Rise – INDIA NEWS (http://www.indiavpn.org)

New Ransomware Gangs Rise with Rust and Golang
http://www.indiavpn.org/2024/01/29/new-ransomware-gangs-rise-with-rust-and-golang/
Mon, 29 Jan 2024 18:16:01 +0000

Jan 29, 2024 | Newsroom | Ransomware / Malware

Cybersecurity researchers have detected in the wild yet another variant of the Phobos ransomware family known as Faust.

Fortinet FortiGuard Labs, which detailed the latest iteration of the ransomware, said it’s being propagated by means of an infection that delivers a Microsoft Excel document (.XLAM) containing a VBA script.

“The attackers utilized the Gitea service to store several files encoded in Base64, each carrying a malicious binary,” security researcher Cara Lin said in a technical report published last week. “When these files are injected into a system’s memory, they initiate a file encryption attack.”

Faust is the latest addition to several ransomware variants from the Phobos family, including Eking, Eight, Elbie, Devos, and 8Base. It’s worth noting that Faust was previously documented by Cisco Talos in November 2023.

The cybersecurity firm described the variant as active since 2022 and said it “does not target specific industries or regions.”

The attack chain commences with an XLAM document that, when opened, downloads Base64-encoded data from Gitea in order to save a harmless XLSX file, while also stealthily retrieving an executable that masquerades as an updater for the AVG AntiVirus software (“AVG updater.exe”).

The binary, for its part, functions as a downloader to fetch and launch another executable named “SmartScreen Defender Windows.exe” in order to kick-start its encryption process by employing a fileless attack to deploy the malicious shellcode.

“The Faust variant exhibits the ability to maintain persistence in an environment and creates multiple threads for efficient execution,” Lin said.

The development comes as new ransomware families such as Albabat (aka White Bat), Kasseika, Kuiper, Mimus, and NONAME have gained traction, the first of which is a Rust-based malware that’s distributed in the form of fraudulent software such as a fake Windows 10 digital activation tool and a cheat program for the Counter-Strike 2 game.

Trellix, which examined the Windows, Linux, and macOS versions of Kuiper earlier this month, attributed the Golang-based ransomware to a threat actor named RobinHood, who first advertised it on underground forums in September 2023.

“The concurrency focused nature of Golang benefits the threat actor here, avoiding race conditions and other common problems when dealing with multiple threads, which would have otherwise been a (near) certainty,” security researcher Max Kersten said.

“Another factor that the Kuiper ransomware leverages, which is also a reason for Golang’s increased popularity, are the language’s cross-platform capabilities to create builds for a variety of platforms. This flexibility allows attackers to adapt their code with little effort, especially since the majority of the code base (i.e., encryption-related activity) is pure Golang and requires no rewriting for a different platform.”

NONAME is also noteworthy for the fact that its data leak site imitates that of the LockBit group, raising the possibility that it could either be another LockBit or that it collects leaked databases shared by LockBit on the official leak portal, researcher Rakesh Krishnan pointed out.

The findings follow a report from French cybersecurity company Intrinsec that connected the nascent 3AM (also spelled ThreeAM) ransomware to the Royal/BlackSuit ransomware, which, in turn, emerged following the shutdown of the Conti cybercrime syndicate in May 2022.

The links stem from a “significant overlap” in tactics and communication channels between the 3AM ransomware and the “shared infrastructure of ex-Conti-Ryuk-TrickBot nexus.”

That’s not all. Ransomware actors have been observed once again using TeamViewer as an initial access vector to breach target environments and attempt to deploy encryptors based on the LockBit ransomware builder, which leaked in September 2022.

“Threat actors look for any available means of access to individual endpoints to wreak havoc and possibly extend their reach further into the infrastructure,” cybersecurity firm Huntress said.

In recent weeks, LockBit 3.0 has also been distributed in the form of Microsoft Word files disguised as resumes targeting entities in South Korea, according to the AhnLab Security Intelligence Center (ASEC).

The Rise of Artificial Intelligence to Combat Cyber Threats
http://www.indiavpn.org/2024/01/29/the-rise-of-artificial-intelligence-to-combat-cyber-threats/
Mon, 29 Jan 2024 17:02:37 +0000

In nearly every segment of our lives, AI (artificial intelligence) now makes a significant impact: It can deliver better healthcare diagnoses and treatments; detect and reduce the risk of financial fraud; improve inventory management; and serve up the right recommendation for a streaming movie on Friday night. However, one can also make a strong case that some of AI’s most significant impacts are in cybersecurity.

AI’s ability to learn, adapt, and predict rapidly evolving threats has made it an indispensable tool in protecting the world’s businesses and governments. From basic applications like spam filtering to advanced predictive analytics and AI-assisted response, AI serves a critical role on the front lines, defending our digital assets from cyber criminals.

The future for AI in cybersecurity is not all rainbows and roses, however. Today we can see the early signs of a significant shift, driven by the democratization of AI technology. While AI continues to empower organizations to build stronger defenses, it also provides threat actors with tools to craft more sophisticated and stealthy attacks.

In this blog, we’ll review how the threat landscape has changed, trace the evolving role AI plays in cyber defense, and consider the implications for defending against attacks of the future.

AI in Cybersecurity: The First Wave (2000–2010)

As we welcomed the new millennium, the initial stages of digital transformation began affecting our personal and professional lives. In most organizations, knowledge workers did their jobs within tightly managed IT environments, leveraging desktop and laptop PCs, along with on-premises data centers that formed the backbone of organizational IT infrastructure.

The cyber threats that gained prominence at this time primarily focused on sowing chaos and gaining notoriety. The early 2000s witnessed the birth of malware like ILOVEYOU, Melissa, and MyDoom, which spread like wildfire and caused significant global disruptions. As we moved toward the mid-2000s, the allure of financial gains led to a proliferation of phishing schemes and financial malware. The Zeus banking trojan emerged as a significant threat, stealthily stealing banking credentials of unsuspecting users.

