Key Takeaways
What is Faust?
Fortinet researchers discovered Faust lurking in an Office document carrying a VBA script used to propagate the ransomware. When the document is opened, the macro launches a PowerShell script for the next stage.
According to Fortinet, the threat actors used Gitea to host several Base64-encoded files that carried a malicious binary. One of these files decodes into a clean XLSX file, which is saved to the TEMP folder and opened automatically to serve as a decoy. An executable named "AVG update.exe" is also written to the victim machine. Despite its name, "AVG update.exe" is a downloader with detection-evasion and anti-analysis capabilities; it initiates the infection chain that culminates in file encryption.
Faust appends the .faust extension to encrypted files and drops both text and HTML ransom notes. It establishes persistence by adding a registry value under HKCU\Software\Microsoft\Windows\CurrentVersion\Run and by placing a copy of itself into two Startup folders.
IOCs
PolySwarm has multiple samples of Faust.
426284b7dedb929129687303f1bf7e4def607f404c93f7736d17241e43f0ab33
50e2cb600471fc38c4245d596f92f5444e7e17cd21dd794ba7d547e0f2d9a9d5
a0a59d83fa8631d0b9de2f477350faa89499e96fd5ec07069e30992aaabe913a
ebe77c060f8155e01703cfc898685f548b6da12379e6aefb996dbcaac201587c
You can use the following CLI command to search for all Faust samples in our portal:
$ polyswarm link list -f Faust
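The following triage script is an added example written for this post; it is not PolySwarm or Fortinet code. It walks a directory tree and reports the three host-side artifacts described above: files carrying the .faust extension, files named "AVG update.exe" (including a Startup-folder copy), and any file whose SHA-256 matches the IOC list. The sample tree it builds is constructed and harmless (placeholder bytes, not real malware or encrypted data), and the per-user Startup path it uses is an assumption, since the report does not name the two Startup folders.

```python
"""Offline triage for Faust ransomware artifacts (added example, not the report's code)."""
import hashlib
import sys
import tempfile
from pathlib import Path

# SHA-256 IOCs listed in the report above.
FAUST_SHA256 = {
    "426284b7dedb929129687303f1bf7e4def607f404c93f7736d17241e43f0ab33",
    "50e2cb600471fc38c4245d596f92f5444e7e17cd21dd794ba7d547e0f2d9a9d5",
    "a0a59d83fa8631d0b9de2f477350faa89499e96fd5ec07069e30992aaabe913a",
    "ebe77c060f8155e01703cfc898685f548b6da12379e6aefb996dbcaac201587c",
}
ENCRYPTED_EXT = ".faust"         # extension Faust appends to encrypted files
DROPPER_NAME = "avg update.exe"  # downloader name from the report, compared case-insensitively


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large volumes never need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def triage(root, iocs=frozenset(FAUST_SHA256)) -> dict:
    """Walk `root` and collect encrypted files, dropper-named files and IOC hash matches.

    `iocs` defaults to the report's hashes; pass your own set to add new indicators.
    """
    report = {"encrypted": [], "dropper_names": [], "ioc_hits": []}
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        if path.suffix.lower() == ENCRYPTED_EXT:
            report["encrypted"].append(str(path))
        if path.name.lower() == DROPPER_NAME:
            report["dropper_names"].append(str(path))
        digest = sha256_file(path)  # hash everything; renamed droppers still match
        if digest in iocs:
            report["ioc_hits"].append((str(path), digest))
    return report


def build_sample_tree() -> Path:
    """Create a constructed, harmless directory layout mimicking a post-infection host."""
    root = Path(tempfile.mkdtemp(prefix="faust-triage-"))
    # Assumed per-user Startup folder; the report does not name the two folders Faust uses.
    startup = root / "AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup"
    for folder in (root / "Documents", root / "Downloads", startup):
        folder.mkdir(parents=True)
    # Constructed stand-ins: arbitrary bytes, not real encrypted data or real malware.
    (root / "Documents/report.docx.faust").write_bytes(b"\x8f\x12encrypted-stand-in\x00" * 4)
    (root / "Documents/budget.xlsx.faust").write_bytes(b"\x3a\x91another-stand-in\x00" * 4)
    (root / "Documents/notes.txt").write_text("untouched file\n")
    fake_dropper = b"MZ-constructed-placeholder-not-an-executable"
    (root / "Downloads/AVG update.exe").write_bytes(fake_dropper)
    (startup / "AVG update.exe").write_bytes(fake_dropper)  # the Startup-folder copy
    return root


if __name__ == "__main__":
    # Usage: python faust_triage.py [directory]; with no argument, scans the sample tree.
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else build_sample_tree()
    for key, rows in triage(target).items():
        print(f"{key}: {len(rows)}")
        for row in rows:
            print("   ", row)
```

Run it against a mounted image or a user profile directory to get a quick count of encrypted files and dropper copies before pulling the Run-key value for confirmation. The IOC set is a parameter so that hashes retrieved from the PolySwarm portal can be added without editing the script.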
Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports.