Ransomware, Threat Intelligence

New strain of the Phobos ransomware discovered in VBA script

Digital global world map and technology research develpoment analysis to ransomware attack

A new variant of the Phobos ransomware called "FAUST" was discovered, one that’s a concern because it can maintain persistence in a network environment and creates multiple threads for efficient execution.

In a Jan. 25 blog post, FortiGuard Labs researchers said they found this by uncovering an Office document that contained a Visual Basic (VBA) script aimed at propagating the FAUST ransomware.

The researchers said the attackers used the Gitea service to store several files encoded in Base64, each carrying a malicious binary. FortiGuard Labs said when these files are injected into a system’s memory, they initiate a file encryption attack.

FortiGuard Labs researchers said the Phobos ransomware family emerged in 2019 and has since been involved in numerous cyberattacks. Phobos ransomware typically appends encrypted files with a unique extension and demands a ransom payment in cryptocurrency for the decryption key. The researchers said they have captured and reported on several ransomware variants from the Phobos family, including EKING and 8Base.

The Fortinet research on the FAUST variant of Phobos ransomware reveals it as a sophisticated threat, particularly because of its fileless attack method and ability to persistently embed itself within a network, said Anurga Gurtu, chief product officer at StrikeReady.

“While advising users not to click on suspicious links is a basic defense, it’s clear that more robust measures are needed,” said Gurtu. “Businesses should consider advanced cybersecurity strategies, including regular software updates, employee cybersecurity training, and employing comprehensive security systems to detect and mitigate such threats.”

John Bambenek, president at Bambenek Consulting, added that macros remain a dangerous part of malware delivery because VBAs offer functionality that many companies use for day-to-day applications.

“The safest way to deal with this threat is to disable VBA in Office entirely,” explained Bambenek. “However, if that’s not an option, organizations can at least disable ‘high-risk’ functionality in VBAs using Windows Defense Attack Surface Reduction, such as, preventing Office applications from creating child processes or from creating executable content.”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.