29 January 2024

Navigating the Shifting Tides: Faust Ransomware and the Evolving Face of Cybersecurity Threats

Staying ahead of ransomware operators is a continuous effort, and recent reporting has surfaced a new variant of the Phobos ransomware family tracked as Faust. Around it, several newer families have also appeared, among them Albabat, Kasseika, and Kuiper, each bringing its own tooling and delivery tricks. This post summarizes what is known about Faust's delivery chain and places it in the context of these other developments, with an eye on what defenders can actually check for.

1. Faust Ransomware: A New Phobos Variant

Propagation Method

Faust is delivered through a familiar but still effective vector. Researchers at Fortinet FortiGuard Labs observed it being distributed through Microsoft Excel documents carrying Visual Basic for Applications (VBA) macros. Macro-enabled documents remain a reliable entry point wherever users can still enable macros, so organizations should block or restrict them by policy rather than rely on users to decline the prompt.

Gitea as a Payload Host

The operators use a Gitea instance (Gitea is a self-hostable Git service) to store several Base64-encoded files, each carrying a malicious binary. The macro fetches these files, decodes them, and loads the result directly into memory, where the file encryption routine runs. Gitea itself is not exploited here; it is simply a legitimate developer service pressed into use as a malware delivery channel, which makes blocking by domain reputation alone unreliable.

Active Since 2022

Faust is not new: it has been active since 2022 and is one of several variants in the Phobos family. What stands out is its indiscriminate nature, since it does not appear to target particular industries or regions. No organization can assume it is out of scope, so the controls that matter are the general ones: a restrictive macro policy, egress filtering, credential hygiene, and tested, offline backups.

2. Attack Chain Analysis

XLAM Document Vector

The Faust attack chain begins with an XLAM document, an Excel add-in file that, like .xlsm workbooks, can carry VBA macros. When the document is opened and macros are allowed to run, the embedded code downloads Base64-encoded data from the Gitea repository. Monitoring for Office processes that open network connections to code-hosting services, and for add-in files arriving by email, is a practical way to catch this first stage.

AVG AntiVirus Software Masquerade

The binary retrieved from the Gitea service adds a layer of deception: it masquerades as an updater for AVG AntiVirus, a widely installed product, so that a user or analyst glancing at the process or file name is less likely to investigate. This is a social engineering element, not an exploit of AVG itself. Educate users to obtain software updates only from vendor channels, and treat an unexpected "updater" launched by an Office process as suspicious regardless of its name.

Fileless Attack Techniques

Faust relies on fileless techniques: the decoded payload is injected into memory rather than written to disk as a conventional executable. The variant can also maintain persistence in the environment and spawns multiple threads to speed up encryption. Because the malicious code never lands on disk as a recognizable file, signature-based antivirus has little to match against, which argues for behavioural monitoring on endpoints (process injection, unusual child processes of Office applications, mass file renames) as part of a multi-layered defence.
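The delivery chain described above (a macro-enabled Excel file that fetches Base64-encoded payloads and decodes them into memory) leaves triage artifacts that can be checked before the document is ever opened. The following is an added example written for this post, not code from FortiGuard Labs or from the Faust sample itself. It unpacks an Office Open XML package (.xlam and .xlsm files are zip archives), records whether the package carries a vbaProject.bin part, pulls URLs out of that part, and decodes any long Base64 run to see whether it begins with the MZ header of a Windows executable. The sample document, the gitea.invalid URL and the fake PE bytes are all constructed here for demonstration. Note that real vbaProject.bin streams store module source in a compressed form, so for real samples pair this with a decompressing parser such as olevba.

```python
import base64
import io
import re
import zipfile

# A Base64 run long enough to be a payload rather than an incidental token.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{40,}={0,2}")
URL_RUN = re.compile(rb"https?://[^\s\"'<>]+")
# Hosts that appear in every Office package's XML and are not indicators.
BENIGN_URL_HOSTS = ("schemas.openxmlformats.org", "schemas.microsoft.com", "www.w3.org")


def find_base64_pe(data: bytes) -> list:
    """Decode every long Base64 run in data and keep those that start with 'MZ'."""
    hits = []
    for match in B64_RUN.finditer(data):
        run = match.group(0)
        run = run[: len(run) - len(run) % 4]  # drop a ragged tail; a prefix suffices for a header check
        try:
            decoded = base64.b64decode(run, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        if decoded.startswith(b"MZ"):
            hits.append(decoded)
    return hits


def scan_office_document(blob: bytes) -> dict:
    """Triage an Office Open XML package held in memory (.xlam, .xlsm, .docm, ...)."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        names = zf.namelist()
        vba_parts = [n for n in names if n.lower().endswith("vbaproject.bin")]
        urls = set()
        pe_payloads = 0
        for name in names:
            part = zf.read(name)
            pe_payloads += len(find_base64_pe(part))
            if name in vba_parts:  # URLs inside the macro part are the interesting ones
                for url in URL_RUN.findall(part):
                    url = url.decode("latin-1")
                    if not any(host in url for host in BENIGN_URL_HOSTS):
                        urls.add(url)
    return {
        "vba_parts": vba_parts,
        "urls": sorted(urls),
        "base64_pe_payloads": pe_payloads,
        # A macro that reaches out to a URL or embeds an encoded PE deserves a closer look.
        "suspicious": bool(vba_parts) and (bool(urls) or pe_payloads > 0),
    }


def build_sample_xlam(with_macro: bool = True) -> bytes:
    """Construct a minimal fake .xlam package for the demo; this is not a real sample."""
    # Constructed stand-in for a PE image: DOS header with e_lfanew (offset 60) pointing at 'PE\0\0'.
    fake_pe = (b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00" + b"\x00" * 48
               + b"\x40\x00\x00\x00" + b"PE\x00\x00" + b"\x00" * 64)
    macro_stream = (
        b'Attribute VB_Name = "ThisWorkbook"\r\n'
        b"' hypothetical download location, not an indicator taken from any report\r\n"
        b'Const U = "https://gitea.invalid/acme/tools/raw/branch/main/avg_update.txt"\r\n'
        b'Const P = "' + base64.b64encode(fake_pe) + b'"\r\n'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml",
                    '<workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main"/>')
        if with_macro:
            zf.writestr("xl/vbaProject.bin", macro_stream)
    return buf.getvalue()


if __name__ == "__main__":
    print(scan_office_document(build_sample_xlam()))
    print(scan_office_document(build_sample_xlam(with_macro=False)))
```

The "suspicious" verdict deliberately requires both a VBA project and either an external URL or an embedded encoded PE; a macro-enabled file on its own is common in business workbooks, and flagging every one of them would bury the real hits.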

3. New Ransomware Families on the Horizon

Albabat, Kasseika, Kuiper

Beyond Faust, several new ransomware families have emerged, each with its own modus operandi. Albabat is a Rust-based ransomware distributed under the guise of fraudulent software, posing as a fake Windows 10 digital activation tool and as a cheat program for the Counter-Strike 2 game. Kasseika, also named in this group, was documented in the same period using a vulnerable signed driver (a bring-your-own-vulnerable-driver technique) to disable security software before encrypting files.

Kuiper is a Go-based ransomware attributed to a threat actor named RobinHood. What makes Kuiper noteworthy is its cross-platform capability. Its authors lean on Go's concurrency model to sidestep the thread-handling problems that complicate multithreaded encryptors, which shows how readily modern ransomware operations adopt whatever tooling makes them more efficient.

NONAME: Imitating the LockBit Group

NONAME takes a different approach by imitating the data leak site of the LockBit group. This raises two possibilities: that NONAME is connected to LockBit, or that its site is simply a collection of leaked databases that LockBit already published on its own leak portal. Either way, the imitation complicates attribution, since researchers can no longer treat the look or contents of a leak site as reliable evidence of which group is behind it.

4. Connections and Overlaps

3AM Ransomware

Ransomware families are rarely isolated. Researchers have connected the nascent 3AM ransomware to the Royal/BlackSuit ransomware, citing a "significant overlap" in tactics and communication channels. Overlaps like these are valuable to defenders as well as to analysts, because detections and response playbooks built for one family often transfer to its relatives.

TeamViewer as an Initial Access Vector

Ransomware actors have once again been observed using TeamViewer as an initial access vector: they log in to an exposed installation, then attempt to deploy encryptors built with the leaked LockBit ransomware builder. Remote-access tools are legitimate, which is exactly why they are attractive: they are rarely blocked and their traffic looks routine. Restrict such tools to approved, centrally managed installations, require strong unique passwords and multi-factor authentication on them, and review their connection logs for sessions from unfamiliar IDs or at unusual hours.
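When TeamViewer is the access path, the host's own connection log is often the first evidence available. The following is an added example for this post (not Huntress's, TeamViewer's or any vendor's code) that parses the contents of a Connections_incoming.txt file and flags sessions whose remote ID is not on an allowlist or that started outside business hours. It assumes the seven tab-separated fields this log is commonly documented to carry (remote ID, remote display name, start, end, local user, connection mode, session ID) with dd-mm-yyyy timestamps; confirm the layout against the version you run, since the file format is not a published interface. The log lines, IDs, user names and GUIDs are all constructed for the demo.

```python
import datetime as dt

# Assumed column layout of TeamViewer's Connections_incoming.txt (tab separated):
# remote ID, remote display name, start, end, local user, mode, session ID.
# Verify against your deployed version before relying on this in production.
TIMESTAMP_FORMAT = "%d-%m-%Y %H:%M:%S"


def parse_incoming(text: str) -> list:
    """Parse Connections_incoming.txt content into a list of session dicts."""
    sessions = []
    for line in text.splitlines():
        fields = line.rstrip("\r").split("\t")
        if len(fields) != 7:
            continue  # blank, truncated or unexpected line: skip rather than guess at its meaning
        remote_id, name, start, end, user, mode, session_id = fields
        sessions.append({
            "remote_id": remote_id,
            "name": name,
            "start": dt.datetime.strptime(start, TIMESTAMP_FORMAT),
            "end": dt.datetime.strptime(end, TIMESTAMP_FORMAT),
            "user": user,
            "mode": mode,
            "session_id": session_id,
        })
    return sessions


def flag_sessions(sessions: list, allowed_ids: set, work_start: int = 8, work_end: int = 18) -> list:
    """Return (remote_id, start, reasons) for every session that merits a closer look."""
    flagged = []
    for s in sessions:
        reasons = []
        if s["remote_id"] not in allowed_ids:
            reasons.append("remote ID not on the allowlist")
        off_hours = not (work_start <= s["start"].hour < work_end)
        weekend = s["start"].weekday() >= 5  # Monday is 0, so 5 and 6 are Saturday and Sunday
        if off_hours or weekend:
            reasons.append("session started outside business hours")
        if reasons:
            flagged.append((s["remote_id"], s["start"], reasons))
    return flagged


# Constructed log content for the demo; IDs, host names and GUIDs are invented.
SAMPLE_LOG = (
    "111111111\tHelpdesk-Laptop\t15-01-2024 09:12:04\t15-01-2024 09:40:51\tWS01\\alice\tRemoteControl\t{0a1b2c3d-0000-0000-0000-000000000001}\n"
    "987654321\tDESKTOP-7Q2X\t20-01-2024 02:31:17\t20-01-2024 02:58:02\tWS01\\alice\tRemoteControl\t{0a1b2c3d-0000-0000-0000-000000000002}\n"
    "111111111\tHelpdesk-Laptop\t22-01-2024 14:05:33\t22-01-2024 14:20:10\tWS01\\alice\tRemoteControl\t{0a1b2c3d-0000-0000-0000-000000000003}\n"
)
# Remote IDs the helpdesk is expected to connect from; anything else is reviewed.
KNOWN_HELPDESK_IDS = {"111111111"}


def review_sample() -> list:
    """Run the review over the constructed log and return the flagged sessions."""
    return flag_sessions(parse_incoming(SAMPLE_LOG), KNOWN_HELPDESK_IDS)


if __name__ == "__main__":
    for remote_id, start, reasons in review_sample():
        print(f"{start:%Y-%m-%d %H:%M} remote {remote_id}: {', '.join(reasons)}")
```

In the constructed log only the 02:31 Saturday session from an unknown ID is flagged, for both reasons. A production version would read the file from the TeamViewer installation directory on each host and forward flagged sessions to the SIEM, and would treat a missing or truncated log as a finding in its own right, since attackers who know the file exists may clear it.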

5. LockBit 3.0 Resurfaces

Distribution Through Disguised Resumes

LockBit 3.0, a familiar adversary, has resurfaced. In recent weeks it has been distributed through Microsoft Word files disguised as resumes, in a campaign targeting entities in South Korea. Resumes are exactly the kind of attachment recruiting and HR staff are expected to open, which is why the lure works; handling such documents in a sandboxed viewer, with macros disabled, is the practical countermeasure.


In conclusion, the Faust ransomware and the families around it illustrate how quickly delivery tactics shift: macro-enabled Excel add-ins, code-hosting services used as payload stores, in-memory execution, lookalike leak sites, abused remote-access tools, and resumes carrying LockBit 3.0. No single control addresses all of these, which is why digiALERT advocates a multi-layered approach that combines preventive policy (macro and remote-access restrictions), behavioural detection on endpoints, shared threat intelligence, and continuous user education and awareness programs. The rise of new families such as Albabat, Kasseika, and Kuiper, and the resurgence of LockBit 3.0, are reminders that defences must adapt to emerging tactics rather than only to known threats. digiALERT tracks these developments and helps organizations detect, analyze, and respond to emerging threats, so that they can navigate these shifting tides with resilience and confidence.



digiALERT is a rapidly growing new-age premium cyber security services firm and the trusted cyber security partner for more than 500 enterprises across the globe. We are headquartered in India, with offices in Santa Clara, Sacramento, Colombo, Kathmandu, and elsewhere. We firmly believe that you should focus on your core business while we focus on ours: taking care of your cyber security needs.