Hidden in the Code: VBA Script Triggers FAUST Ransomware Attack

Cybersecurity researchers have identified a new variant of the Phobos ransomware family named Faust, as reported by FortiGuard Labs of Fortinet. Faust belongs to the Phobos lineage that also includes Eking, Eight, Elbie, Devos, and 8Base, which Cisco Talos first documented in November 2023. The malware has been active since 2022 and does not target specific industries or regions.

The attack begins with a malicious Microsoft Excel add-in document (“.XLAM”) containing a VBA script. The attackers host Base64-encoded files on the Gitea service, each of which decodes to a malicious binary. A disguised executable posing as an AVG AntiVirus update (“AVG updater.exe”) is then covertly extracted. This file downloads and executes a second executable, “SmartScreen Defender Windows.exe,” which initiates the encryption process.
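The process chain above (Excel, then a look-alike “AVG updater.exe”, then “SmartScreen Defender Windows.exe”) is what a defender would hunt for in endpoint telemetry. The following is an added example, not code from the article or from FortiGuard Labs: a small Python detector run over constructed process-creation events. Only the two file names come from the article; the event format, the Office parent names, the drop directory and the “trusted directory” list are assumptions.

```python
import ntpath

# File names reported in the article; everything else below is assumed.
LOOKALIKE_NAMES = {"avg updater.exe", "smartscreen defender windows.exe"}
OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
TRUSTED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")

def is_untrusted_exe(image):
    """True for an .exe living outside the assumed trusted install directories."""
    image = image.lower()
    return image.endswith(".exe") and not image.startswith(TRUSTED_DIRS)

def lineage(event, by_pid):
    """Walk parent links and return the chain of image paths, oldest first."""
    chain, seen = [], set()
    while event and event["pid"] not in seen:
        seen.add(event["pid"])
        chain.append(event["image"])
        event = by_pid.get(event["ppid"])
    return list(reversed(chain))

def find_suspicious_chains(events):
    """Return one alert per process that impersonates a security product or
    is an untrusted executable descended from an Office application."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        name = ntpath.basename(e["image"]).lower()
        chain = lineage(e, by_pid)
        ancestors = [ntpath.basename(p).lower() for p in chain[:-1]]
        reasons = []
        if name in LOOKALIKE_NAMES:
            reasons.append("security-product look-alike name")
        if any(a in OFFICE_APPS for a in ancestors) and is_untrusted_exe(e["image"]):
            reasons.append("untrusted executable descended from an Office process")
        if reasons:
            alerts.append({"pid": e["pid"], "chain": chain, "reasons": reasons})
    return alerts

# Constructed sample telemetry (pid/ppid/image), modelled on the described chain.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Windows\explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"},
    {"pid": 300, "ppid": 200, "image": r"C:\Users\user\AppData\Local\Temp\AVG updater.exe"},
    {"pid": 400, "ppid": 300, "image": r"C:\Users\user\AppData\Local\Temp\SmartScreen Defender Windows.exe"},
    {"pid": 500, "ppid": 100, "image": r"C:\Program Files\AVG\Antivirus\AVGUI.exe"},  # benign, real install path
]

if __name__ == "__main__":
    for a in find_suspicious_chains(SAMPLE_EVENTS):
        print(a["pid"], a["reasons"], " -> ".join(ntpath.basename(p) for p in a["chain"]))
```

The genuine AVG binary under Program Files produces no alert, while both dropped stages are flagged on two independent grounds, so either check alone would still catch them.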

Faust maintains a persistent presence and creates multiple threads for efficient data encryption. Other new ransomware families identified include Albabat (or White Bat), Kasseika, Kuiper, Mimus, and NONAME. Kuiper, studied in detail by Trellix, is attributed to a threat actor known as “RobinHood,” who began promoting the malware on underground forums in September 2023.

The NONAME ransomware’s data leak site mimics LockBit’s site, suggesting a connection to LockBit or the use of their leaked databases.

Researchers also observed a resurgence in attackers’ use of TeamViewer for initial access. Despite the ever-changing ransomware ecosystem, there is a growing trend of victims refusing to pay. The share of victims agreeing to pay dropped to 29% in Q4 of 2023, compared to 41% and 34% in the two previous quarters, and the average ransom payment fell by 33% from $850,700 to $568,705.