes a second PowerShell script, pps.ps1. pps.ps1 decodes the base64-encoded exe data embedded in it, writes the exe into the %userprofile% directory and loads it. That exe steals the victim's computer information and downloads the encryption and ransom components from the Trojan's C&C server. After encrypting files, the Phobos ransomware variant appends a specific suffix to each of them. At the same time, it drops ransom notes named info.hta and info.txt in the desktop directory and in the root directory of each disk on the victim's computer. Opening info.hta, which carries the same text as info.txt, displays a dialog titled "All your files have been encrypted" that gives the criminals' contact information and the Bitcoin ransom payment method.
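The chain above has two artifacts a responder can hunt for without the live sample: a PowerShell stage that carries a base64-encoded executable and writes it under %userprofile%, and the info.hta/info.txt pair dropped on the desktop and in drive roots. The Python below is an added triage example written for this write-up, not code from 360 Total Security or from the malware. The second-stage script it scans, the file listing, the minimal MZ/PE header and the name payload.exe are all constructed for the example; the real pps.ps1 is not reproduced here, and the encrypted-file suffix is not checked because the article does not name it.

```python
"""Triage helpers for the two-stage PowerShell dropper and the ransom-note drop.
Added example; the sample script, file paths and fake PE header are constructed."""
import base64
import binascii
import re
from pathlib import PureWindowsPath
from typing import List, Optional

B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")   # long base64 literals only
NOTE_NAMES = {"info.hta", "info.txt"}                 # ransom-note names from the write-up


def looks_like_pe(data: bytes) -> bool:
    """True if data has an MZ header whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def extract_embedded_pe(script: str) -> Optional[bytes]:
    """Decode each long base64 literal in a script; return the first that is a PE image."""
    for m in B64_TOKEN.finditer(script):
        try:
            blob = base64.b64decode(m.group(0), validate=True)
        except (binascii.Error, ValueError):
            continue
        if looks_like_pe(blob):
            return blob
    return None


def writes_under_userprofile(script: str) -> bool:
    """Stage-two trait from the write-up: decoded bytes written into %userprofile%."""
    s = script.lower()
    return "writeallbytes" in s and ("$env:userprofile" in s or "%userprofile%" in s)


def find_ransom_notes(paths: List[str]) -> List[str]:
    """Return info.hta/info.txt paths that sit in a drive root or a Desktop folder."""
    hits = []
    for raw in paths:
        p = PureWindowsPath(raw)
        if p.name.lower() not in NOTE_NAMES:
            continue
        parent = p.parent
        at_root = parent == parent.parent            # a drive root is its own parent
        on_desktop = parent.name.lower() == "desktop"
        if at_root or on_desktop:
            hits.append(raw)
    return hits


def triage(script: str, paths: List[str]) -> dict:
    """Combine the dropper and ransom-note indicators into one verdict."""
    return {
        "embedded_pe": extract_embedded_pe(script) is not None,
        "drops_to_userprofile": writes_under_userprofile(script),
        "ransom_notes": find_ransom_notes(paths),
    }


def build_fake_pe() -> bytes:
    """Constructed 128-byte MZ/PE header stub (not a real binary) for the sample."""
    dos = bytearray(b"MZ" + b"\x00" * 0x3E)
    dos[0x3C:0x40] = (0x40).to_bytes(4, "little")   # e_lfanew -> PE signature at 0x40
    return bytes(dos) + b"PE\x00\x00" + b"\x00" * 60


FAKE_PE = build_fake_pe()

# Constructed stand-in for the second-stage script; payload.exe is a hypothetical name.
SAMPLE_PS1 = (
    '$d = [Convert]::FromBase64String("' + base64.b64encode(FAKE_PE).decode() + '")\n'
    '[IO.File]::WriteAllBytes("$env:USERPROFILE\\payload.exe", $d)\n'
    'Start-Process "$env:USERPROFILE\\payload.exe"\n'
)

# Constructed file listing from a hypothetical infected host.
SAMPLE_PATHS = [
    r"C:\info.hta",
    r"C:\info.txt",
    r"C:\Users\alice\Desktop\info.hta",
    r"C:\Users\alice\Documents\info.txt",   # not a drop location named in the write-up
    r"D:\info.txt",
    r"C:\Windows\System32\notepad.exe",
]

if __name__ == "__main__":
    print(triage(SAMPLE_PS1, SAMPLE_PATHS))
```

The PE check decodes the literal rather than matching strings, so renaming variables or re-wrapping the blob in the script does not defeat it; the %userprofile% and note-name checks, by contrast, are plain string indicators that a new build can trivially change, so treat them as corroboration rather than a verdict on their own.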