Faust

Malware Profile Updated 3 months ago

Download STIX

Preview STIX

Faust is a newly discovered variant of the Phobos ransomware, an evolution of the Dharma/Crysis ransomware. It shares similar Tactics, Techniques, and Procedures (TTPs) with other variants such as Elking, Eight, Devos, and Backmydata, indicating a likely connection between them. Researchers from Fortinet’s FortiGuard Labs identified Faust through an Office document containing a Visual Basic for Applications (VBA) script designed to propagate the ransomware. The malware's activities include downloading its payload from a Microsoft Excel document embedded with a VBA script and establishing persistence in compromised IT environments. In early March 2024, organizations across the U.S., including those in healthcare, education, government, and critical infrastructure, were alerted to intrusions involving various Phobos ransomware variants, including Faust. This warning came from the FBI, Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC). Vulnerable remote desktop protocol ports targeted via phishing campaigns have been leveraged by threat actors to gain initial network access and deploy remote access tools. The list of email providers used by Phobos affiliates, including Faust, has also been compiled. These providers include mainstream services like Gmail and Protonmail, as well as more niche or secure services like Tutanota and Mailfence. Additionally, the FBI and CISA noted that the Phobos ransomware operates in conjunction with various open-source tools such as Smokeloader, Cobalt Strike, and Bloodhound, further complicating mitigation efforts.

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.

ID	Votes	Profile Description
Phobos	6	Phobos is a type of malware, specifically a ransomware, that has been a significant cause for concern in the cyber security world. This malicious software infiltrates systems through dubious downloads, emails, or websites and can cause severe damage by stealing personal information, disrupting opera
Devos	4	Devos is a variant of Phobos ransomware, a type of malware that infects systems and holds data hostage for ransom. It is closely linked to other variants such as Elking, Eight, Backmydata, and Faust ransomware due to similar Tactics, Techniques, and Procedures (TTPs) observed in their intrusions. Op
Elking	3	Elking is a type of malware, specifically a variant of the Phobos ransomware. Malware is a harmful program designed to exploit and damage computer systems, often infiltrating them via suspicious downloads, emails, or websites. Once inside a system, it can steal personal information, disrupt operatio
Eking	2	Eking is a malware, specifically a variant of the Phobos ransomware family. Malware, or malicious software, is designed to infiltrate and damage computers without the users' consent. Eking can infect systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once insid
Backmydata	1	Backmydata is a variant of the Phobos ransomware family, a malicious software (malware) designed to exploit and damage computer systems. It has been used in sophisticated cyber-attacks on healthcare entities, notably hospitals. The landscape of such attacks is evolving, with groups like RansomHouse,
Elbie	1	Elbie is a variant of the Phobos malware, a malicious software designed to infiltrate and damage computer systems. It typically infects systems through suspicious downloads, emails, or websites and can steal personal information, disrupt operations, or hold data hostage for ransom. Based on our anal

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Ransomware

Fortiguard

Payload

Ddos

CISA

Malware

Ransom

Phishing

Locker

Associated Malware

To see the evidence that has resulted in this association, create a free account

ID	Type	Votes	Profile Description
Smokeloader	Unspecified	1	SmokeLoader is a malicious software (malware) that has been extensively used by threat actors, particularly those associated with the Phobos ransomware. It functions as a backdoor trojan, often arriving on victims' systems via spoofed email attachments embedded with hidden payloads. Once downloaded,
Ghost	Unspecified	1	Ghost is a type of malware, or malicious software, that infiltrates systems to exploit and cause damage. It is often disseminated through suspicious downloads, emails, or websites, and can steal personal information, disrupt operations, or hold data hostage for ransom. In 2020, there were plans for

Associated Threat Actors

To see the evidence that has resulted in this association, create a free account

ID	Type	Votes	Profile Description
No associations to display

Associated Vulnerabilities

To see the evidence that has resulted in this association, create a free account

ID	Type	Votes	Profile Description
Elbie Eking Faust	Unspecified	1	None

Source Document References

Information about the Faust Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source	CreatedAt	Title
CERT-EU	8 months ago	Understanding the Phobos affiliate structure and activity
CERT-EU	5 months ago	CISA & FBI Releases TTPs & IOCs Used by Phobos Ransomware Group \| #ransomware \| #cybercrime \| National Cyber Security Consulting
CERT-EU	5 months ago	CISA Warns Phobos Ransomware Groups Attacking Critical Infrastructure \| #hacking \| #cybersecurity \| #infosec \| #comptia \| #pentest \| #ransomware \| National Cyber Security Consulting
CERT-EU	5 months ago	Ongoing Phobos ransomware threat prompts federal warning
Securityaffairs	5 months ago	US cyber and law enforcement agencies warn of Phobos ransomware attacks
CERT-EU	5 months ago	Response to CISA Advisory (AA24-060A): #StopRansomware: Phobos Ransomware \| #hacking \| #cybersecurity \| #infosec \| #comptia \| #pentest \| #ransomware \| National Cyber Security Consulting
CERT-EU	5 months ago	Response to CISA Advisory (AA24-060A): #StopRansomware: Phobos Ransomware
CERT-EU	5 months ago	SafeBreach Coverage for AA24-060A (Phobos Ransomware) and AA24-060B (Ivanti Connect Secure)
BankInfoSecurity	5 months ago	Breach Roundup: White House Calls for Memory-Safe Languages
CISA	5 months ago	#StopRansomware: Phobos Ransomware \| CISA
InfoSecurity-magazine	6 months ago	Phobos Ransomware Family Expands With New FAUST Variant
Fortinet	6 months ago	Another Phobos Ransomware Variant Launches Attack – FAUST \| FortiGuard Labs