Phobos Ransomware Family Expands with New FAUST Variant


Security researchers recently discovered a new variant of the popular Phobos ransomware family named FAUST.

Phobos, which first appeared in 2019, encrypts files on victims’ computers and demands a cryptocurrency ransom for the decryption key.

According to an advisory published by FortiGuard Labs last Thursday, the FAUST variant was found in an Office document using a VBA script to spread the ransomware.

As part of the campaign, the attackers used the Gitea service to store malicious Base64-encoded files. When injected into a system’s memory, these files launch a file encryption attack.

FortiGuard Labs’ analysis revealed a multi-step attack flow, from execution of the VBA script to deployment of the FAUST payload.

“Macros remain a dangerous part of malware delivery because VBA provides functionality that many businesses use for everyday applications,” said John Bambenek, president of Bambenek Consulting.

“The safest way to combat this threat is to completely disable VBA in Office. However, if this is not an option, organizations can at least disable ‘high risk’ features in VBA using Windows Defender attack surface reduction, for example by preventing Office applications from creating child processes or creating executable content.”
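The attack surface reduction controls Bambenek refers to can be rolled out and verified from PowerShell. The script below is an added example, not code from the article or from FortiGuard; it enables the two Windows Defender ASR rules he names (child-process creation and executable-content creation by Office applications) using the rule GUIDs Microsoft publishes, starts them in audit mode so that line-of-business macros can be checked for breakage first, and pulls the Defender operational-log events that audit mode produces. The function names are mine; it needs an elevated PowerShell on a host running Microsoft Defender Antivirus.

```powershell
# Added example (not from the article or the FortiGuard advisory): manage the two
# Office-related ASR rules from the quote above. Run elevated on a host with
# Microsoft Defender Antivirus. The GUIDs are Microsoft's published rule IDs.

$officeAsrRules = [ordered]@{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office applications from creating executable content'
}

function Set-OfficeAsrRules {
    # AuditMode only logs what would be blocked; Enabled blocks; Warn lets the user override.
    param([ValidateSet('Enabled', 'AuditMode', 'Warn', 'Disabled')][string]$Mode = 'AuditMode')
    foreach ($id in $officeAsrRules.Keys) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions $Mode
        Write-Host ("{0,-9} {1}" -f $Mode, $officeAsrRules[$id])
    }
}

function Get-OfficeAsrRuleState {
    # Defender stores each rule's action as a number; map it back to a name.
    $actionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
    $pref = Get-MpPreference
    foreach ($id in $officeAsrRules.Keys) {
        $state = 'NotConfigured'
        for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
            if ($pref.AttackSurfaceReductionRules_Ids[$i] -eq $id) {   # -eq is case-insensitive
                $state = $actionNames[[int]$pref.AttackSurfaceReductionRules_Actions[$i]]
            }
        }
        [pscustomobject]@{ Rule = $officeAsrRules[$id]; Id = $id; State = $state }
    }
}

function Get-OfficeAsrEvents {
    # ASR logs Event ID 1121 (blocked) and 1122 (audited) to the Defender operational log.
    # Review 1122 events after a period in audit mode before switching the rules to Enabled.
    param([int]$Days = 7)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

# Usage: audit first, confirm the state, then inspect what the rules would have blocked.
Set-OfficeAsrRules -Mode AuditMode
Get-OfficeAsrRuleState | Format-Table -AutoSize
Get-OfficeAsrEvents -Days 7 | Select-Object -First 20
```

Once the 1122 audit events show only expected activity, rerun `Set-OfficeAsrRules -Mode Enabled`; a macro that spawns a child process or drops an executable will then be blocked rather than logged, which cuts off the delivery step the FAUST campaign relies on.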

From a technical point of view, FAUST ransomware exhibits persistence mechanisms, adding a registry entry and copying itself to specific startup folders.

It searches for a Mutex object to ensure that only one process is running and contains an exclusion list to avoid double encryption of specific files or encryption of its ransom information. The encrypted files have the extension “.faust” and victims are asked to contact the attackers via email or TOX message to negotiate a ransom.
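The behaviours just described (a Run-key entry, a copy into a Startup folder, files renamed to “.faust”) are the kind of thing an endpoint telemetry pipeline can score. The script below is an added example, not code from the article or from FortiGuard: it runs simple detection logic over a batch of Sysmon-style events constructed inline, using the Sysmon field names for Event ID 13 (registry value set) and Event ID 11 (file create). The specific Run key and the file names are assumptions, since the advisory does not name them, and the function names are mine.

```powershell
# Added example (not from the article or the FortiGuard advisory): score Sysmon-style
# events for the FAUST behaviours the article describes. Field names follow Sysmon
# Event IDs 11 (FileCreate) and 13 (RegistryEvent). The exact Run key FAUST writes
# is an assumption; the sample events below are constructed, not real telemetry.

function Find-FaustIndicators {
    param([Parameter(Mandatory)][object[]]$Events)
    $findings = @()
    foreach ($e in $Events) {
        switch ($e.EventId) {
            13 {
                # Persistence: a value written under a Run key
                if ($e.TargetObject -match '\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\') {
                    $findings += [pscustomobject]@{ Indicator = 'RunKeyPersistence'; Image = $e.Image; Detail = $e.TargetObject }
                }
            }
            11 {
                # Persistence: a copy dropped into a Startup folder
                if ($e.TargetFilename -match '\\Start Menu\\Programs\\Startup\\') {
                    $findings += [pscustomobject]@{ Indicator = 'StartupFolderCopy'; Image = $e.Image; Detail = $e.TargetFilename }
                }
                # Encryption: output files carry the .faust extension
                elseif ($e.TargetFilename -match '\.faust$') {
                    $findings += [pscustomobject]@{ Indicator = 'FaustExtension'; Image = $e.Image; Detail = $e.TargetFilename }
                }
            }
        }
    }
    return $findings
}

function Get-FaustVerdict {
    # Persistence plus a burst of .faust files from the same image is the combination
    # that matters; a lone Run-key write (installers do this too) is only flagged for review.
    param([object[]]$Findings, [int]$MinEncrypted = 3)
    $Findings | Group-Object -Property Image | ForEach-Object {
        $types     = @($_.Group.Indicator)
        $encrypted = @($types | Where-Object { $_ -eq 'FaustExtension' }).Count
        $persist   = @($types | Where-Object { $_ -in @('RunKeyPersistence', 'StartupFolderCopy') }).Count
        if ($encrypted -ge $MinEncrypted -and $persist -gt 0) { $verdict = 'LikelyFAUST' }
        elseif ($encrypted -gt 0 -or $persist -gt 0)          { $verdict = 'Review' }
        else                                                   { $verdict = 'None' }
        [pscustomobject]@{ Image = $_.Name; EncryptedFiles = $encrypted; PersistenceEvents = $persist; Verdict = $verdict }
    }
}

# Constructed sample telemetry: one benign updater and one assumed malicious image.
$mal  = 'C:\Users\alice\AppData\Local\Temp\update_helper.exe'   # constructed path, not a real IoC
$hive = 'HKU\S-1-5-21-1-1-1-1001\Software\Microsoft\Windows\CurrentVersion\Run'
$sampleEvents = @(
    @{ EventId = 13; Image = 'C:\Program Files\Vendor\Updater.exe'; TargetObject = "$hive\VendorUpdater" }
    @{ EventId = 13; Image = $mal; TargetObject = "$hive\update_helper" }
    @{ EventId = 11; Image = $mal; TargetFilename = 'C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update_helper.exe' }
    @{ EventId = 11; Image = $mal; TargetFilename = 'C:\Users\alice\Documents\budget.xlsx.faust' }
    @{ EventId = 11; Image = $mal; TargetFilename = 'C:\Users\alice\Documents\notes.docx.faust' }
    @{ EventId = 11; Image = $mal; TargetFilename = 'C:\Users\alice\Pictures\holiday.jpg.faust' }
    @{ EventId = 11; Image = 'C:\Windows\explorer.exe'; TargetFilename = 'C:\Users\alice\Downloads\report.pdf' }
)

$findings = Find-FaustIndicators -Events $sampleEvents
Get-FaustVerdict -Findings $findings | Format-Table -AutoSize
# Expected: Updater.exe -> Review (one Run-key write), update_helper.exe -> LikelyFAUST
```

In a real deployment the events would come from `Get-WinEvent` against the Sysmon operational log or from a SIEM export rather than the inline array; the threshold on encrypted files is a tuning knob, and the point of grouping by image is that the same process both persisting and mass-renaming files is far more specific than either signal alone.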


The research highlights the threat of fileless attacks and the need to be careful when opening document files from untrusted sources.

“While user awareness and caution are crucial aspects of cybersecurity, a layered defense approach is necessary. Individuals should be careful with attachments and links. Only open attachments or click on links from trusted sources and be wary of unexpected emails,” warned Sarah Jones, cyberthreat research analyst at Critical Start.

“In addition, it is essential to regularly update your operating system, applications, and firmware to patch vulnerabilities that attackers can exploit. Additionally, individuals should ensure their passwords are strong and unique and enable two-factor authentication whenever possible to add an extra layer of security.”
