Faust

Malware updated 5 months ago (2024-05-04T20:47:24.576Z)

Download STIX

Preview STIX

Faust is a newly discovered variant of the Phobos ransomware, an evolution of the Dharma/Crysis ransomware. It shares similar Tactics, Techniques, and Procedures (TTPs) with other variants such as Elking, Eight, Devos, and Backmydata, indicating a likely connection between them. Researchers from Fortinet’s FortiGuard Labs identified Faust through an Office document containing a Visual Basic for Applications (VBA) script designed to propagate the ransomware. The malware's activities include downloading its payload from a Microsoft Excel document embedded with a VBA script and establishing persistence in compromised IT environments. In early March 2024, organizations across the U.S., including those in healthcare, education, government, and critical infrastructure, were alerted to intrusions involving various Phobos ransomware variants, including Faust. This warning came from the FBI, Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC). Vulnerable remote desktop protocol ports targeted via phishing campaigns have been leveraged by threat actors to gain initial network access and deploy remote access tools. The list of email providers used by Phobos affiliates, including Faust, has also been compiled. These providers include mainstream services like Gmail and Protonmail, as well as more niche or secure services like Tutanota and Mailfence. Additionally, the FBI and CISA noted that the Phobos ransomware operates in conjunction with various open-source tools such as Smokeloader, Cobalt Strike, and Bloodhound, further complicating mitigation efforts.

Description last updated: 2024-05-04T18:02:47.473Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
Phobos is a possible alias for Faust. Phobos is a type of malware, specifically ransomware, that has been causing significant cybersecurity concerns. Ransomware is a malicious software that infects systems, often without the user's knowledge, via suspicious downloads, emails, or websites. Once inside, it can disrupt operations and hold	6
Devos is a possible alias for Faust. Devos is a variant of Phobos ransomware, a type of malware that infects systems and holds data hostage for ransom. It is closely linked to other variants such as Elking, Eight, Backmydata, and Faust ransomware due to similar Tactics, Techniques, and Procedures (TTPs) observed in their intrusions. Op	4
Elking is a possible alias for Faust. Elking is a type of malware, specifically a variant of the Phobos ransomware. Malware is a harmful program designed to exploit and damage computer systems, often infiltrating them via suspicious downloads, emails, or websites. Once inside a system, it can steal personal information, disrupt operatio	3
Eking is a possible alias for Faust. Eking is a malware, specifically a variant of the Phobos ransomware family. Malware, or malicious software, is designed to infiltrate and damage computers without the users' consent. Eking can infect systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once insid	2

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Ransomware

Payload

Fortiguard

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Source Document References

Information about the Faust Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
CERT-EU	8 months ago	Critical Infrastructure Organizations Warned of Phobos Ransomware Attacks
CERT-EU	a year ago	Understanding the Phobos affiliate structure and activity
CERT-EU	7 months ago	CISA & FBI Releases TTPs & IOCs Used by Phobos Ransomware Group \| #ransomware \| #cybercrime \| National Cyber Security Consulting
CERT-EU	7 months ago	CISA Warns Phobos Ransomware Groups Attacking Critical Infrastructure \| #hacking \| #cybersecurity \| #infosec \| #comptia \| #pentest \| #ransomware \| National Cyber Security Consulting
CERT-EU	7 months ago	Ongoing Phobos ransomware threat prompts federal warning
Securityaffairs	8 months ago	US cyber and law enforcement agencies warn of Phobos ransomware attacks
CERT-EU	8 months ago	Response to CISA Advisory (AA24-060A): #StopRansomware: Phobos Ransomware \| #hacking \| #cybersecurity \| #infosec \| #comptia \| #pentest \| #ransomware \| National Cyber Security Consulting
CERT-EU	8 months ago	Response to CISA Advisory (AA24-060A): #StopRansomware: Phobos Ransomware
CERT-EU	8 months ago	SafeBreach Coverage for AA24-060A (Phobos Ransomware) and AA24-060B (Ivanti Connect Secure)
BankInfoSecurity	8 months ago	Breach Roundup: White House Calls for Memory-Safe Languages
CISA	8 months ago	#StopRansomware: Phobos Ransomware \| CISA
InfoSecurity-magazine	9 months ago	Phobos Ransomware Family Expands With New FAUST Variant
Fortinet	9 months ago	Another Phobos Ransomware Variant Launches Attack – FAUST \| FortiGuard Labs