Security researchers have discovered a new variant of Phobos ransomware in the wild that uses an Office document for propagation. Named FAUST, the ransomware is the latest iteration of the Phobos family after Eking, Eight, Elbie, Devos, and 8Base.

Infection chain

  • According to Fortinet Labs, the attack chain commences with an XLAM document that contains an embedded VBA script.
  • Opening the document triggers a PowerShell command that downloads Base64-encoded data from the Gitea service and saves it as an XLSX file.
  • This file stealthily retrieves an executable that masquerades as an updater for the AVG antivirus software.
  • The executable acts as a downloader and launches another executable, named SmartScreen Defender Windows.exe, which kickstarts the encryption process by employing a fileless attack to deploy the malicious code.

Capabilities of FAUST ransomware

  • The ransomware appends the .faust extension to each encrypted file and drops info.txt and info.hta in the affected directories; these ransom notes are the victim's means of contacting the attackers to negotiate payment.
  • To avoid rendering the system unusable, and to ensure the ransom notes themselves are not encrypted, FAUST excludes certain file extensions, directories, and filenames from encryption.
  • It also keeps its decryption functions configurable and spawns multiple threads for different tasks, including deploying the encryption, scanning files, and searching for specific database-related files.
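As an added example (not code from the article or from the Fortinet report), the following Python script triages constructed endpoint telemetry for the FAUST behaviours described in the infection chain and capabilities sections above: an Office process spawning encoded PowerShell, the SmartScreen Defender Windows.exe loader name, and a burst of .faust renames alongside info.txt/info.hta notes in the same directory. The log field layout, the parent name AVG-updater.exe and the thresholds are assumptions.

```python
"""Triage constructed endpoint telemetry for FAUST ransomware indicators."""
import re
from collections import defaultdict

# Constructed sample events: (kind, detail). Field layout is an assumption.
SAMPLE_EVENTS = [
    ("proc", "parent=EXCEL.EXE image=powershell.exe cmdline=powershell -enc SQBFAFgA..."),
    ("proc", "parent=AVG-updater.exe image=SmartScreen Defender Windows.exe"),
    ("file_rename", r"C:\Users\bob\Docs\q1.xlsx -> C:\Users\bob\Docs\q1.xlsx.faust"),
    ("file_rename", r"C:\Users\bob\Docs\q2.docx -> C:\Users\bob\Docs\q2.docx.faust"),
    ("file_create", r"C:\Users\bob\Docs\info.hta"),
    ("file_create", r"C:\Users\bob\Docs\info.txt"),
    ("file_rename", r"C:\Users\bob\Pictures\a.jpg -> C:\Users\bob\Pictures\a.jpg.bak"),
]

OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe"}  # XLAM opens in Excel
FAUST_NOTES = {"info.txt", "info.hta"}  # ransom note names from the article
FAUST_EXT = ".faust"
MIN_RENAMES = 2  # assumed threshold for a rename burst per directory


def parent_dir(path):
    return path.rsplit("\\", 1)[0].lower()


def triage(events):
    """Return (rule, evidence) findings for the three FAUST behaviours."""
    findings = []
    renamed = defaultdict(int)  # directory -> files given the .faust extension
    notes = defaultdict(set)    # directory -> ransom-note names created
    for kind, detail in events:
        if kind == "proc":
            fields = dict(re.findall(r"(\w+)=(.+?)(?= \w+=|$)", detail))
            parent = fields.get("parent", "").lower()
            image = fields.get("image", "").lower()
            encoded = " -enc" in fields.get("cmdline", "").lower()
            if parent in OFFICE_PARENTS and image == "powershell.exe" and encoded:
                findings.append(("office_spawns_encoded_powershell", detail))
            if image == "smartscreen defender windows.exe":
                findings.append(("faust_loader_process_name", detail))
        elif kind == "file_rename" and detail.lower().endswith(FAUST_EXT):
            renamed[parent_dir(detail.split(" -> ")[1])] += 1
        elif kind == "file_create":
            name = detail.rsplit("\\", 1)[1].lower()
            if name in FAUST_NOTES:
                notes[parent_dir(detail)].add(name)
    for d, n in renamed.items():  # renames plus a note in the same directory
        if n >= MIN_RENAMES and notes[d]:
            findings.append(("faust_encryption_artifacts",
                             f"{d}: {n} .faust files, notes={sorted(notes[d])}"))
    return findings
```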

Two new ransomware families spotted

  • Albabat, also known as White Bat, surfaced recently along with three variants. It is distributed disguised as a fake Windows 10 digital activation tool and as a cheat program for the game Counter-Strike 2.
  • Kasseika is a ransomware family discovered last week. It employs BYOVD attacks to disable antivirus software before encrypting files. It shares similarities with BlackMatter ransomware.

Conclusion

The ransomware landscape continues to evolve, with several new strains surfacing. To defend against them, organizations should harden their endpoints, back up files regularly, and keep all software up to date. It is also recommended to ingest the IOCs associated with these ransomware families and tune defenses accordingly.
Cyware Publisher