Security researchers have recently uncovered a new variant of the notorious Phobos ransomware family named FAUST.
Phobos, which first emerged in 2019, encrypts files on victims’ computers and demands a ransom in cryptocurrency for the decryption key.
According to an advisory published by FortiGuard Labs last Thursday, the FAUST variant was found in an Office document utilizing a VBA script to propagate the ransomware.
As part of the campaign, the attackers employed the Gitea service to store malicious files encoded in Base64. When injected into a system’s memory, these files initiate a file encryption attack.
The FortiGuard Labs analysis revealed a multi-stage attack flow, from VBA script execution to the deployment of the FAUST payload.
“Macros remain a dangerous part of malware delivery because VBA provides functionality that many companies use for day-to-day applications,” explained John Bambenek, president at Bambenek Consulting.
“The safest way to deal with this threat is to disable VBA in Office entirely. However, if that’s not an option, organizations can at least disable ‘high-risk’ functionality in VBAs using Windows Defense Attack Surface Reduction, such as preventing office applications from creating child processes or from creating executable content.”
From a technical standpoint, FAUST ransomware exhibits persistence mechanisms, adding a registry entry and copying itself to specific startup folders.
It checks for a Mutex object to ensure only one process is running, and it contains an exclusion list to avoid double-encrypting specific files or encrypting its ransom information. The encrypted files carry the “.faust” extension, and victims are instructed to contact the attackers via email or TOX message for ransom negotiations.
The research underscores the threat of fileless attacks and the need for user caution when opening document files from untrusted sources.
“While user awareness and caution are crucial aspects of cybersecurity, a layered approach to defense is necessary. Individuals should be cautious with attachments and links. Only opening attachments or clicking on links from trusted sources and be wary of unexpected emails,” warned Sarah Jones, cyber threat intelligence research analyst at Critical Start.
“Additionally, regularly updating your operating system, applications, and firmware to patch vulnerabilities attackers can exploit is critical. Furthermore, individuals need to ensure their passwords are strong and unique and enable two-factor authentication whenever possible to add an extra layer of security.”