FortiEDR
FortiEDR automates the protection against advanced threats, pre and post-execution, with real time orchestrated incident response functionality.
agat (Staff)
Article Id 302679

Introduction

Faust ransomware is a recent variant of the Phobos ransomware family. The Phobos ransomware group operates through a ransomware-as-a-service (RaaS) model and started its operations as early as 2018. The group is known to initiate intrusions and spread within compromised networks via compromised or vulnerable RDP connections [1]. Recently, FortiGuard Labs discovered an Office document (.XLAM file) containing a VBA script aimed at propagating the Faust ransomware [2], an anomalous distribution method for the Phobos group and for ransomware in general. XLAM is the extension for a macro-enabled Excel add-in file [3], and in the observed campaign a VBA macro was used for initial execution. This campaign utilized the DevOps platform Gitea [4] to store several base64-encoded files containing the various staged payloads. These malicious payloads are decoded and executed in memory as part of the VBA macro’s execution.

The ransom note dropped by this variant contains a TOX ID that can be traced back to a post by a threat actor who was selling Phobos ransomware on an underground forum in November 2023 [5]. The use of Faust ransomware was also observed in a recent incident response (IR) engagement performed by the FortiGuard IR team. In this engagement, the threat actor gained initial access through a compromised VPN account and performed extensive lateral movement through RDP before manually executing the Faust ransomware executable on key endpoints within the victim’s environment. Whilst the techniques from that intrusion differ from those covered in this article, the behavior of the ransomware itself was identical. This article focuses on the campaign reported by FortiGuard due to its unique nature.

The purpose of this article is to demonstrate how FortiEDR detects and prevents execution of this malware and its associated preparation and encryption behavior, mitigating the associated risk. This article also demonstrates the FortiEDR Threat Hunting telemetry generated by this ransomware when observed in a FortiEDR-protected environment and how this telemetry can be leveraged using threat hunting queries. Associated IOCs and MITRE ATT&CK mapping are included at the end of the article.

 

Attack Diagram

 


Figure 1. Attack diagram of Faust ransomware

 

Analysis

 

The analyzed campaign starts with the threat actor sending a phishing email with an XLAM document. When the XLAM document is opened, the VBA macro embedded within the document is triggered by the ‘Workbook_Open’ Microsoft Excel event. This VBA macro contains a base64-encoded PowerShell payload which is executed using the following command:

 

cmd /c powershell -EncodedCommand <payload_string>

 

 

The PowerShell code tried to connect to the website ‘gitea.com’, which resolved to the IP address 18.166.250.135 at the time of this execution. This behavior triggers the rule ‘Suspicious Application - Connection Attempt from a Suspicious Application’ under the ‘Exfiltration Prevention’ security policy in FortiEDR. This can be observed in Figure 2 below.

 


Figure 2. FortiEDR security event showing the network connection to gitea.com by PowerShell. In execution mode this would be blocked as suspicious.

 

The PowerShell script tries to download and extract data from the file hxxps://gitea[.]com/JoinPokingo/JingaPol/raw/branch/main/cfmifs_CRPT[.]txt and create a dropper executable named ‘AVG update.exe’ in the path ‘C:\Users\<UserName>\AppData\Local\ConnectedDevicesPlatform<2RandomChars>\’. After executing the obfuscated PowerShell script, the VBA code downloads a base64-encoded text file from the following URL:

hxxps://gitea[.]com/JoinPokingo/JingaPol/raw/branch/main/Main%20table.1.xlsx[.]txt

The VBA macro decodes the text file to obtain an XLSX file, which is a non-malicious Microsoft Excel file. The VBA code then opens this XLSX file as a decoy, possibly to minimize user suspicion about the malicious behavior of the VBA macros embedded in the main XLAM file. The content of this decoy file can be seen in Figure 3 below.

 


Figure 3. Decoy XLSX file downloaded by the malicious XLAM VBA code.

 

At the time of detonating this sample in FortiEDR, the payloads on ‘gitea.com’ had been taken down. Fortunately, using previously collected artifacts, we were able to determine that the outcome of the attempted connection is the download and execution of the executable ‘AVG update.exe’, so we proceeded with the analysis by manually executing ‘AVG update.exe’.

When the dropper ‘AVG update.exe’ is executed, it first tries to kill a process named ‘SmartScreen Defender Windows.exe’ using the Windows utility taskkill.exe. The ‘AVG update.exe’ executable is detected by FortiEDR as malicious based on FortiGuard AV signatures, so the subsequent attempt by the malicious process to execute taskkill.exe is blocked by FortiEDR. This can be observed in Figure 4 below.

 


Figure 4. FortiEDR blocks taskkill process spawned by the ‘AVG update.exe’ dropper executable.

 

Following the execution of taskkill, ‘AVG update.exe’ extracts a file from its own .rdata section and stores it in two files named in the format ‘<7_Random_AlphaCharacters>.tmp’ in the path ‘C:\Users\<UserName>\AppData\Local\Temp\’. The ‘AVG update.exe’ process then uses the Microsoft .NET C# compiler (csc.exe) to compile these two temporary files into an executable named ‘SmartScreen Defender Windows.exe’ in the same path. This can be observed in FortiEDR Threat Hunting telemetry as shown in Figure 5 below.

 


Figure 5. FortiEDR Threat Hunting data showing 'AVG update.exe’ process compiling the ‘SmartScreen Defender Windows.exe’ executable.

 

After compilation is completed, the ‘AVG update.exe’ process deletes the temporary files used to compile the ‘SmartScreen Defender Windows.exe’ executable. The process then runs cmd.exe with the following command to get the process ID of the explorer process:

 

cmd.exe /C powershell -Command "Get-Process -Name 'explorer' | Select-Object -ExpandProperty Id"

 

 

After this the ‘AVG update.exe’ process executes a curl command to download the final stage obfuscated payload from the following URL:

 

hxxps://gitea[.]com/JoinPokingo/JingaPol/raw/branch/main/AppVStreamingUX_FST[.]txt

 

 

The process creation threat hunting telemetry associated with this activity can be observed in Figure 6 below.

 


Figure 6. FortiEDR Threat Hunting data showing the curl command to download final payload.

 

The FortiEDR ‘Exfiltration Prevention’ security policy detects ‘AVG update.exe’ with the rule ‘Malicious File Detected’. Due to this, FortiEDR blocks the network connection attempt associated with this curl request, preventing the payload download. This can be observed in Figure 7.

 


Figure 7. FortiEDR event showing download of final payload using curl command was blocked

 

After the above behavior, the ‘AVG update.exe’ process executes ‘SmartScreen Defender Windows.exe’. The ‘SmartScreen Defender Windows.exe’ executable is a dummy file that is designed only to run indefinitely and will later be injected with the final Faust ransomware payload. The ‘AVG update.exe’ process base64-decodes the payload retrieved via the curl command, extracts the final shellcode payload embedded within the decoded data using the fixed pattern ‘**bleep**{(.*)}**bleep**’ and finally base64-decodes the data found using this pattern once more. The resultant shellcode is injected into the process ‘SmartScreen Defender Windows.exe’. Note: since the payload files on gitea[.]com had been taken down prior to this analysis, this process injection step was not recreated directly in the FortiEDR test environment. Instead, we retrieved a dump file of the injected process from previous research by the FortiGuard team and detonated this artifact in the FortiEDR test environment.

 

FortiEDR employs machine learning and online sandboxing which allows it to detect new variants of malware, including ransomware. FortiEDR also has integration with FortiGuard threat intelligence and AV engines. The combination of these capabilities allows FortiEDR to detect execution of malware, such as Faust ransomware, before it can execute as part of the FortiEDR pre-execution policies. In the case of Faust ransomware, the malicious executable was detected by FortiEDR as a Phobos sample matching on FortiGuard’s ‘FilecoderPhobos.C!tr.ransom’ signature. This can be observed in Figure 8 below.

 


Figure 8. FortiEDR security event related to pre-execution detection of Faust ransomware.

 

When the Faust ransomware payload is executed, it creates a copy of itself in the folder ‘C:\Users\<USER>\AppData\Local\’. Afterwards it establishes persistence by creating the following registry value (T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder):

 

Registry Path: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Registry Name: c10dc2f6694414b68c10139195d7db2bb655f3afdcc1ac6885ef41ef1f0078df

Registry Data: C:\Users\<USER>\AppData\Local\c10dc2f6694414b68c10139195d7db2bb655f3afdcc1ac6885ef41ef1f0078df.exe

 

 

The malware uses its executable file name without extension as the name of this registry value. This registry modification generates the FortiEDR event ‘Modify OS Settings’, which can be observed in Figure 9.


Figure 9. FortiEDR Modify OS Settings event for creation of registry key for persistence

 

Pre-encryption activities:

 

After creating persistence, the malware executes multiple commands using cmd.exe to inhibit future system recovery (T1490 - Inhibit System Recovery). The first command run by the malware was:

 

vssadmin.exe delete shadows /all /quiet

 

 

It was observed that, unlike many other ransomware families which delete backups before starting file encryption, Faust ransomware performs file encryption and backup deletion simultaneously. As a result, the malware file had already triggered the rule ‘File Encryptor - Suspicious file modification’ under the ‘Ransomware Prevention’ security policy in FortiEDR. Since this file had been injected with the payload, the ‘Invalid Checksum’ rule was also triggered. This can be observed in Figure 10 below.

 


Figure 10. FortiEDR Event capturing deletion of shadow copy using vssadmin.exe

 

Afterwards this malware runs the following command through a new cmd.exe child process:

 

WMIC.exe shadowcopy delete

 

 

WMIC is the Windows Management Instrumentation command-line utility. The malware attempts to delete shadow copies using the WMIC.exe utility (T1047 - Windows Management Instrumentation). This command execution also triggered the rule ‘File Encryptor - Suspicious file modification’ under the rule group ‘Ransomware Prevention’. This event, with its command line, can be observed in Figure 11 below.

 


Figure 11. FortiEDR forensics section showing event for WMIC.exe shadow copy delete command

 

The malware executed further commands in an attempt to inhibit future system recovery (T1490 - Inhibit System Recovery). These commands are shown below:

 

bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

bcdedit.exe /set {default} recoveryenabled no

wbadmin.exe delete catalog -quiet

 

 

These commands can be observed through FortiEDR threat hunting telemetry as shown in Figure 12 below.

 


Figure 12. FortiEDR Threat Hunting section showing multiple commands executed by malware

 

Encryption activities:

 

The malware then initiates multiple threads to perform the encryption process. Each of these threads iterates through the files to be encrypted, reading each file, encrypting it and then deleting the original file. FortiGuard reports that Faust ransomware also includes three exclusion lists, to avoid system destruction, double encryption of files and encryption of the ransom information, as given below [6]:

 

File extensions:

 

faust, actin, DIKE, Acton, actor, Acuff, FILE, Acuna, fullz, MMXXII, GrafGrafel, kmrox, s0m1n, qos, cg, ext, rdptest, S0va, 6y8dghklp, SHTORM, NURRI, GHOST, FF6OM6, blue, NX, BACKJOHN, OWN, FS23, 2QZ3, top, blackrock, CHCRBO, G-STARS, faust, unknown, STEEL, worry, WIN, duck, fopra, unique, acute, adage, make, Adair, MLF, magic, Adame, banhu, banjo, Banks, Banta, Barak, Caleb, Cales, Caley, calix, Calle, Calum, Calvo, deuce, Dever, devil, Devoe, Devon, Devos, dewar, eight, eject, eking, Elbie, elbow, elder, phobos, help, blend, bqux, com, mamba, KARLOS, DDoS, phoenix, PLUT, karma, bbc, capital, wallet, lks, tech, s1g2n3a4l, murk, makop, ebaka, jook, logan, fiasko, gucci, decrypt, ooh, non, grt, lizard, flscrypt, sdk, 2023, and vhdv.

 

 

Directories: C:\Windows and C:\ProgramData\microsoft\windows\caches

Filenames: info.hta, info.txt, boot.ini, bootfont.bin, ntldr, ntdetect.com, and io.sys.

 

The encrypted files have the extension ‘.id[<<ID>>-3512].[babylon4367@proton.me].faust’. When the ransomware creates an encrypted file, it triggers the ‘File Encryptor - Suspicious file modification’ rule under the ‘Ransomware Prevention’ security policy. This can be observed in Figure 13 below.

 


Figure 13. FortiEDR event triggered by file encryption done by Faust ransomware

 

After creating the encrypted file, the malware deletes the original file. This file deletion triggers rule ‘File Encryptor - Suspicious file modification’ of FortiEDR under the rule group ‘Ransomware Prevention’ and would be blocked by FortiEDR in protect mode. The related security events associated with this activity can be observed in Figure 14 below.

 


Figure 14. FortiEDR event which captures Faust ransomware attempting to delete original files following the creation of encrypted copies.

 

Ransom note:

After file encryption is completed, the malware creates two types of ransom note. The first is ‘info.txt’, a text file containing the ransom note, and the second is ‘info.hta’, an HTML application file. After creating the .HTA file, the malware executes the following commands to display the ‘info.hta’ ransom note:

 

mshta.exe C:\Users\<username>\Desktop\info.hta {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

mshta.exe C:\users\public\desktop\info.hta {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

mshta.exe C:\info.hta {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

 

 

The ransom note contains instructions to send an email to ‘babylon4367@proton.me’ with the ID in the title of the email message to begin payment negotiations. The ransom note also contains a TOX ID that can be used to communicate via TOX messenger. TOX messenger is a peer-to-peer encrypted messenger[7]. These ransom notes can be seen in the following Figure 15.

 


Figure 15. Ransom notes opened by the Faust ransomware.

 

Conclusion

As demonstrated by the analysis contained in this article, FortiEDR detects the execution of the Faust Ransomware and its subsequent file encryption behavior as well as pre-encryption behavior executed to inhibit system recovery. This article has also demonstrated how FortiEDR is able to detect and block anomalous macro behavior and the interesting use of the legitimate Gitea service as a method of C2 in the analyzed Faust campaign.

In addition to the protection capabilities highlighted through FortiEDR’s security policies, FortiEDR Threat Hunting telemetry provides additional opportunities to detect suspected encryption activity, along with pre-encryption activities. FortiEDR Threat Hunting queries, IOCs and MITRE ATT&CK mappings are included with this article for proactive threat hunting.

Note that during the analysis outlined in this article FortiEDR was configured in ‘Log Only’ mode to demonstrate detection capabilities against all stages of malware execution. In ‘Prevention Mode’ all detected activity will be blocked by associated policies.

 

Threat Hunting

The following Threat Hunting query will return Value Created events where a registry value of type “SZ” is created under the registry path ‘HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run’. False positives may occur during the installation of legitimate applications. This is not Faust-specific behavior and may detect other malware or activity that leverages this technique.

 

Type: ("Value Created") AND Source.Process.File.Ext: ("exe") AND Registry.ValueType: ("SZ") AND Registry.Path: ("HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run")

 

 

The following Threat Hunting query will return Process Creation events where ‘vssadmin.exe’ is executed to delete shadow copies. This command is not unique to Faust ransomware; other malware families may also use it.

 

Type:("Process Creation") AND Target.Process.Name:"vssadmin.exe" AND (Target.Process.CommandLine: "delete shadows \/all \/quiet")

 

 

The following Threat Hunting query will return Process Creation events where ‘WMIC.exe’ is executed with command-line arguments indicative of shadow copy deletion. This command is not unique to Faust ransomware; other malware families may also use it.

 

Type: ("Process Creation") AND Source.Process.Name:"cmd.exe" AND Target.Process.File.Name: ("WMIC.exe") AND Target.Process.CommandLine: ("shadowcopy delete")

 

 

The following Threat Hunting query will return Process Creation events where ‘bcdedit.exe’ is executed with the parameter ‘/set {default} recoveryenabled no’. This command is not unique to Faust ransomware; other malware families may also use it.

 

Type: ("Process Creation") AND Source.Process.Name:"cmd.exe" AND Target.Process.File.Name: ("bcdedit.exe") AND Target.Process.CommandLine: ("\/set \{default\} recoveryenabled no")

 

 

The following Threat Hunting query will return Process Creation events where ‘wbadmin.exe’ is executed with the parameter ‘delete catalog -quiet’. This command is not unique to Faust ransomware; other malware families may also use it.

 

Type: ("Process Creation") AND Source.Process.Name:("cmd.exe") AND Target.Process.File.Name: ("wbadmin.exe") AND Target.Process.CommandLine: ("delete catalog \-quiet")

 

 

The following Threat Hunting query will return File Create events where a file is created with the extension ‘faust’. This extension is uncommon and has only been seen on files encrypted by Faust ransomware. Detection at this stage of Faust ransomware execution indicates that encryption has likely already occurred; this query has been included for completeness.

 

Type: ("File Create") AND Target.File.Ext: ("faust")

 

 

The following Threat Hunting query will return File Create events where an executable creates the file ‘info.hta’, the ransom note file created by Faust ransomware. The file itself is not malicious, and detection at this stage of Faust ransomware execution indicates that encryption has likely already occurred; this query has been included for completeness.

 

Type: ("File Create") AND Source.Process.File.Ext: ("exe") AND Target.File.Name: ("info.hta")

 

 

The following Threat Hunting query will return Process Creation events where ‘mshta.exe’ is executed to open the ‘info.hta’ ransom note files created by Faust ransomware from two file locations (the public Desktop or the root of the C drive). The ‘info.hta’ file itself is not malicious, and detection at this stage of Faust ransomware execution indicates that encryption has likely already occurred; this query has been included for completeness.

 

Type: ("Process Creation") AND Target.Process.File.Name: ("mshta.exe") AND Target.Process.CommandLine: ("\"C\:\\users\\public\\desktop\\info.hta\" \{1E460BD7\-F1C3\-4B2E\-88BF\-4E770A288AF5\}\{1E460BD7\-F1C3\-4B2E\-88BF\-4E770A288AF5\} " OR "\"C\:\\info.hta\" \{1E460BD7\-F1C3\-4B2E\-88BF\-4E770A288AF5\}\{1E460BD7\-F1C3\-4B2E\-88BF\-4E770A288AF5\} ")
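As an added example that is not part of the original article or of FortiEDR, the Python below re-expresses the hunting queries above, plus the encoded-PowerShell stage from the Analysis section, as predicates run over constructed sample events whose field names mirror the queries. The events, the harmless encoded one-liner and the staging-host watchlist are constructed assumptions, not captured telemetry.

```python
"""Emulate the article's FortiEDR hunting queries over constructed telemetry (added example)."""
import base64
import re

# Constructed sample: a harmless one-liner encoded as -EncodedCommand expects (UTF-16LE,
# then base64); the real macro payload from the campaign is not reproduced here.
SAMPLE_PS = "Write-Host 'sample referencing gitea.com'"
ENCODED = base64.b64encode(SAMPLE_PS.encode("utf-16-le")).decode()
WATCHED_HOSTS = ("gitea.com",)  # payload staging host named in the article

def pc(source, target, cmdline):
    """Constructed Process Creation event using the query field names."""
    return {"Type": "Process Creation", "Source.Process.Name": source,
            "Target.Process.File.Name": target, "Target.Process.CommandLine": cmdline}

EVENTS = [
    pc("EXCEL.EXE", "powershell.exe", "powershell -EncodedCommand " + ENCODED),
    pc("cmd.exe", "vssadmin.exe", "vssadmin.exe delete shadows /all /quiet"),
    pc("cmd.exe", "WMIC.exe", "WMIC.exe shadowcopy delete"),
    pc("cmd.exe", "bcdedit.exe", "bcdedit.exe /set {default} recoveryenabled no"),
    pc("cmd.exe", "wbadmin.exe", "wbadmin.exe delete catalog -quiet"),
    {"Type": "Value Created", "Source.Process.File.Ext": "exe", "Registry.ValueType": "SZ",
     "Registry.Path": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"},
    {"Type": "File Create", "Target.File.Ext": "faust",
     "Target.File.Name": "report.docx.id[<<ID>>-3512].[babylon4367@proton.me].faust"},
    pc("explorer.exe", "mshta.exe", r"mshta.exe C:\info.hta {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}"),
    pc("cmd.exe", "vssadmin.exe", "vssadmin.exe list shadows"),  # benign: must not match
    {"Type": "Value Created", "Source.Process.File.Ext": "exe", "Registry.ValueType": "SZ",
     "Registry.Path": r"HKCU\SOFTWARE\Microsoft\Office\16.0\Common"},  # benign: not the Run key
]

def decode_encoded_command(cmdline):
    """Return the plaintext of a PowerShell -EncodedCommand argument, or None."""
    m = re.search(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except ValueError:  # bad base64 or odd byte count: not a real encoded command
        return None

def encoded_powershell_to_staging_host(ev):
    """PowerShell started with an encoded command that names a watched host."""
    if ev["Type"] != "Process Creation" or "powershell" not in ev["Target.Process.File.Name"].lower():
        return False
    decoded = decode_encoded_command(ev["Target.Process.CommandLine"])
    return decoded is not None and any(h in decoded.lower() for h in WATCHED_HOSTS)

def cmdline_rule(target, needle):
    """Process Creation predicate: target image name plus a command-line fragment."""
    def pred(ev):
        return (ev["Type"] == "Process Creation"
                and ev["Target.Process.File.Name"].lower() == target
                and needle in ev["Target.Process.CommandLine"].lower())
    return pred

def run_key_persistence(ev):
    """SZ value written by an .exe under the HKCU Run key (T1547.001)."""
    return (ev["Type"] == "Value Created" and ev.get("Source.Process.File.Ext") == "exe"
            and ev.get("Registry.ValueType") == "SZ"
            and ev.get("Registry.Path", "").lower().endswith(r"\currentversion\run"))

RULES = {
    "encoded PowerShell referencing staging host": encoded_powershell_to_staging_host,
    "vssadmin shadow copy deletion (T1490)": cmdline_rule("vssadmin.exe", "delete shadows"),
    "WMIC shadow copy deletion (T1047)": cmdline_rule("wmic.exe", "shadowcopy delete"),
    "bcdedit recovery disabled (T1490)": cmdline_rule("bcdedit.exe", "recoveryenabled no"),
    "wbadmin catalog deletion (T1490)": cmdline_rule("wbadmin.exe", "delete catalog"),
    "mshta opening info.hta ransom note": cmdline_rule("mshta.exe", "info.hta"),
    "Run key persistence (T1547.001)": run_key_persistence,
    ".faust file created": lambda ev: ev["Type"] == "File Create" and ev.get("Target.File.Ext") == "faust",
}

def hunt(events):
    """Return (rule name, event index) for every rule an event satisfies."""
    return [(name, i) for i, ev in enumerate(events) for name, pred in RULES.items() if pred(ev)]
```

Running hunt(EVENTS) flags the first eight constructed events once each and leaves the two benign controls untouched; the same predicates can be pointed at exported telemetry with matching field names.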

 

 

MITRE ATT&CK

Note: The indicators in observed activity for each MITRE technique are relevant to analyzed campaigns and may change in future campaigns.

 

TA0001 – Initial Access

Technique ID | Technique Description | Observed Activity
T1566.001 | Phishing: Spearphishing Attachment | Phishing email with XLAM document attachment was sent to victims.

 

TA0002 - Execution

Technique ID | Technique Description | Observed Activity
T1204.002 | User Execution: Malicious File | The initial XLAM is opened by the user and its malicious VBA script is executed, starting the infection chain of Faust ransomware. The VBA script is triggered on file open.
T1059.003 | Command and Scripting Interpreter: Windows Command Shell | Faust ransomware uses cmd.exe to execute multiple Windows utilities to implement various other techniques. Details are provided with the corresponding techniques; the cmd processes are spawned from the malware executables.
T1047 | Windows Management Instrumentation | Faust ransomware deletes shadow copies using the utility WMIC.exe. The following command line was used: WMIC.exe shadowcopy delete. No obfuscation has been observed.

 

TA0003 - Persistence

Technique ID | Technique Description | Observed Activity
T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Faust ransomware creates an entry in the registry path HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run with a reference to its executable.

 

TA0005 - Defense Evasion

Technique ID | Technique Description | Observed Activity
T1140 | De-obfuscate/Decode Files or Information | The XLAM document contains a VBA macro which contains obfuscated PowerShell code. The intermediate payloads downloaded by the malware are also base64 encoded and contain hidden data that can be extracted by searching around the string pattern ‘**bleep**{(.*)}**bleep**’.
T1055 | Process Injection | The dropper payload (‘AVG update.exe’) starts an exe ‘SmartScreen Defender Windows.exe’ and then injects the downloaded final payload (shellcode) into this process.
T1036.005 | Masquerading: Match Legitimate Name or Location | The dropper payload starts an exe ‘SmartScreen Defender Windows.exe’ whose name resembles the Microsoft Defender SmartScreen utility.
T1027.004 | Obfuscated Files or Information: Compile After Delivery | The dropper ‘AVG update.exe’ uses csc.exe to compile the dummy executable ‘SmartScreen Defender Windows.exe’ from two temporary files it drops.

 

TA0011 – Command and Control

Technique ID | Technique Description | Observed Activity
T1071.001 | Application Layer Protocol: Web Protocols | The malicious VBA macro embedded in the XLAM document downloads payloads using HTTPS requests implemented in PowerShell. The dropper ‘AVG update.exe’ also uses curl to make HTTPS requests.
T1102 | Web Service | The legitimate DevOps platform gitea[.]com is used by the threat actors to store various obfuscated payloads.
T1105 | Ingress Tool Transfer | The malware has a staged dropper which downloads a downloader, a decoy document, and the final ransomware payload.

 

TA0040 - Impact

Technique ID | Technique Description | Observed Activity
T1486 | Data Encrypted for Impact | Faust ransomware encrypts the files on the victim endpoint using the file copy method, i.e. an encrypted copy of the file is created and the original file is deleted.
T1490 | Inhibit System Recovery | Faust ransomware deletes shadow copies using the utility vssadmin.exe and also using WMIC.

 

IOC

Indicator Description | Indicator | Indicator Type | Associated Tactic | Notes | First Observed
Malicious Executable | 1ffb3b11ccaad3ec50fd093e2e0ae40401577305 | SHA1 Hash | Installation | Faust Ransomware executable | 2024-01-26
Malicious Executable | 17125f4ece6483933eb6646a16cd2859389a938a | SHA1 Hash | Installation | XLAM file with malicious VBA code | 2024-01-26
Malicious URL | https://gitea[.]com/JoinPokingo/JingaPol/raw/branch/main/cfmifs_CRPT.txt | URL | Installation | Malicious payload | 2024-01-26
Malicious URL | https://gitea[.]com/JoinPokingo/JingaPol/raw/branch/main/Main%20table.1.xlsx.txt | URL | Installation | Decoy Excel payload | 2024-01-26
Malicious URL | hxxps://gitea[.]com/JoinPokingo/JingaPol/raw/branch/main/AppVStreamingUX_FST[.]txt | URL | Installation | Obfuscated ransomware payload | 2024-01-26

 

 

[1] https://www.cloudsek.com/threatintelligence/analysis-of-faust-ransomware-a-variant-of-the-phobos-ran...

[2] https://www.fortinet.com/blog/threat-research/phobos-ransomware-variant-launches-attack-faust

[3] https://filesec.io/xlam

[4] https://about.gitea.com/

[5] https://www.fortinet.com/blog/threat-research/phobos-ransomware-variant-launches-attack-faust

[6] https://www.fortinet.com/blog/threat-research/phobos-ransomware-variant-launches-attack-faust

[7] https://tox.chat/
