Cybersecurity researchers have discovered a new variant of the Phobos ransomware family named Faust. This iteration was documented by Fortinet FortiGuard Labs, which detailed its dissemination method involving a Microsoft Excel document (.XLAM) that contains a VBA script capable of executing malicious actions.

The attack initiates when the victim opens the Excel document, which downloads Base64-encoded data hosted on the Gitea platform. This process not only generates a seemingly innocuous XLSX file but also stealthily retrieves an executable disguised as an AVG AntiVirus updater.

According to security researcher Cara Lin, once this binary lands on the system it acts as a downloader. It launches a further executable, “SmartScreen Defender Windows.exe,” which triggers the file-encryption routine using a fileless technique that injects malicious shellcode directly into memory.
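
The two masquerades in that chain (an “AVG updater” dropped by Excel and a “SmartScreen Defender Windows.exe” launched from it) are visible in process-creation telemetry. The following added example, written for this article and not taken from the FortiGuard report, applies two heuristics to constructed Sysmon-style events; the log format, file paths and file names are assumptions.

```python
import re
from typing import List, Tuple

# Constructed process-creation events in a simplified "parent>child|image_path" form.
SAMPLE_EVENTS = [
    r"EXCEL.EXE>AVGupdate.exe|C:\Users\alice\AppData\Local\Temp\AVGupdate.exe",
    r"AVGupdate.exe>SmartScreen Defender Windows.exe|C:\Users\alice\AppData\Local\Temp\SmartScreen Defender Windows.exe",
    r"explorer.exe>EXCEL.EXE|C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
    r"services.exe>AVGSvc.exe|C:\Program Files\AVG\Antivirus\AVGSvc.exe",
]

OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe"}
# Directories a macro-dropped payload typically lands in (assumed).
USER_WRITABLE = re.compile(r"^c:\\users\\[^\\]+\\(appdata|downloads|desktop)\\", re.I)
# Roots where genuine Windows and vendor security binaries live (assumed).
TRUSTED_ROOTS = re.compile(r"^c:\\(windows|program files( \(x86\))?)\\", re.I)
# Product names the chain described above borrows for its executables.
LURE_NAMES = re.compile(r"smartscreen|defender|avg", re.I)


def parse_event(line: str) -> Tuple[str, str, str]:
    """Split 'parent>child|image_path' into (parent, child, image_path)."""
    procs, image = line.split("|", 1)
    parent, child = procs.split(">", 1)
    return parent.strip(), child.strip(), image.strip()


def evaluate(parent: str, child: str, image: str) -> List[str]:
    """Return the names of the heuristics an event matches (empty if benign)."""
    hits = []
    # Heuristic 1: an Office application spawning a binary from a user-writable path.
    if parent.lower() in OFFICE_PARENTS and USER_WRITABLE.match(image):
        hits.append("office-spawned-binary-in-user-dir")
    # Heuristic 2: a security-product lookalike running outside trusted install roots.
    if LURE_NAMES.search(child) and not TRUSTED_ROOTS.match(image):
        hits.append("security-product-lookalike-outside-trusted-path")
    return hits


def analyze(lines) -> List[Tuple[str, str]]:
    """Run both heuristics over every event; return (rule, child_process) pairs."""
    findings = []
    for line in lines:
        parent, child, image = parse_event(line)
        for rule in evaluate(parent, child, image):
            findings.append((rule, child))
    return findings


if __name__ == "__main__":
    for rule, proc in analyze(SAMPLE_EVENTS):
        print(f"{rule}: {proc}")
```

The legitimate AVG service in the last sample event produces no finding because it runs from its vendor install path, which is the distinction the path check is meant to capture.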

The Faust variant has been linked to several other ransomware versions from the Phobos family, including Eking, Eight, and 8Base, and has been active since 2022. Notably, it does not limit its attacks to specific industries or geographic locations, broadening its target pool.

The identified tactics map to several techniques in the MITRE ATT&CK framework. Initial access is gained through the malicious Excel document and its embedded script. Faust also shows persistence-related behaviour: it creates multiple threads for execution and can maintain its presence within an infected environment.

FortiGuard Labs highlights that Faust not only improves its operational efficiency but also demonstrates an ability to bypass conventional defenses. Its stealthy execution allows multiple malware payloads to be delivered and orchestrated silently without raising alarms.

As digital threats evolve, the emergence of Faust aligns with a trend marked by the proliferation of new ransomware families. Noteworthy recent examples include Albabat, DHC, and Kuiper, with the latter attributed to the threat actor known as RobinHood. This new breed of ransomware, particularly Golang-based variants, enhances cross-platform capabilities, allowing attackers to exploit vulnerabilities across different operating systems with minimal adjustments.

The persistence of these emerging threats underscores the urgency for organizations to fortify their cybersecurity measures. A notable trend is a shift among victims who, previously more inclined to pay ransoms, are becoming increasingly resistant to such demands. This evolution reflects a growing awareness of the inefficacy of paying ransoms, with reports indicating a decline in the percentage of victims who opt to pay from 41% to 29% in Q4 2023.

This decreasing trend in ransom payments coincides with a noticeable drop in average payment amounts, further suggesting a shift in dynamics within the ransomware landscape. The average ransom payment plummeted by 33%, indicating that victims are reassessing the value of recovering their data against the risks of compliance and future security breaches.

Experts continue to advocate for proactive measures and robust incident response strategies to mitigate the persistent threat posed by ransomware actors seeking to exploit any vulnerability within business infrastructures. As threats such as Faust become more sophisticated, continuous vigilance and adaptation will be key in combating these cyber adversaries.
