Elbie

Elbie is a variant of the Phobos malware, a malicious software designed to infiltrate and damage computer systems. It typically infects systems through suspicious downloads, emails, or websites and can steal personal information, disrupt operations, or hold data hostage for ransom. Based on our analysis, Elbie, along with Eking, Eight, Devos, and Faust, are the most common variants of Phobos, appearing frequently across the samples we analyzed. In early 2023, cybersecurity firm Talos observed an intrusion associated with the Elbie variant of Phobos. The threat actor in this instance targeted an organization's exchange server before moving laterally within the system. The attacker attempted to compromise additional server-side infrastructure including backup servers, database servers, and hypervisor hosts. This demonstrates the sophisticated tactics, techniques, and procedures employed by the threat actors using the Elbie variant. The Elbie variant, like other Phobos variants, uses various email domains for its operations. These include but are not limited to gmx.com, tutanota.com, aol.com, onionmail.org, protonmail.com, zohomail.eu, cock.li, and mailfence.com. In addition, some unique identifiers such as ICQ@HONESTHORSE and ICQ@VIRTUALHORSE were also linked to these intrusions. Recognizing these patterns in communication can help in detecting and mitigating threats posed by Elbie and other similar malware.