GOLD EQUINOX
SUMMARY
GOLD EQUINOX is a financially motivated crime group that distributes Phobos ransomware. Phobos is likely descended from Dharma ransomware, which was operated by the GOLD ORION threat group before its source code was advertised for sale on an underground forum in 2019.
GOLD EQUINOX likely operates Phobos as ransomware-as-a-service, using affiliates to gain access to networks and deploy the malware. Because Phobos ransomware is not operated as a name-and-shame scheme, no data is exfiltrated in advance of ransomware deployment. Affiliates use scan-and-exploit techniques to identify and compromise systems, relying heavily on Remote Desktop Protocol (RDP) for access. They also use RDP to move laterally once on the network, and they deploy the ransomware on individual hosts rather than relying on centralized distribution via Group Policy Objects or Active Directory Domain Services. As a consequence, distribution of Phobos ransomware is less comprehensive than that of other variants, but the dwell time before deployment is short; CTU researchers have observed the encryption of hosts within an hour of initial access. Despite the relatively narrow distribution of the ransomware, Phobos deployment can still have a highly damaging impact on business operations.
CTU researchers have observed an affiliate use legitimate off-the-shelf tools for reconnaissance, including Advanced IP Scanner, Advanced Port Scanner, Process Hacker, Mimikatz, and the Everything utility, and then encrypt the folders storing these tools in order to cover their tracks. In addition, the Phobos ransomware executable has been saved to Startup directories on hosts to ensure execution on user logon. Phobos deployments have been observed encrypting files with the .eight, .elbie, and .eking extensions.
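As an added example (not code from the CTU profile), the following Python helper applies the host-level indicators described above, Startup-directory executables, the three observed encrypted-file extensions, and the named reconnaissance tools, to a list of file paths collected from a host; the tool file names and the sample paths are constructed assumptions.

```python
import ntpath

# Indicators taken from the profile above.
PHOBOS_EXTENSIONS = {".eight", ".elbie", ".eking"}
# Assumed on-disk file names for the reconnaissance tools (constructed, not from the page).
RECON_TOOLS = {
    "advanced_ip_scanner.exe", "advanced_port_scanner.exe",
    "processhacker.exe", "mimikatz.exe", "everything.exe",
}
# Per-user and all-users Startup folders share this path fragment on Windows.
STARTUP_MARKER = "\\start menu\\programs\\startup\\"
EXECUTABLE_EXTENSIONS = {".exe", ".bat", ".cmd", ".vbs", ".lnk", ".ps1"}


def triage_paths(paths):
    """Group Windows file paths into the Phobos-related indicator categories."""
    findings = {"encrypted": [], "startup_executables": [], "recon_tools": []}
    for path in paths:
        lower = path.lower()
        name = ntpath.basename(lower)
        _, ext = ntpath.splitext(name)
        if ext in PHOBOS_EXTENSIONS:
            findings["encrypted"].append(path)
        # Executables dropped into a Startup folder run at the next user logon.
        if STARTUP_MARKER in lower and ext in EXECUTABLE_EXTENSIONS:
            findings["startup_executables"].append(path)
        if name in RECON_TOOLS:
            findings["recon_tools"].append(path)
    return findings


def is_suspicious(findings):
    """True when any indicator category has at least one hit."""
    return any(findings.values())


# Constructed sample listing, as a host collection script might produce it.
SAMPLE_PATHS = [
    r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe",
    r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\readme.txt",
    r"C:\Users\alice\Documents\budget.xlsx.eking",
    r"C:\Temp\Advanced_IP_Scanner.exe",
    r"C:\Users\alice\Documents\notes.txt",
]

if __name__ == "__main__":
    result = triage_paths(SAMPLE_PATHS)
    for category, hits in result.items():
        print(category, hits)
```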