
Faust Ransomware

Written by The Hivemind | Feb 12, 2024 6:07:27 PM

Related Families: Phobos

Executive Summary

Faust is a newly discovered variant of Phobos ransomware delivered via an Office document containing a malicious VBA script.

Key Takeaways

  • Faust is a newly discovered variant of Phobos ransomware.
  • It is delivered via an Office document containing a malicious VBA script.
  • Faust’s downloader employs detection evasion and anti-analysis capabilities.
  • Faust appends the .faust extension to encrypted files and generates both a text and an HTML ransom note.

What is Faust?

Faust is a newly discovered variant of Phobos ransomware, first reported by Fortinet. Faust’s predecessor, Phobos ransomware, was first observed in 2019 and is related to the Dharma malware family.

Fortinet researchers discovered Faust lurking in an Office document with a VBA script used to propagate the ransomware. When the document is opened, the script triggers a PowerShell script for the next stage.

According to Fortinet, the threat actors used Gitea to store several Base64 encoded files that carried a malicious binary. The file can be decoded into a clean XLSX file, which is saved to the TEMP folder and automatically opened to serve as a decoy. An executable named “AVG update.exe” is saved onto the victim machine. The “AVG update.exe” file is actually a downloader with detection evasion and anti-analysis capabilities. The downloader then initiates the infection chain that culminates in file encryption.

Faust appends the .faust extension to encrypted files and generates both text and HTML ransom notes. It also establishes persistence by adding a registry key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run and placing a copy of itself into two Startup folders.
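As an added triage example (not code from the PolySwarm post or from Fortinet), the following script checks a host for the two observable traits described above: files carrying the .faust extension, and a Run-key entry whose executable also appears in a Startup folder. The sample Run values, the Startup folder path and the file names are constructed for the demo; the per-user Startup folder location is an assumption, since the post does not name the two folders.

```python
import tempfile
from pathlib import Path

FAUST_EXT = ".faust"  # extension the post says Faust appends to encrypted files


def basename_win(win_path):
    """Last component of a Windows path, even when run on a non-Windows host."""
    return win_path.replace("\\", "/").rstrip("/").rsplit("/", 1)[-1].lower()


def exe_name(cmd):
    """Executable name from a Run-key command line, quoted or unquoted."""
    cmd = cmd.strip()
    path = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(" ", 1)[0]
    return basename_win(path)


def find_encrypted(root):
    """Sorted relative paths under root whose extension is .faust."""
    root = Path(root)
    return sorted(p.relative_to(root).as_posix()
                  for p in root.rglob("*") if p.is_file() and p.suffix.lower() == FAUST_EXT)


def correlate_persistence(run_entries, startup_files):
    """Flag Run values whose executable also sits in a Startup folder.

    run_entries: {value_name: command_line} exported from
      HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
    startup_files: full paths of files found in the Startup folders
    A binary registered in Run and also dropped into Startup matches the
    dual persistence the post describes and is worth reviewing.
    """
    startup_names = {basename_win(f) for f in startup_files}
    return sorted(name for name, cmd in run_entries.items()
                  if exe_name(cmd) in startup_names)


def demo():
    """Constructed sample data (not from a real infection) exercising both checks."""
    with tempfile.TemporaryDirectory() as tmp:
        for name in ("report.docx.faust", "budget.xlsx.faust", "notes.txt"):
            (Path(tmp) / name).write_bytes(b"constructed")
        encrypted = find_encrypted(tmp)
    run_entries = {  # constructed values in the usual quoted Run-key form
        "OneDrive": r'"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
        "svchost_update": r'"C:\Users\u\AppData\Local\svchost_update.exe"',
    }
    startup_files = [  # constructed; per-user Startup folder (assumed location)
        r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost_update.exe",
    ]
    return encrypted, correlate_persistence(run_entries, startup_files)
```

On a live Windows host, feed `correlate_persistence` the Run values exported from the registry and a listing of both Startup folders, and point `find_encrypted` at user data directories.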

IOCs

PolySwarm has multiple samples of Faust.


You can use the following CLI command to search for all Faust samples in our portal:

$ polyswarm link list -f Faust

Don’t have a PolySwarm account? Go here to sign up for a free Community plan or to subscribe.

Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports.