8Base ransomware stays unseen for a year

• Comes to victims via SmokeLoader malware
• Sample is a PE32 file, written in C\C++
  
• Modified version of Phobos ransomware
  
• Encrypts users' files with AES-256-CBC cipher
  
• Writes IV and encrypted AES key to the end of encrypted files
  
• Data leak site shares similarities with the RansomHouse site
  

8Base ransomware was first spotted in June 2023, with a massive number of targeted victims. It was later discovered that 8Base originated in March 2022 with the launch of an associated data leak site. 8Base also has a Twitter account, which was created in 2014. In the account’s pinned post, the threat actors announced the publication of leaked data from the past year's operation, indicating that in addition to encrypting user files, the group has also exfiltrated data to its own servers.

To deliver 8Base ransomware to the victims' machines, threat actors used SmokeLoader, a botnet that is very popular for ransomware attacks. In addition to malware downloading capabilities, SmokeLoader also has a backdoor function that allows threat actors to exfiltrate victims' data.

The 8Base ransomware sample is a PE32 file, written in C\C++. The compilation timestamp ‘2022-06-23’ matches the start of gang operations. As was mentioned before, its activity was spotted only in June 2023, so this sample remained unseen until this moment.

At the start of execution, 8Base decrypts some executable code, loads it to the ‘eax’ register, and calls it.

While the sample file doesn't have a lot of imports, during execution, it loads separated parts of import names and saves them to local variables for further use.

Here are some imports used to work with files, loaded during execution:

kernel32_FindClose
kernel32_FindNextFileW
kernel32_SystemTimeToFileTime
kernel32_FindFirstFileW
kernel32_MoveFileW
kernel32_GetFileSizeEx
kernel32_SetFilePointerEx
kernel32_SetEndOfFile
kernel32_SetFilePointer
kernel32_GetLogicalDrives
kernel32_CopyFileW
kernel32_GetFileAttributesW
kernel32_ReadFile
kernel32_WriteFile

8Base then loads the mutex name and checks if it already exists. If so, it will terminate execution; if not, it creates a mutex and a new process of itself with the ‘CreateProcessW’ function.

Before encrypting files, 8Base takes some preparatory steps. First, it copies itself to three different folders on the system:

C:\Users\Flare\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\mtx777.exe
C:\Users\Flare\AppData\Local\mtx777.exe

Next, it creates new Registry keys to enable itself to auto-start:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mtx777
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mtx777

It modifies some keys, responsible for internet policy:

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect 0

8Base then uses the ‘Wow64DisableWow64FsRedirection’ function to disable file system redirection.

It executes some commands to delete shadow copies, backup catalogs, change BootStatusPolicy and disable Recovery Mode.

vssadmin  delete shadows /all /quiet
wmic shadowcopy delete
bcdedit  /set {default} bootstatuspolicy ignoreallfailures
bcdedit  /set {default} recoveryenabled no
wbadmin  delete catalog -quiet

It also executes the following commands to disable the firewall:

netsh  advfirewall set currentprofile state off
netsh  firewall set opmode mode=disable

8Base begins searching for available drives on the system with ‘GetLogicalDrives’ and obtains information about them.

Then it starts creating encryption threads:

To search files on the drive, 8Base uses the ‘FindFirstFileW’ and ‘FindNextFileW’ functions. During encryption, it skips the ‘C:\Windows’ folder, files with its own extension, and ransom note files. Other found files are given to the encryption thread.

The encryption thread opens the file, gets its attributes, and reads its context.

Before starting encryption, 8Base creates a new file with a new extension:

<Original file name and extension>.id[<Unique victim ID>].[<Threat actors email>].8base

Next, it transfers data to the encryption function, which uses the AES-256 algorithm in CBC mode. The IV keys are generated randomly during execution and will later be written to the encrypted file. To encrypt the AES key, it uses the RSA algorithm, making this encryption pretty strong. The encryption algorithms are hardcoded and don't use any crypto imports.

After encrypted data is written, 8Base takes one further step — it encrypts the AES key and writes it to the end of the file with the IV key.

With the encryption process completed, we can analyze the file structure.

The first written data in the file is encrypted data. Next, there is a block of data, which is typical for Phobos family ransomware. First, there are 20 bytes of ‘00’ (red line), which are used as a separator between encrypted data and this block. Then there are 16 bytes of IV key, which is different for each encrypted file (green line). Finally, the last block (yellow lines) is an encrypted AES key, which is similar for all files, encrypted in one session.

The ransom note files ‘info.hta’ and ‘info.txt’ are dropped after the completed encryption process in ‘C:\’ and ‘C:\User\User\Desktop.’

While the ransom notes don’t have a link to the data leak site, the threat actor’s Twitter account does:

http://basemmnnqwxevlymli5bs36o5ynti55xojzvn246spahniugwkff2pad.onion/

This site contains the main page with the most recent victims of 8Base ransomware, a page for contacting the threat actors, a FAQ, and a “Rules” page.

The data leak site shares a lot of similarities to the RansomHouse group site, but it is still not clear whether these two groups are connected to each other or whether the 8Base threat actors have simply borrowed their site design.

8Base ransomware successfully stayed unseen for almost a year before it was spotted with a large spike of targeted victims. On their Twitter account, the threat actors actively publish news, including info about recently breached victims.

The sample that was analyzed is a customized version of the Phobos ransomware, which encrypts users' files with AES-256-CBC algorithm, and utilizes SmokeLoader to bring malware to targeted systems.

The most interesting question here is about a potential connection between 8Base and another ransomware group (RansomHouse), as their data leak sites share a lot of similarities.