Hackers increase double extortion attacks in recent months

8base Ransomware: Hackers ramp up double extortion attacks in recent months, combining encryption with data leakage

By Caique Barqueta: The 8base ransomware group first surfaced in early March 2022 but remained relatively quiet, carrying out only a few attacks. Like other ransomware groups, it operates by double extortion (encryption + data leakage).

In mid-May and June 2023, the operation spiked in activity against organizations from various sectors, listing 107 victim organizations so far and at times announcing as many as 6 organizations per day.

8base's data leak site went live in May 2023, with the group claiming to be "honest and straightforward": "We are honest and straightforward pentesters. We offer companies the fairest terms for the return of their data."

Figure 1 - 8base main page

They also add that "current vulnerabilities will never be used by the team for further attacks. If new vulnerabilities are discovered, the company will be notified."

Figure 2 - Rules presented by 8base

In addition to the blog, the ransomware group maintains a Twitter profile.

Figure 3 - Twitter profile of the 8base group

Suspicions and identified analyses

The VMware team published a report stating that the 8Base ransomware has significant similarities with the RansomHouse ransomware group.

The first similarity noted was in the ransom notes, compared using the Doc2Vec natural language processing model. In that analysis, the 8base ransom note had a 99% match with the RansomHouse ransom note.

Figure 4 - Ransom notes identified

The leak blogs used by both ransomware groups also appear to be identical.

Figure 5 - Comparison of the ransomware blogs

This applies not only to the main blog page, but also to the "Terms of Service" published by both groups.

Figure 6 - RansomHouse operators' Terms of Service or "Rules"
Figure 7 - Terms of Service or "Rules" of the 8base operators
Figure 8 - Comparison of the FAQ on the ransomware blogs

There are also some differences, the first concerning recruitment or partnerships: RansomHouse states that it works in partnership with other actors, while 8base does not.

The data leak pages of the two groups are also distinct.

VMware's analysis identified a sample used by 8Base as Phobos ransomware, with the ".8base" extension appended to encrypted files. This led researchers to conclude that 8base uses a variety of ransomware families against its victims; the sample analyzed was Phobos version 2.9.1 delivered by SmokeLoader, which handles the initial obfuscation on entry, unpacking, and loading of the ransomware.

Since Phobos is offered as Ransomware-as-a-Service (RaaS), affiliates can customize components such as the ransom note to their needs.

The difference between the ransom notes is that Phobos adds Jabber instructions and the word "phobos" in the top corner of the window, while 8base has only "cartilage" written in the top corner and no Jabber instructions.

Figure 9 - HTA ransom note presented by 8base Ransomware
Figure 10 - HTA ransom note presented by the Phobos Ransomware

Although 8base added its own branding by appending ".8base" to encrypted files, the format of the appended suffix was the same as Phobos's, consisting of an ID section, an email address, and the file extension.

VMware's conclusion is that 8base uses several different ransomware families. There is no confirmation that 8base is a variant of, or part of, the Phobos or RansomHouse operations, but it certainly uses different ransomware and is considered one of the most active ransomware groups of the first half of 2023.

Technical analysis of ransomware

Our intelligence team, Heimdall, identified a sample of 8base ransomware with the hash SHA-256: 2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb. A VirusTotal lookup shows the sample flagged as malicious by 53 of 70 security solutions, several of which identify it as a variant of the Phobos ransomware family.

Figure 11 - Sample identified as malicious 53 out of 70

This sample was compiled on 05/31/2022 at 05:01:04 UTC using the Microsoft Visual C/C++ compiler, for the 32-bit architecture.

Figure 12 - PE Header Information

This indicates that 8base is using a sample compiled in 2022 in its attacks on organizations. The sample also does not have a high entropy, remaining in the 6.0 range.

Figure 13 - Entropy of ransomware used by 8base

For execution, the ransomware requires the user to approve a UAC (User Account Control) prompt, meaning that elevated privileges are needed for its normal data encryption routine.

Upon execution, the ransomware spawns a child process that in turn creates two further processes. The process tree created by the ransomware is presented below.

Figure 14 - Process trees involved with the 8base Ransomware

PID: 7612

Command line:

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

PID: 6032

Command line:

vssadmin delete shadows /all /quiet

This command deletes all existing shadow copies on a Windows system. Its components are:

  • vssadmin: Windows command-line utility used to manage the shadow copies created by VSS;
  • delete shadows: requests deletion of shadow copies;
  • /all: specifies that all shadow copies should be deleted;
  • /quiet: enables silent mode, i.e. no messages or confirmation prompts are displayed during deletion.

PID: 184

Uses WMIC (Windows Management Instrumentation Command-line) to delete Windows shadow copies.

wmic shadowcopy delete

PID: 10036

Uses the Windows bcdedit tool to change the boot configuration so that Windows ignores all boot failures:

bcdedit /set {default} bootstatuspolicy ignoreallfailures

PID: 5404

Uses the Windows bcdedit tool to disable Windows automatic recovery. With this setting set to "no", Windows will not automatically start the recovery environment when it encounters critical errors during startup.

bcdedit /set {default} recoveryenabled no

PID: 1296

Uses the wbadmin tool to delete the Windows Server Backup catalog in silent mode.

wbadmin delete catalog -quiet

Next, PID 9000 is created by PID 9428 and in turn creates further processes in the system, such as:

PID: 4412

conhost.exe launched with the -ForceV1 option, which forces the legacy (v1) console host.

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

PID: 7564

The command that started PID 7564 disables the Windows Firewall for the network profile currently in use, i.e. whichever profile is active at the time (public, private, or domain).

This command requires elevated privileges to run successfully.

netsh advfirewall set currentprofile state off

PID: 4116

The command below also disables the Windows Firewall completely, but uses the legacy netsh firewall context that applies to older versions of Windows, such as Windows XP and Windows Server 2003.

netsh firewall set opmode mode=disable

The ransomware runs the routines of the processes above twice, probably to ensure that all commands have executed successfully.
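As an added example (not code from the original report or from the Heimdall team), the detection logic below scans constructed process-creation records for the recovery-inhibition and firewall-tampering command lines listed above and flags a parent process whose children trigger several of them, since a single such command can be legitimate administration while the cluster is a strong ransomware precursor. The command lines are those quoted in this report; the parent PID 9000 grouping and the benign control event are constructed, and the ATT&CK IDs are the ones used in Table 1.

```python
import re
from collections import defaultdict

# Command-line signatures for the recovery-inhibition and firewall-tampering steps in
# the 8base/Phobos process tree, mapped to the ATT&CK IDs used in this report
# (T1490 Inhibit System Recovery, T1562.001 Disable or Modify Tools).
# Matching is case-insensitive and tolerates the "/set{default}" spacing variant.
SIGNATURES = [
    ("vssadmin_delete_shadows", r"vssadmin(\.exe)?\s+delete\s+shadows", "T1490"),
    ("wmic_shadowcopy_delete", r"wmic(\.exe)?\s+shadowcopy\s+delete", "T1490"),
    ("bcdedit_ignore_failures", r"bcdedit(\.exe)?\s+/set\s*\{default\}\s+bootstatuspolicy\s+ignoreallfailures", "T1490"),
    ("bcdedit_recovery_off", r"bcdedit(\.exe)?\s+/set\s*\{default\}\s+recoveryenabled\s+no", "T1490"),
    ("wbadmin_delete_catalog", r"wbadmin(\.exe)?\s+delete\s+catalog", "T1490"),
    ("netsh_advfirewall_off", r"netsh(\.exe)?\s+advfirewall\s+set\s+\w+\s+state\s+off", "T1562.001"),
    ("netsh_legacy_firewall_off", r"netsh(\.exe)?\s+firewall\s+set\s+opmode\s+mode=disable", "T1562.001"),
]
COMPILED = [(name, re.compile(rx, re.IGNORECASE), tid) for name, rx, tid in SIGNATURES]

def classify(command_line):
    """Return (signature_name, technique_id) for a matching command line, else None."""
    for name, rx, tid in COMPILED:
        if rx.search(command_line):
            return name, tid
    return None

def detect(events, min_distinct=2):
    """Group matching child processes by parent PID; report parents whose children
    trigger at least `min_distinct` different signatures."""
    hits = defaultdict(set)
    for ev in events:
        match = classify(ev["cmd"])
        if match:
            hits[ev["ppid"]].add(match[0])
    return {ppid: sorted(names) for ppid, names in hits.items() if len(names) >= min_distinct}

# Constructed process-creation records (parent PID grouping and the benign event are assumptions).
SAMPLE_EVENTS = [
    {"pid": 6032, "ppid": 9000, "cmd": "vssadmin delete shadows /all /quiet"},
    {"pid": 184, "ppid": 9000, "cmd": "wmic shadowcopy delete"},
    {"pid": 10036, "ppid": 9000, "cmd": "bcdedit /set {default} bootstatuspolicy ignoreallfailures"},
    {"pid": 5404, "ppid": 9000, "cmd": "bcdedit /set {default} recoveryenabled no"},
    {"pid": 1296, "ppid": 9000, "cmd": "wbadmin delete catalog -quiet"},
    {"pid": 7564, "ppid": 9000, "cmd": "netsh advfirewall set currentprofile state off"},
    {"pid": 4116, "ppid": 9000, "cmd": "netsh firewall set opmode mode=disable"},
    {"pid": 3001, "ppid": 4000, "cmd": "vssadmin list shadows"},  # benign: lists, does not delete
]

if __name__ == "__main__":
    for ppid, names in detect(SAMPLE_EVENTS).items():
        print(f"parent PID {ppid}: {len(names)} recovery/defense-tampering signatures -> {names}")
```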

The ransomware also invokes "WerFault.exe" with the parameters -u -p 3740 -s 952. This executable belongs to the Windows Error Reporting mechanism, whose purpose is to capture and report information about errors and failures in the operating system. Based on these parameters, it runs in user mode (-u), -p 3740 indicates the process the tool should monitor, and -s 952 indicates the session ID in which that process is running.

C:\Windows\SysWOW64\WerFault.exe -u -p 3740 -s 952

The ransomware encrypts files using the AES algorithm and, on completion, appends the suffix .id[12 random characters].[support@rexsdata.pro].8base to each file name, as well as dropping the ransom note into every directory it encrypted.

Figure 15 - info.txt file created in the directories
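As an added example (not code from the original report), the parser below splits filenames carrying the Phobos-style suffix described above into original name, victim ID, contact e-mail and extension, and summarises a directory listing for triage. It generalizes slightly beyond this sample by accepting any extension, so other Phobos brandings are parsed too; the victim ID and the listing are constructed, while the e-mail and ".8base" extension are the ones reported here.

```python
import re

# Suffix appended by the 8base/Phobos sample:
#   <original name>.id[<victim id>].[<contact e-mail>].<extension>
# The victim-id group is permissive (the report only says it is random); the
# extension group is generic so that other Phobos brandings are also recognised.
ENCRYPTED_NAME = re.compile(
    r"^(?P<original>.+?)\.id\[(?P<victim_id>[^\]]+)\]\.\[(?P<email>[^\]\s]+)\]\.(?P<ext>[A-Za-z0-9]+)$",
    re.IGNORECASE,
)

def parse_encrypted_name(name):
    """Split an encrypted filename into its parts, or return None if it does not match.
    The lazy 'original' group splits at the first '.id[', so original names that
    themselves contain dots are preserved intact."""
    m = ENCRYPTED_NAME.match(name)
    if not m:
        return None
    parts = m.groupdict()
    parts["is_8base"] = parts["ext"].lower() == "8base"
    return parts

def triage(names):
    """Summarise a directory listing: number of encrypted files, the distinct contact
    e-mails and extensions seen (both are affiliate-specific IoCs), and the original
    filenames that would need restoring from backup."""
    summary = {"encrypted": 0, "emails": set(), "extensions": set(), "originals": []}
    for name in names:
        parts = parse_encrypted_name(name)
        if parts:
            summary["encrypted"] += 1
            summary["emails"].add(parts["email"].lower())
            summary["extensions"].add(parts["ext"].lower())
            summary["originals"].append(parts["original"])
    return summary

# Constructed directory listing; the victim id is a placeholder value.
SAMPLE_LISTING = [
    "quarterly.report.xlsx.id[A1B2C3D4-1234].[support@rexsdata.pro].8base",
    "budget.docx.id[A1B2C3D4-1234].[support@rexsdata.pro].8base",
    "info.txt",  # ransom note dropped by the sample, not an encrypted file
    "desktop.ini",
]

if __name__ == "__main__":
    print(triage(SAMPLE_LISTING))
```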

It also displays the ransom note in HTA format on the system by creating 3 processes.

Figure 16 - HTA ransom note presented by the analyzed sample

TTPs - MITRE ATT&CK, Indicators of Compromise (IoC) and recommendations

Tactic                          Technique                           ID
Execution (TA0002)              Scheduled Task/Job                  T1053
                                Command and Scripting Interpreter   T1059
                                Shared Modules                      T1129
Persistence (TA0003)            Scheduled Task/Job                  T1053
                                Boot or Logon Autostart Execution   T1547
                                Registry Run Keys / Startup Folder  T1547.001
Privilege Escalation (TA0004)   Scheduled Task/Job                  T1053
                                Boot or Logon Autostart Execution   T1547
                                Registry Run Keys / Startup Folder  T1547.001
                                Token Impersonation/Theft           T1134.001
Defense Evasion (TA0005)        Obfuscated Files or Information     T1027
                                Modify Registry                     T1112
                                Indirect Command Execution          T1202
                                Software Packing                    T1027.002
                                Masquerading                        T1036
                                Hidden Files and Directories        T1564.001
                                File Deletion                       T1070.004
                                Virtualization/Sandbox Evasion      T1497
                                Disable or Modify Tools             T1562.001
Credential Access (TA0006)      OS Credential Dumping               T1003
                                Input Capture                       T1056
Discovery (TA0007)              Process Discovery                   T1057
                                Network Share Discovery             T1135
                                System Information Discovery        T1082
                                File and Directory Discovery        T1083
                                Virtualization/Sandbox Evasion      T1497
                                Security Software Discovery         T1518.001
Lateral Movement (TA0008)       Taint Shared Content                T1080
Collection (TA0009)             Data from Local System              T1005
                                Data Staged                         T1074
                                Input Capture                       T1056
Impact (TA0040)                 Inhibit System Recovery             T1490
                                Data Encrypted for Impact           T1486
                                Data Destruction                    T1485
Table 1 - MITRE ATT&CK

ISH Technology processes numerous indicators of compromise collected from open sources, closed sources and analyses performed by the Heimdall security team. Accordingly, the Indicators of Compromise (IoCs) related to the analysis of the artifact(s) in this report are listed below:

Indicators of compromise of the analyzed artifact
md5: 0f281d2506515a64082d6e774573afb7
sha1: 8949f27465913bf475fceb5796b205429083df58
sha256: 2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb
File name: mtx777.exe
Table 2 - IoCs related to the sample analyzed

Indicators of compromise of the artifact analyzed by VMware
md5: 2809e15a3a54484e042fe65fffd17409
sha1: 4a8f0331abaf8f629b3c8220f0d55339cfa30223
sha256: 518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c
File name: mtx777.exe
Table 3 - IoCs related to the VMware sample


Distribution URLs and C2 IP addresses:


Note: The links and IP addresses listed above may still be active; handle these IoCs with care and avoid clicking on them, so as not to become a victim of the malicious content they host.

In addition to the indicators listed above, measures can be taken to mitigate infection by this malware, for example:

  • Perform regular backups: store backup copies of all important data in a secure, offline location.
  • Apply software updates: keep all software assets up to date, including operating systems and applications.
  • Use network protection such as firewalls, antivirus, and other security controls to protect the network.
  • Run awareness training with employees, teaching them to recognize and avoid threats such as phishing and malicious links.
  • Monitor the network and systems regularly to identify and respond quickly to any suspicious activity.
  • Create and implement an incident response plan that can be used in the event of a ransomware attack and covers matters such as backups and system recovery.

References

  • Heimdall by ISH Technology
  • VMware report: 8Base Ransomware