Organizations relied heavily on basic security controls, such as signature-based antivirus software and firewalls, to try and fend off intruders and protect digital assets. The concept of network security began to evolve, with improved intrusion detection systems making their way into the cybersecurity arsenal. Two-factor authentication (2FA) gained traction at this time, adding an extra layer of security for sensitive systems and data.

This is also when AI first began to show significant value for defenders. As spam email volumes exploded, unsolicited — and often malicious — emails clogged mail servers and inboxes, tempting users with get-rich-quick schemes, illegal pharmaceuticals, and similar lures to trick them into revealing valuable personal information. While AI still sounded like science fiction to many in IT, it proved an ideal tool to rapidly identify and quarantine suspicious messages with previously unimaginable efficiency, helping to significantly reduce risk and reclaim lost productivity. Although in its infancy, AI showed a glimpse of its potential to help organizations protect themselves against rapidly evolving threats, at scale.

AI in Cybersecurity: The Second Wave (2010–2020)

As we transitioned into the second decade of the millennium, the makeup of IT infrastructure changed significantly. The explosion of SaaS (software-as-a-service) applications, cloud computing, BYOD (bring your own device) policies, and the emergence of shadow IT made the IT landscape more dynamic than ever. At the same time, it created an ever-expanding attack surface for threat actors to explore and exploit.

Threat actors became more sophisticated, and their objectives broadened; intellectual property theft, infrastructure sabotage, and monetizing attacks on a larger scale became common. More organizations became aware of nation-state threats, driven by well-funded and highly sophisticated adversaries. This in turn drove a need for equally sophisticated defenses that could autonomously learn fast enough to stay a step ahead. Incidents like the Stuxnet worm targeting Iranian nuclear facilities, and devastating attacks against high-profile companies like Target and Sony Pictures, gained notoriety and underscored the escalating stakes.

At the same time, the vulnerability of supply chains came into sharp focus, exemplified by the SolarWinds breach that had ramifications for tens of thousands of organizations around the world. Perhaps most notably, ransomware and wiper attacks surged with notorious strains like WannaCry and NotPetya wreaking havoc globally. While relatively easy to detect, the volumes of these threats demanded defenses that could scale with speed and accuracy at levels that far outstripped a human analyst’s capabilities.

During this time, AI emerged as an indispensable tool for defenders. Cylance led the charge, founded in 2012 to replace heavyweight legacy antivirus software with lightweight machine-learning models. These models were trained to identify and stop rapidly evolving malware quickly and efficiently. AI’s role in cybersecurity continued to expand, with machine-learning techniques employed for detecting anomalies, flagging unusual patterns or behaviors indicative of a sophisticated attack, and performing predictive analytics to foresee and prevent possible attack vectors.

AI in Cybersecurity: The Third Wave (2020–Present)

Today, a profound shift is unfolding around the use of AI in cybersecurity. The ubiquity of remote work, coupled with hyperconnected and decentralized IT systems, has blurred the traditional security perimeter. With a surge in IoT (Internet of Things) and connected devices — from smart homes to smart cars and entire cities — the attack surface has expanded exponentially.

Amidst this backdrop, the role of AI has evolved from being purely a defensive mechanism to a double-edged sword, wielded by adversaries as well. While commercial generative AI tools, such as ChatGPT, have attempted to build guardrails to prevent bad actors from using the technology for malicious purposes, adversarial tools such as WormGPT have emerged to fill the gap for attackers.

Potential examples include:

  • AI-Generated Phishing Campaigns: With the assistance of generative AI, attackers can now craft highly convincing phishing emails, making these deceptive messages increasingly difficult to identify. Recent research also confirms that generative AI can save attackers days of work on each phishing campaign they create.
  • AI-Assisted Target Identification: By leveraging machine-learning algorithms to analyze social media and other online data, attackers can more efficiently identify high-value targets and customize attacks accordingly.
  • AI-Driven Behavior Analysis: Malware empowered by AI can learn typical user or network behaviors, enabling attacks or data exfiltration that evades detection by better mimicking normal activity.
  • Automated Vulnerability Scanning: AI-powered reconnaissance tools may facilitate autonomous scanning of networks for vulnerabilities, choosing the most effective exploit automatically.
  • Smart Data-Sorting: Instead of mass-copying all available data, AI can identify and select the most valuable information to exfiltrate, further reducing chances of detection.
  • AI-Assisted Social Engineering: The use of AI-generated deepfake audio or video in vishing attacks can convincingly impersonate trusted individuals, lending greater credibility to social engineering attacks that persuade employees to reveal sensitive information.

The unfolding of this third wave of AI underscores a crucial inflection point in cybersecurity. The dual use of AI — both as a shield and a spear — highlights the need for organizations to stay informed.

Conclusion

The evolutionary journey of cybersecurity emphasizes the relentless ingenuity of threat actors, and the need for defenders to keep well-equipped and informed. As we transition into a phase where AI serves both as an ally and a potential adversary, the story becomes more complex and fascinating.

Cylance® AI has been there since the beginning, as a pioneer in AI-driven cybersecurity and a proven leader in the market. Looking ahead, we at BlackBerry® are continually pushing the boundaries of our Cylance AI technology to explore what’s next on the horizon. Keep an eye out for our upcoming blog where we will delve into how generative AI is entering the scene as a powerful tool for defenders, offering a new lens to anticipate and counter the sophisticated threats of tomorrow.

The future holds great promise for those prepared to embrace the evolving tapestry of AI-powered cybersecurity.

Note – This article has been expertly written by Jay Goodman, Director of Product Marketing at BlackBerry.
