Another Phobos Ransomware Variant Launches Attack – FAUST
2024-1-26 00:0:0 Author: feeds.fortinet.com

The Phobos ransomware family is a notorious family of malicious software designed to encrypt files on a victim's computer. It emerged in 2019 and has since been involved in numerous cyberattacks. This ransomware typically appends a unique extension to encrypted files and demands a ransom payment in cryptocurrency for the decryption key. FortiGuard Labs has captured and reported on several ransomware variants from the Phobos family, including EKING and 8Base.

Recently, FortiGuard Labs uncovered an Office document containing a VBA script aimed at propagating the FAUST ransomware, another variant of Phobos. The attackers utilized the Gitea service to store several files encoded in Base64, each carrying a malicious binary. When these files are injected into a system's memory, they initiate a file encryption attack. Figure 1 shows the attack chain.

In this blog, we explore the different phases of file deployment and delve into the details of the delivered malware.

Document Analysis

The XLAM document we discovered contains an embedded VBA script, as illustrated in Figure 2. Upon opening the document, the script launches PowerShell for the next stage from the “Workbook_Open()” function. The PowerShell stage then downloads Base64-encoded data from Gitea, which decodes into a clean XLSX file. This file is saved in the TEMP folder and automatically opened, misleading users into thinking the process has completed harmlessly.

Figure 3 displays the decoded code retrieved from the variable “SkSLjvNc.” The PowerShell script downloads data from hxxps://gitea[.]com/JoinPokingo/JingaPol/raw/branch/main/cfmifs_CRPT[.]txt, extracts the targeted malicious section in “cfmifs_CRPT[.]txt” using the pattern “DICK{(.*)}DICK” and decodes the result from Base64, which is shown in Figure 4. Lastly, a random folder is selected within “$env:APPDATA..\Local,” and two randomly generated characters are appended to the folder name, giving it a new name. The executable, “AVG update.exe,” is saved in this new folder, as shown in Figure 5.

Figure 3: The PowerShell script

Figure 4: The decoded file and the targeted data section

Figure 5: A new folder and the saved execution file

EXE File Downloader

The executable file “AVG update.exe” functions as a downloader. It incorporates an abundance of extraneous code to evade detection and complicate analysis. Employing a process injection technique, it allocates Read-Write-Execute (RWE) memory to inject the malicious code into a newly generated process. Additionally, the file encodes all its strings and XORs them with specific hexadecimal keys before utilization. Figure 6 shows the assembly code for obtaining a DLL name from the encoded string “blogaudit” utilizing XOR hex keys.

“blogauditblo” ^ 0x29293d292439575B5A262023 = “KERNEL32.DLL”

Figure 6: Decoding the DLL name
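The decoding shown in Figure 6 can be reproduced in a few lines, which is handy when recovering the downloader's other strings during analysis. The following is an added example, not code from the blog or from FortiGuard Labs; the one assumption it makes is that the 9-character encoded string “blogaudit” is cycled to the 12-byte key length (“blogauditblo”), which is what the worked line above shows.

```python
# Added example (not code from the blog or from FortiGuard Labs): reproduce the
# XOR string decoding illustrated in Figure 6 so the same strings can be
# recovered from a sample during analysis.
# Assumption: the 9-character encoded string "blogaudit" is cycled to the
# 12-byte key length ("blogauditblo"), as the blog's worked line shows.

def xor_decode(encoded: str, key_hex: str) -> str:
    """Byte i of the result is encoded[i % len(encoded)] XOR key[i], for
    every byte of the key (the key, not the encoded text, sets the length)."""
    key = bytes.fromhex(key_hex)
    enc = encoded.encode("ascii")
    if not enc:
        raise ValueError("empty encoded string")
    out = bytes(enc[i % len(enc)] ^ key[i] for i in range(len(key)))
    return out.decode("ascii", errors="replace")


def xor_encode(plain: str, key_hex: str) -> str:
    """Inverse direction, useful for checking a recovered key: returns the
    key-length encoded form (not collapsed back to the shorter cycle)."""
    key = bytes.fromhex(key_hex)
    data = plain.encode("ascii")
    if len(data) != len(key):
        raise ValueError("plaintext and key lengths must match")
    return bytes(d ^ k for d, k in zip(data, key)).decode("ascii", errors="replace")


# Values taken from the blog's worked example (Figure 6).
ENCODED_DLL_NAME = "blogaudit"
DLL_NAME_KEY = "29293d292439575B5A262023"


def decode_dll_name() -> str:
    return xor_decode(ENCODED_DLL_NAME, DLL_NAME_KEY)


if __name__ == "__main__":
    print(decode_dll_name())                         # KERNEL32.DLL
    print(xor_encode("KERNEL32.DLL", DLL_NAME_KEY))  # blogauditblo
```

Because each string carries its own key, `xor_decode` is called once per (string, key) pair pulled from the disassembly; `xor_encode` lets you confirm a key you have extracted by hand round-trips to the bytes in the binary.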

It encompasses the following functions:

  • Decodes its “.rdata” section to obtain an MSIL execution file and a randomly generated string as the class name, saving it as “SmartScreen Defender Windows.exe” in the TEMP folder.

Figure 7: MSIL execution file

  • Retrieves a file from the URL “hxxps://gitea[.]com/JoinPokingo/JingaPol/raw/branch/main/AppVStreamingUX_FST[.]txt” using the command “cmd /C curl -s.”

Figure 8: Curl command to download data from Gitea

  • Searches “AppVStreamingUX_FST.txt” for the pattern “DICK{(.*)}DICK,” extracts the matched data, and Base64-decodes it to obtain the shellcode.
  • Leverages essential APIs such as ZwAllocateVirtualMemory, NtWriteVirtualMemory, NtProtectVirtualMemory, and RtlCreateUserThread to inject the shellcode into “SmartScreen Defender Windows.exe.”
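Both the PowerShell stage (Figure 3) and the downloader locate their payload the same way: search the staging text for the “DICK{(.*)}DICK” marker pair and Base64-decode the capture. The following added example, not code from the blog or from Fortinet, applies that logic to a captured copy of a staging file so an analyst can recover and hash the wrapped blob offline. The staging text is constructed; the non-greedy match and whitespace stripping are my choices rather than something the blog states.

```python
import base64
import hashlib
import re

# Added example, not from the blog: given a captured copy of one of the Gitea
# staging files (cfmifs_CRPT.txt / AppVStreamingUX_FST.txt), locate the
# "DICK{...}DICK" marker pair the scripts search for, Base64-decode the
# wrapped section and hash it so the result can be matched against IOCs.

# Non-greedy so that a file holding several marker pairs yields the first one
# cleanly; the blog quotes the greedy form "DICK{(.*)}DICK".
MARKER_RE = re.compile(r"DICK\{(.*?)\}DICK", re.DOTALL)


def extract_wrapped_payload(staging_text: str) -> bytes:
    """Return the decoded bytes inside the first DICK{...}DICK pair."""
    m = MARKER_RE.search(staging_text)
    if not m:
        raise ValueError("marker pair not found")
    b64 = re.sub(r"\s+", "", m.group(1))  # tolerate line-wrapped Base64
    return base64.b64decode(b64, validate=True)


def describe_payload(blob: bytes) -> dict:
    """Minimal triage record: size, SHA-256 and whether it starts like a PE."""
    return {
        "size": len(blob),
        "sha256": hashlib.sha256(blob).hexdigest(),
        "looks_like_pe": blob[:2] == b"MZ",
    }


# Constructed sample: filler text around a Base64-encoded stand-in payload.
# A real staging file wraps a much larger blob (the full executable).
SAMPLE_PAYLOAD = b"MZ" + b"\x90" * 14 + b"stand-in payload, constructed"
SAMPLE_STAGING_TEXT = (
    "lorem ipsum filler\n"
    "DICK{" + base64.b64encode(SAMPLE_PAYLOAD).decode() + "}DICK\n"
    "more filler\n"
)


def triage_sample() -> dict:
    return describe_payload(extract_wrapped_payload(SAMPLE_STAGING_TEXT))


if __name__ == "__main__":
    print(triage_sample())
```

Run it against the real text file by reading it with `open(path, encoding="utf-8", errors="ignore").read()` in place of `SAMPLE_STAGING_TEXT`; the SHA-256 it prints can be compared directly with the hashes in the IOC section.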

Figure 9: Decoding and injecting the shellcode

The attacker allocates a section within the target process's memory, writes the malicious code into it, and calls the payload's entry point.

Figure 10: Payload injection

Figure 11: Call injected FAUST payload

FAUST Ransomware

FAUST Ransomware is a variant of the Phobos family, a type of malware that encrypts the files on the victim's computer. It demands a ransom in exchange for providing a decryption key. This ransomware appends the ".faust" extension to each encrypted file and generates info.txt and info.hta within the directories housing the encrypted files. These files serve as a means to establish contact with the attackers for ransom negotiations.

It checks a mutex object to ensure only one instance is running, and it establishes persistence by adding a registry entry under “HKCU\Software\Microsoft\Windows\CurrentVersion\Run” and copying itself to two folders: “%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup” and “C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup.”

These folders are associated with the Windows startup configuration. The former is user-specific, launching programs at user login, while the latter is system-wide, affecting all users during system startup. They are crucial for automatically running the FAUST Ransomware.
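The two persistence mechanisms just described are easy to audit. The example below is added here and is not code from the blog or from Fortinet: it applies two triage heuristics of my own (a raw executable rather than a shortcut sitting in a Startup folder, and a Run-key entry whose target file name also appears in a Startup folder) to plain data, so it can be exercised offline. On Windows, `collect_live()` gathers that data from the real Run key and Startup folders using the standard-library `winreg` module. The blog does not name the Run value or the copied file, so the sample value names and file names are constructed.

```python
import os
import sys
from typing import Dict, List

# Added example, not from the blog: triage logic for the two persistence
# mechanisms described above. It works on plain data (Run-key values and
# Startup-folder listings) so it can be exercised offline; on Windows,
# collect_live() fills that data in from the running system.

HKCU_RUN = r"Software\Microsoft\Windows\CurrentVersion\Run"
STARTUP_DIRS = [
    r"%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup",
    r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup",
]
EXECUTABLE_EXTS = (".exe", ".scr", ".com", ".bat", ".cmd", ".vbs", ".ps1")


def target_exe(command: str) -> str:
    """File name of the program a Run-key command line launches.
    Handles quoted paths; an unquoted path containing spaces is not
    supported and yields only its first token."""
    cmd = command.strip()
    path = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(" ", 1)[0]
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage_autoruns(run_values: Dict[str, str],
                    startup_files: Dict[str, List[str]]) -> List[dict]:
    """Two heuristics (mine, not the blog's) tied to the behaviour above:
    1. A raw executable (not a .lnk shortcut) dropped in a Startup folder.
    2. A Run-key entry whose target file name is also present in a
       Startup folder, i.e. the same program registered twice."""
    findings = []
    present = {}  # lower-case file name -> startup folder it was seen in
    for folder, names in startup_files.items():
        for name in names:
            present[name.lower()] = folder
            if name.lower().endswith(EXECUTABLE_EXTS):
                findings.append({"reason": "executable_in_startup",
                                 "file": name.lower(), "where": folder})
    for value_name, command in run_values.items():
        exe = target_exe(command)
        if exe in present:
            findings.append({"reason": "run_key_duplicated_in_startup",
                             "file": exe, "run_value": value_name,
                             "where": present[exe]})
    return findings


def collect_live():
    """Windows-only collector for the two inputs above."""
    import winreg  # standard library, available only on Windows
    run_values = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, HKCU_RUN) as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:  # raised once the values are exhausted
                break
            run_values[name] = str(data)
            index += 1
    startup_files = {}
    for folder in STARTUP_DIRS:
        path = os.path.expandvars(folder)
        startup_files[folder] = os.listdir(path) if os.path.isdir(path) else []
    return run_values, startup_files


# Constructed sample data standing in for a live collection.
SAMPLE_RUN_VALUES = {
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "Updater": r"C:\Users\alice\AppData\Local\Temp2x\svc.exe",
}
SAMPLE_STARTUP_FILES = {
    STARTUP_DIRS[0]: ["desktop.ini", "svc.exe"],
    STARTUP_DIRS[1]: ["desktop.ini", "Vendor Tool.lnk"],
}


def triage_sample() -> List[dict]:
    return triage_autoruns(SAMPLE_RUN_VALUES, SAMPLE_STARTUP_FILES)


if __name__ == "__main__":
    data = collect_live() if sys.platform == "win32" else (SAMPLE_RUN_VALUES, SAMPLE_STARTUP_FILES)
    for finding in triage_autoruns(*data):
        print(finding)
```

Neither heuristic is proof of infection on its own (some installers do drop executables into Startup), but together with the ".faust" extension or the ransom notes they narrow the search quickly; the machine-wide ProgramData folder should be checked with an elevated prompt.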

To avoid destroying the system, double-encrypting files, or encrypting its ransom information, it contains an exclusion list:

  • File extensions: faust, actin, DIKE, Acton, actor, Acuff, FILE, Acuna, fullz, MMXXII, GrafGrafel, kmrox, s0m1n, qos, cg, ext, rdptest, S0va, 6y8dghklp, SHTORM, NURRI, GHOST, FF6OM6, blue, NX, BACKJOHN, OWN, FS23, 2QZ3, top, blackrock, CHCRBO, G-STARS, faust, unknown, STEEL, worry, WIN, duck, fopra, unique, acute, adage, make, Adair, MLF, magic, Adame, banhu, banjo, Banks, Banta, Barak, Caleb, Cales, Caley, calix, Calle, Calum, Calvo, deuce, Dever, devil, Devoe, Devon, Devos, dewar, eight, eject, eking, Elbie, elbow, elder, phobos, help, blend, bqux, com, mamba, KARLOS, DDoS, phoenix, PLUT, karma, bbc, capital, wallet, lks, tech, s1g2n3a4l, murk, makop, ebaka, jook, logan, fiasko, gucci, decrypt, ooh, non, grt, lizard, flscrypt, sdk, 2023, and vhdv.
  • Directories: C:\Windows and C:\ProgramData\microsoft\windows\caches
  • Filenames: info.hta, info.txt, boot.ini, bootfont.bin, ntldr, ntdetect.com, and io.sys.

As is typical of Phobos variants, FAUST ransomware stores its configuration in encoded form and retrieves each item through a decryption function that takes an index. Take the exclusion list, for example: it uses index 7 for file extensions, 8 for filenames, and 9 for directories.

Figure 12: Retrieving the exclusion list

It also initiates multiple threads to perform various tasks. These tasks include deploying encryption, scanning logical drives, searching for network/sharing resources, scanning files individually, and explicitly seeking database-related files (such as fdb, sql, 4dd, 4dl, abs, abx, accdb, accdc, accde, adb, adf, ckp, db, db-journal, db-shm, db-wal, db2, db3, dbc, dbf, dbs, dbt, dbv, dcb, dp1, eco, edb, epim, fcd, gdb, mdb, mdf, ldf, myd, ndf, nwdb, nyf, sqlitedb, sqlite3, and sqlite).

The encrypted files carry the extension “.id[<<ID>>-3512].[[email protected]].faust.” It also launches the HTML version of the ransom note, “info.hta,” on the victim’s device. Figure 13 shows the message instructing victims to contact the attackers via email, using the specific ID as the message's title, or through a TOX message. By inspecting the TOX ID, we found that the original seller initiated the selling process in November 2023, as shown in Figure 14. Notably, the selling activity is ongoing, and users should remain vigilant against this threat.

Figure 13: The ransom note
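The file-name format and the two ransom notes are the most reliable on-disk artefacts for an incident responder to sweep for. The following added example, not code from the blog or from Fortinet, turns them into a small detection routine run over a constructed directory listing: it recognises the “<original>.id[<ID>-3512].[<email>].faust” pattern, pulls out the victim ID and contact address (which identify the campaign when correlating across hosts), and counts ransom notes. The victim ID, contact address and file names in the sample are placeholders.

```python
import re
from typing import List, Optional

# Added example (not from the blog): detection logic for the artefacts FAUST
# leaves on disk, run over a constructed directory listing. The name format
# comes from the blog: <original>.id[<victim ID>-3512].[<contact email>].faust;
# the victim ID, contact address and file names below are made up.

ENCRYPTED_NAME_RE = re.compile(
    r"^(?P<original>.+?)\.id\[(?P<victim_id>[^\]-]+)-(?P<suffix>\d+)\]"
    r"\.\[(?P<email>[^\]]+)\]\.faust$",
    re.IGNORECASE,
)
RANSOM_NOTES = {"info.txt", "info.hta"}


def classify(filename: str) -> Optional[dict]:
    """Return a record for an encrypted file or ransom note, else None."""
    if filename.lower() in RANSOM_NOTES:
        return {"kind": "ransom_note", "file": filename}
    m = ENCRYPTED_NAME_RE.match(filename)
    if m:
        return {"kind": "encrypted", **m.groupdict()}
    return None


def scan_listing(filenames: List[str]) -> dict:
    """Summarise a listing: counts plus the victim IDs and contact
    addresses seen, which identify the campaign for IR correlation."""
    summary = {"encrypted": 0, "ransom_notes": 0,
               "victim_ids": set(), "contacts": set()}
    for name in filenames:
        rec = classify(name)
        if rec is None:
            continue
        if rec["kind"] == "ransom_note":
            summary["ransom_notes"] += 1
        else:
            summary["encrypted"] += 1
            summary["victim_ids"].add(rec["victim_id"])
            summary["contacts"].add(rec["email"])
    return summary


# Constructed listing (victim ID and contact address are placeholders).
SAMPLE_LISTING = [
    "budget.xlsx",
    "report.docx.id[A1B2C3D4-3512].[attacker@example.invalid].faust",
    "notes.id[A1B2C3D4-3512].[attacker@example.invalid].faust",
    "info.txt",
    "info.hta",
]


if __name__ == "__main__":
    for name in SAMPLE_LISTING:
        print(name, "->", classify(name))
    print(scan_listing(SAMPLE_LISTING))
```

To sweep a real volume, feed `scan_listing` the names from `os.walk`; the `-3512` suffix is kept as a capture group rather than hard-coded so the same routine can be reused for other Phobos builds that change it.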

Conclusion

This report delved into the FAUST variant of the Phobos ransomware, providing insights into the process of downloading the payload file from an MS Excel document embedded with VBA script. Our analysis uncovered a threat actor employing a fileless attack to deploy shellcode, injecting the final FAUST payload into the victim's system. The FAUST variant exhibits the ability to maintain persistence in an environment and creates multiple threads for efficient execution. To safeguard devices from potential malware threats, users must exercise caution and refrain from opening document files from untrusted sources.

Fortinet Protections

The malware described in this report is detected and blocked by FortiGuard Antivirus as:

VBA/Dropper.CB!tr
W64/Agent.ACFT!tr
W64/Agent.A9D5!tr
W64/Dloader.584B!tr
W32/FilecoderPhobos.C!tr.ransom

FortiGate, FortiMail, FortiClient, and FortiEDR support the FortiGuard AntiVirus service. The FortiGuard AntiVirus engine is a part of each of those solutions. As a result, customers who have these products with up-to-date protections are protected.

The FortiGuard CDR (content disarm and reconstruction) service can disarm the malicious macros within the document.

We also suggest that organizations go through the free Fortinet Certified Fundamentals (FCF) in Cybersecurity training. The training is designed to help end users learn about today's threat landscape and will introduce basic cybersecurity concepts and technology.

Fortinet also provides an extensive portfolio of services powered by our global FortiGuard team of seasoned cybersecurity experts.

The FortiGuard IP Reputation and Anti-Botnet Security Services proactively block attacks by aggregating malicious source IP data from the Fortinet distributed network of threat sensors, CERTs, MITRE, cooperative competitors, and other global sources that collaborate to provide up-to-date threat intelligence about hostile sources.

FortiRecon, a SaaS-based Digital Risk Prevention Service backed by cybersecurity experts, provides unrivaled threat intelligence on the latest threat actor activity across the dark web, providing a rich understanding of threat actors’ motivations and TTPs. The service can detect evidence of attacks in progress, allowing customers to rapidly respond to and shut down active threats.

If you believe this or any other cybersecurity threat has impacted your organization, please contact our Global FortiGuard Incident Response Team.

IOCs

Files:

426284b7dedb929129687303f1bf7e4def607f404c93f7736d17241e43f0ab33
50e2cb600471fc38c4245d596f92f5444e7e17cd21dd794ba7d547e0f2d9a9d5
a0a59d83fa8631d0b9de2f477350faa89499e96fd5ec07069e30992aaabe913a
ebe77c060f8155e01703cfc898685f548b6da12379e6aefb996dbcaac201587c
c10dc2f6694414b68c10139195d7db2bb655f3afdcc1ac6885ef41ef1f0078df


Source: https://feeds.fortinet.com/~/865729472/0/fortinet/blog/threat-research~Another-Phobos-Ransomware-Variant-Launches-Attack-%e2%80%93-FAUST