CyberSecurity SEE

Caution: Phobos Ransomware Delivered via Office Document


A recent discovery by researchers has revealed that a VBA script hidden in an Office document is being used to spread the dreaded Phobos ransomware variant known as FAUST. This version of FAUST is notorious for being able to sustain persistence within a given environment and can generate multiple threads to ensure efficient execution of the ransomware.

Phobos ransomware, a well-known malware family, has been wreaking havoc since its introduction in 2019, featuring in multiple cyberattacks. The ransomware is designed to encrypt files on a victim’s PC and then demand a cryptocurrency ransom for decryption.

In this particular case, the attackers used the Gitea service to host multiple Base64-encoded files, each containing a malicious binary. Once decoded and injected into the memory of a process on the system, these binaries initiate the file-encryption attack.

Fortinet analysis revealed that the XLAM document containing the VBA script launches PowerShell when opened. The script then downloads Base64-encoded data from Gitea, which is decoded into a clean XLSX file. This decoy file is saved in the TEMP folder and opened automatically, tricking users into believing that the document is benign.

The attacker then creates a region of memory in the target process, adds malicious code, and makes a call to the entry point of the payload. The FAUST ransomware variant, a member of the Phobos family, appends the “.faust” extension to every encrypted file. Info.txt and info.hta files are also created within the directories containing the encrypted files, and these files are used as a means to negotiate the ransom with the attackers.

According to Fortinet, the FAUST ransomware initiates multiple threads to perform various tasks, including deploying encryption, scanning logical drives, searching for network/sharing resources, scanning files individually, and explicitly seeking database-related files, in line with typical Phobos behavior.

The threat actor also employed a fileless attack to deploy shellcode onto the victim’s machine, allowing the final FAUST payload to be delivered. FortiGuard Labs has discovered and documented other ransomware variants from the Phobos family, including EKING and 8Base.
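As an added example (not part of the original report or of Fortinet's analysis), the two detection checks below encode the chain described above: an Office host spawning PowerShell with Base64-decoding or hidden-window markers, and directories filling with ".faust" files alongside an info.txt/info.hta note. The process and file events are constructed sample telemetry, and the field names are assumptions about the log format.

```python
import ntpath
import re
from collections import defaultdict

# Office hosts for which a child PowerShell is unusual on most workstations.
OFFICE_HOSTS = {"excel.exe", "winword.exe", "powerpnt.exe"}
# Hallmarks of the loader described above: hidden window, Base64 decode, web download.
LOADER_MARKERS = re.compile(
    r"FromBase64String|-enc\b|-w(indowstyle)?\s+hidden|DownloadString|Invoke-WebRequest",
    re.IGNORECASE,
)
# Ransom-note filenames dropped next to encrypted files.
NOTE_NAMES = {"info.txt", "info.hta"}

# Constructed sample process-creation events (hypothetical field names).
SAMPLE_PROCESS_EVENTS = [
    {"parent": "explorer.exe", "image": "excel.exe",
     "cmdline": 'excel.exe "C:\\Users\\u\\Downloads\\quote.xlam"'},
    {"parent": "excel.exe", "image": "powershell.exe",
     "cmdline": 'powershell.exe -w hidden -c "[Convert]::FromBase64String($d)"'},
    {"parent": "cmd.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe Get-Process"},
]
# Constructed sample file-creation paths.
SAMPLE_FILE_EVENTS = [
    r"C:\Users\u\Documents\report.docx.faust",
    r"C:\Users\u\Documents\budget.xlsx.faust",
    r"C:\Users\u\Documents\notes.txt.faust",
    r"C:\Users\u\Documents\info.hta",
    r"C:\Users\u\Pictures\holiday.jpg.faust",
]

def flag_office_spawned_powershell(events):
    """Return cmdlines of PowerShell launched by an Office host that carry loader markers."""
    return [
        e["cmdline"] for e in events
        if e["parent"].lower() in OFFICE_HOSTS
        and e["image"].lower() == "powershell.exe"
        and LOADER_MARKERS.search(e["cmdline"])
    ]

def flag_faust_directories(file_paths, min_encrypted=3):
    """Return directories holding >= min_encrypted '.faust' files plus a ransom note."""
    encrypted, noted = defaultdict(int), set()
    for path in file_paths:
        directory, name = ntpath.split(path)  # handles Windows paths on any OS
        if name.lower().endswith(".faust"):
            encrypted[directory] += 1
        elif name.lower() in NOTE_NAMES:
            noted.add(directory)
    return sorted(d for d, n in encrypted.items() if n >= min_encrypted and d in noted)
```

The threshold keeps a single renamed file from triggering the second check; the Pictures folder in the sample has one ".faust" file and no note, so only Documents is reported.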

In light of these developments, users are being urged to exercise caution and avoid opening document files from unknown sources to protect their devices from potential malware threats. This incident underscores the importance of cybersecurity measures and the need for heightened vigilance in the face of evolving cyber threats.
