8Base Group Deploys New Phobos Ransomware Variant via SmokeLoader

Phobos Ransomware

The actors of the threat behind the 8Base ransomware uses a variant of Phobos ransomware to conduct their financial attacks.

The findings come from Cisco Talos, which recorded an increase in the activity carried out by cybercriminals.

“Most of the group’s Phobos variants are distributed by SmokeLoader, a backdoor trojan,” security researcher Guilherme Venere said in a statement. two parts analysis published Friday.

“This commodity loader often drops or downloads additional payloads when deployed. In 8Base campaigns, however, it has a ransomware component embedded in its encrypted payloads, which are then decrypted and loaded into the SmokeLoader process’ memory.”

8Base became a sharp focus in the middle of 2023, when a similar increase in activity was observed in the cybersecurity community. It is said to be active at least since March 2022.

A previous analysis from VMware Carbon Black in June 2023 identified parallels between 8Base and RansomHouse, in addition to discovering a Phobos ransomware sample found using the “.8base” file extension for those who had -encrypt file.

This raises the possibility that 8Base is a successor to Phobos or that the threat actors behind the operation are simply using existing strains of ransomware to carry out their attacks, similar to the Vice ransomware group Society.


The latest findings from Cisco Talos show that SmokeLoader is being used as a launchpad to execute the Phobos payloadwhich immediately takes steps to establish continuity, terminate processes that may keep the target files open, disable system recovery, and delete backups as well as shadow copies.

Another unique feature is full encryption of files below 1.5 MB and partial encryption of files above the threshold to speed up the encryption process.

In addition, the artifact includes a configuration with more than 70 options encrypted with a hard-coded key. The configuration opens additional features such as User Account Control (UAC) bypass and report the victim’s infection to an external URL.

There is also a hard-coded RSA key used to protect each file AES key used for encryption, which Talos says helps decrypt files locked by ransomware.

“Once each file is encrypted, the key used for encryption along with additional metadata is then encrypted using RSA-1024 with a hard-coded public key, and stored until the end of file,” added Venere.

“This means, however, that once the private RSA key is known, any file encrypted by any variant of Phobos since 2019 can be reliably decrypted.”

Phobos Ransomware

Phoboswhich first emerged in 2019, is an evolution of the Dharma (aka Crysis) ransomware, which is the ransomware most commonly displayed as variants Eking, Eight, Elbie, Devos, and Faust, based on the number of artifacts found on VirusTotal.

“The samples all have the same source code and are configured to avoid encryption of files already locked by other Phobos affiliates, but the configuration changes slightly depending on the variant deploy,” said Venere. “This is based on a file extension block list in the ransomware’s configuration settings.”

Cisco Talos assessed that Phobos is tightly managed by a central authority, while being sold as a ransomware-as-a-service (RaaS) to other partners based on the same RSA public key, the changes or in contact emails, and regularly update ransomware extension block lists.

“Extension blocklists appear to tell a story of which groups are using the same base sample over time,” Venere said.

“The extension block lists found in many Phobos samples (…) are continuously updated with new files locked in previous Phobos campaigns. This may support the idea that there is a central authority behind the builder keeping track of who has used Phobos in the past. The intent is to prevent Phobos partners from interfering with each other’s operations.”

The improvement comes as FalconFeeds exposed that a threat actor advertises a sophisticated ransomware product called UBUD that is developed in C and has “strong anti-detection measures against virtual machines and debugging tools .”


It also follows a formal complaint filed by the BlackCat ransomware group with the US Securities and Exchange Commission (SEC), which says one of its victims, MeridianLink, failed to comply with the new disclosure regulations requiring affected companies to report incidents within four businesses. day, DataBreaches.net reported.

The financial software company has since confirmed that it was the target of a cyber attack on November 10, but noted that it found no evidence of unauthorized access to its systems.

While the SEC’s disclosure rules don’t take effect until next month on December 18, the unusual pressure tactic is a sign that threat actors are keeping a close eye on the space and are ready to turn on those government regulation for their benefit and force the victims to pay.

That said, it’s worth noting that the enforcement will exclusively apply to situations where companies know the attacks will have a “material” impact on their bottom lines.

Another prolific ransomware gang LockBit, meanwhile, has established new negotiation rules starting in October 2023, which mentions less expected settlements and bigger discounts offered to victims due to “different levels of peer experience.”

“Make a minimum ransom request depending on the company’s annual income, for example 3%, and prohibit discounts of more than 50%,” the LockBit operators said, according to a detailed report from Analyst1.

“Therefore, if the company’s revenue is $100 million USD, the initial ransom request should start from $3 million USD with the final payment not less than $1.5 million USD.”

Did you find this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

Leave a comment