Faust

Malware Profile Updated 24 days ago
Faust is a recently identified variant of the Phobos ransomware family, itself descended from Dharma/Crysis. It shares Tactics, Techniques, and Procedures (TTPs) with other Phobos variants such as Elking, Eight, Devos, and Backmydata, which points to a common codebase and affiliate ecosystem rather than an unrelated operation. Researchers at Fortinet's FortiGuard Labs identified Faust in a campaign that began with an Office document carrying a Visual Basic for Applications (VBA) script. That script retrieved a Microsoft Excel document, itself embedded with a VBA script, which in turn downloaded the ransomware payload and established persistence in the compromised IT environment.

On February 29, 2024, the FBI, the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) published joint advisory AA24-060A (#StopRansomware: Phobos Ransomware), warning U.S. organizations in healthcare, education, government, and critical infrastructure of intrusions involving several Phobos variants, Faust among them. According to the advisory, Phobos affiliates gain initial access either through phishing campaigns that drop hidden payloads or by scanning for and brute-forcing exposed Remote Desktop Protocol (RDP) ports, after which they deploy remote access tools. The advisory also lists the email providers affiliates use for victim contact, which range from mainstream services such as Gmail and Protonmail to smaller privacy-focused services such as Tutanota and Mailfence. It further notes that Phobos operations lean on commodity and open-source tooling such as Smokeloader, Cobalt Strike, and BloodHound, which complicates mitigation because the same tools appear in many unrelated intrusions.
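The delivery chain above starts with macro-bearing Office documents, so a mail gateway or triage script should be able to tell whether an OOXML file carries VBA before anyone opens it. The following is an added example, not code from the page or from FortiGuard; it builds two constructed sample workbooks in memory (one macro-enabled, one clean) and checks an OOXML package for a vbaProject.bin part and a macro-enabled content type. Legacy binary formats (.doc/.xls OLE containers) are out of scope here and would need a library such as oletools; the sample builder and the `triage` helper are assumptions for illustration.

```python
import io
import zipfile
from pathlib import PurePath

# Extensions that legitimately advertise macros; VBA found in a file outside this
# set (e.g. renamed or mislabelled) deserves a closer look.
MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".xlam", ".pptm", ".potm", ".ppam"}


def build_ooxml(macro: bool) -> bytes:
    """Constructed sample OOXML workbook for offline testing (hypothetical helper).

    Real workbooks carry many more parts; only the parts that matter for macro
    detection are written here.
    """
    main_ct = (
        "application/vnd.ms-excel.sheet.macroEnabled.main+xml"
        if macro
        else "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml"
    )
    overrides = f'<Override PartName="/xl/workbook.xml" ContentType="{main_ct}"/>'
    if macro:
        overrides += (
            '<Override PartName="/xl/vbaProject.bin" '
            'ContentType="application/vnd.ms-office.vbaProject"/>'
        )
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        f"{overrides}</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", content_types)
        z.writestr("xl/workbook.xml", "<workbook/>")
        if macro:
            # vbaProject.bin is an OLE2 compound file; its magic bytes stand in for
            # the real project stream in this constructed sample.
            z.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 64)
    return buf.getvalue()


def ooxml_macro_indicators(data: bytes) -> dict:
    """Inspect an OOXML package (a zip) for embedded VBA.

    Two independent signals are checked: a part named vbaProject.bin anywhere in
    the package, and a macro-enabled or vbaProject content type declared in
    [Content_Types].xml. Either one is enough to flag the file.
    """
    if not data.startswith(b"PK\x03\x04"):
        return {"ooxml": False, "vba_parts": [], "macro_content_type": False, "has_vba": False}
    try:
        z = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return {"ooxml": False, "vba_parts": [], "macro_content_type": False, "has_vba": False}
    with z:
        vba_parts = [n for n in z.namelist() if n.lower().endswith("vbaproject.bin")]
        try:
            ct = z.read("[Content_Types].xml").decode("utf-8", "replace").lower()
        except KeyError:
            ct = ""  # malformed package: no content-types part
    macro_ct = "macroenabled" in ct or "vbaproject" in ct
    return {
        "ooxml": True,
        "vba_parts": vba_parts,
        "macro_content_type": macro_ct,
        "has_vba": bool(vba_parts) or macro_ct,
    }


def triage(filename: str, data: bytes) -> dict:
    """Combine the package indicators with a filename sanity check."""
    result = ooxml_macro_indicators(data)
    ext = PurePath(filename).suffix.lower()
    result["filename"] = filename
    # VBA inside a file whose extension does not advertise macros is suspicious.
    result["ext_mismatch"] = result["has_vba"] and ext not in MACRO_EXTENSIONS
    return result


if __name__ == "__main__":
    samples = {
        "invoice.xlsm": build_ooxml(True),
        "report.xlsx": build_ooxml(False),
        "notes.txt": b"plain text, not an Office package",
    }
    for name, blob in samples.items():
        print(triage(name, blob))
```

The content-type check matters because an attacker can rename a part, but Office will only load VBA that the package manifest declares; checking both the part list and the manifest catches either half being tampered with. Files that are not zips (legacy OLE documents, RTF, plain text) fall through with `ooxml: False` and need a separate path.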
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possibly overlapping names / profiles you may also want to look at (votes in parentheses).

Phobos (6): Phobos is a type of malware, specifically a ransomware that has been causing significant disruptions in the cyber world. The malicious software operates by infiltrating systems through suspicious downloads, emails, or websites without user awareness. Once inside, it can steal personal information, d

Devos (4): Devos is a variant of Phobos ransomware, a type of malware that infects systems and holds data hostage for ransom. It is closely linked to other variants such as Elking, Eight, Backmydata, and Faust ransomware due to similar Tactics, Techniques, and Procedures (TTPs) observed in their intrusions. Op

Elking (3): Elking is a type of malware, specifically a variant of the Phobos ransomware. Malware is a harmful program designed to exploit and damage computer systems, often infiltrating them via suspicious downloads, emails, or websites. Once inside a system, it can steal personal information, disrupt operatio

Eking (2): Eking is a malware, specifically a variant of the Phobos ransomware family. Malware, or malicious software, is designed to infiltrate and damage computers without the users' consent. Eking can infect systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once insid
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance: Ransomware, Payload, Fortiguard
Associated Malware
No associations to display
Associated Threat Actors
No associations to display
Associated Vulnerabilities
No associations to display
Source Document References
Information about the Faust malware was read from the documents below (source, age of entry, title).

Fortinet, 4 months ago: Another Phobos Ransomware Variant Launches Attack – FAUST | FortiGuard Labs
CISA, 3 months ago: #StopRansomware: Phobos Ransomware | CISA
InfoSecurity-magazine, 4 months ago: Phobos Ransomware Family Expands With New FAUST Variant
CERT-EU, 3 months ago: CISA Warns Phobos Ransomware Groups Attacking Critical Infrastructure | National Cyber Security Consulting
CERT-EU, 6 months ago: Understanding the Phobos affiliate structure and activity
BankInfoSecurity, 3 months ago: Breach Roundup: White House Calls for Memory-Safe Languages
CERT-EU, 3 months ago: Response to CISA Advisory (AA24-060A): #StopRansomware: Phobos Ransomware
CERT-EU, 3 months ago: CISA & FBI Releases TTPs & IOCs Used by Phobos Ransomware Group | National Cyber Security Consulting
CERT-EU, 3 months ago: Response to CISA Advisory (AA24-060A): #StopRansomware: Phobos Ransomware | National Cyber Security Consulting
CERT-EU, 3 months ago: Ongoing Phobos ransomware threat prompts federal warning
CERT-EU, 3 months ago: SafeBreach Coverage for AA24-060A (Phobos Ransomware) and AA24-060B (Ivanti Connect Secure)
Securityaffairs, 3 months ago: US cyber and law enforcement agencies warn of Phobos ransomware attacks