Faust

Malware updated 5 days ago (2024-11-29T14:48:04.156Z)
Faust is a variant of the Phobos ransomware family, which has been linked to several other variants such as Elking, Eight, Devos, and Backmydata because of similarities in their tactics, techniques, and procedures (TTPs). Faust is malicious software designed to exploit and damage computer systems. It can infiltrate systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt operations, or hold data hostage for ransom. Researchers from Fortinet's FortiGuard Labs have noted that Faust can establish persistence in a compromised IT environment and creates multiple threads to run more efficiently.

In March 2024, US CISA, the FBI, and MS-ISAC issued a joint cybersecurity advisory warning of attacks involving Phobos ransomware variants, including Faust. These agencies highlighted the threat to healthcare, education, government, and critical infrastructure entities. The advisory noted that vulnerable remote desktop protocol (RDP) ports, targeted via phishing campaigns, have been leveraged by threat actors to gain initial network access and deploy remote access tools.

The emergence of Faust was discovered when researchers found an Office document containing a VBA script aimed at propagating the FAUST ransomware; the variant's activity includes downloading the payload file from a Microsoft Excel document embedded with VBA script. In addition, the FBI and CISA have stated that "Phobos ransomware operates in conjunction with various open source tools such as Smokeloader, Cobalt Strike, and Bloodhound."
Description last updated: 2024-11-21T10:25:46.404Z
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names and profiles you may also want to look at.

Phobos (votes: 6). Phobos is a possible alias for Faust. Phobos is a form of malware, specifically ransomware, that has been active since May 2019. The operation utilizes a ransomware-as-a-service (RaaS) model and is responsible for numerous cyber attacks worldwide. Threat actors behind Phobos gained initial access to vulnerable networks through phishing

Devos (votes: 4). Devos is a possible alias for Faust. Devos is a variant of the Phobos ransomware, a type of malicious software designed to exploit and damage computer systems. According to open-source reports, Devos is likely connected to numerous other variants such as Elking, Eight, Backmydata, and Faust due to similar Tactics, Techniques, and Proce

Elking (votes: 3). Elking is a possible alias for Faust. Elking is a type of malware, specifically a variant of the Phobos ransomware. Phobos itself is an evolution of the Dharma/Crysis ransomware and is connected to several other variants, including Elking, Eight, Devos, Backmydata, and Faust ransomware. This connection is established based on the simila

Eking (votes: 2). Eking is a possible alias for Faust. Eking is a malware, specifically a variant of the Phobos ransomware family. Malware, or malicious software, is designed to infiltrate and damage computers without the users' consent. Eking can infect systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once insid
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Payload
Fortiguard
Source Document References
Information about the Faust malware was read from the document corpus below. This display is limited to 20 results.
Source (created):
Securityaffairs (13 days ago)
CERT-EU (9 months ago)
CERT-EU (a year ago)
CERT-EU (9 months ago)
CERT-EU (9 months ago)
CERT-EU (9 months ago)
Securityaffairs (9 months ago)
CERT-EU (9 months ago)
CERT-EU (9 months ago)
CERT-EU (9 months ago)
BankInfoSecurity (9 months ago)
CISA (9 months ago)
InfoSecurity-magazine (10 months ago)
Fortinet (10 months ago)