Security researchers have discovered a new variant of Phobos ransomware in the wild that uses an Office document for propagation. Named FAUST, the ransomware is the latest iteration of the Phobos family after Eking, Eight, Elbie, Devos, and 8Base.
Infection chain
According to Fortinet Labs, the attack chain commences with an XLAM document that contains an embedded VBA script.
Accessing the doc triggers a PowerShell command to download Base-64 encoded data from the Gitea service, to be saved in an XLSX file.
This file stealthily retrieves an executable that masquerades as an updater for the AVG antivirus software.
The executable acts as a downloader and launches another executable, named SmartScreen Defender Windows.exe, which kickstarts the encryption process by employing a fileless attack to deploy the malicious code.
Capabilities of FAUST ransomware
The ransomware appends the .faust extension to each encrypted file and generates info.txt and info.hta within the directories, which serve as a means to establish contact with the attackers for ransom negotiations.
To prevent damaging the systems and ensure that ransom information isn’t encrypted, FAUST ransomware excludes certain file extensions, directories, and filenames.
It also keeps decryption functions configurable and initiates multiple threads for various tasks, including encryption deployment, file scanning, and seeking specific database-related files.
Two new ransomware families spotted
Albabat, also known as White Bat, surfaced recently along with its three variants. It masquerades as a fake Windows 10 digital activation tool and cheat program for the Counter-Strike 2 game to infect users.
Kasseika is a ransomware family discovered last week. It employs BYOVD attacks to disable antivirus software before encrypting files. It shares similarities with BlackMatter ransomware.
Conclusion
The ransomware landscape continues to evolve with several new strains showing up. To ensure safety against these, organizations should consider strongly safeguarding endpoints, periodically backing up files, and keeping all software up-to-date. Furthermore, it is recommended to leverage IOCs associated with ransomware and bolster your defense accordingly.