Security researchers have recently discovered a new variant of the infamous Phobos ransomware family called Faust.
Phobos first appeared in 2019 by encrypting files on the victim's computer and demanding a ransom payment of the decryption key in cryptocurrency.
According to a report published by Fortiguard Labs last Thursday, the Faust variant was found in an Office document that utilized VBA scripts to spread ransomware.
As part of the attack campaign, the attackers used the GITEA service to store base64-encoded malicious files. When injected into system memory, these files launch a file encryption attack.
The analysis by Fortiguard Labs revealed a multi-stage attack flow, from VBA script execution to the deployment of the Faust payload.
John Bambenek, president of Bambenek Consulting, explains: "Macros are still a dangerous part of malware propagation, as VBA provides features that many companies use in their daily applications. ”
The safest way to deal with this threat is to completely disable VBA in Office. However, if that doesn't work, organizations can at least use the Windows Defense Attack Surface Reduction feature to disable high-risk features in VBA, such as preventing office applications from creating sub-processes or creating executables.
From a technical point of view, the Faust Ransomware demonstrates a persistence mechanism that adds registry keys and copies itself to a specific startup folder.
It checks mutexes to ensure that only one process is running, and it contains an exclusion list to avoid double encryption of specific files or encrypting their ransom messages. The encrypted file comes with. Fust extension, victims are instructed to contact the attackers via email or TOX message in order to negotiate a ransom.
The study highlights the threat of fileless attacks and the need for users to be cautious when opening document files from untrusted**.
Sarah Jones, research analyst for cyber threat intelligence at Critical Start, warns: "While user awareness and caution are key aspects of cybersecurity, a multi-layered approach to defense is necessary. Individuals should be cautious when using attachments and links. Only open attachments or click on links from trusted **, and be wary of unexpected emails. ”
Additionally, it's critical to regularly update the operating system, applications, and firmware to patch vulnerabilities that attackers may exploit. Additionally, individuals need to ensure that their passwords are strong and unique, and enable two-factor authentication whenever possible to add an extra layer of security.