The Fareit malware was first seen in 2012 and has kept evolving to evade antivirus detection. It is now one of the most widely used information stealers in malspam campaigns. Its source code was leaked on the Internet, so any malware author can build it into their own campaigns.
The current Fareit malspam campaign uses emails posing as order confirmations, contracts, product inquiries or product order requests, sent to the marketing staff of various companies. The attachments come in several file types, including .iso, .bat, .com, .cab and .scr. This Trojan-Spyware sends the data it gathers from its victims to a compromised server.
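The attachment types named above are a mail-gateway control point. The following is an added example (not Trend Micro's code or the campaign's own artifacts) of a quarantine check that parses an inbound message with Python's standard `email` module and flags attachments whose final extension is one of the listed types; it also catches the common double-extension lure ("Order_Confirmation.PDF.scr"), which is an assumption of this example rather than something the page states. The sample message is constructed inline.

```python
"""Flag inbound mail attachments with the extensions the Fareit malspam uses.

Added example; the sample message below is constructed, not a real lure.
"""
import email
import email.policy
from email.message import EmailMessage

# Extensions named on the page. Treating the *last* extension as decisive
# is this example's choice: "report.pdf.scr" is still an .scr executable.
RISKY_EXT = {".iso", ".bat", ".com", ".cab", ".scr"}


def risky_attachments(raw: bytes) -> list:
    """Return the filenames of attachments whose final extension is risky."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()          # decoded from Content-Disposition
        if not name:
            continue                        # body text, not an attachment
        normalized = name.strip().lower().replace(" ", "")  # "x.jpg  .scr" trick
        ext = "." + normalized.rsplit(".", 1)[-1] if "." in normalized else ""
        if ext in RISKY_EXT:
            hits.append(name)
    return hits


def build_sample() -> bytes:
    """Constructed sample mimicking the order-confirmation lure: one benign
    PDF, one double-extension .scr, one .iso container."""
    msg = EmailMessage()
    msg["From"] = "sales@example.invalid"
    msg["To"] = "marketing@example.invalid"
    msg["Subject"] = "Order Confirmation #48213"
    msg.set_content("Please find attached the order confirmation.")
    msg.add_attachment(b"%PDF-1.4 fake", maintype="application",
                       subtype="pdf", filename="terms.pdf")
    msg.add_attachment(b"MZ fake", maintype="application",
                       subtype="octet-stream", filename="Order_Confirmation.PDF.scr")
    msg.add_attachment(b"CD001 fake", maintype="application",
                       subtype="x-iso9660-image", filename="PO-48213.iso")
    return msg.as_bytes()


if __name__ == "__main__":
    for filename in risky_attachments(build_sample()):
        print("QUARANTINE:", filename)
```

Blocking by declared filename is only a first filter: a gateway should also inspect the attachment content (magic bytes, archive and ISO contents) because the sender controls the name.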
Behavior
- Steals account credentials stored by installed File Transfer Protocol (FTP) clients and file manager software
- Steals credentials stored by various mail clients
- Harvests stored user names, passwords and host names from various browsers
- Brute-forces local accounts using a password list it carries
- Reuses the mutex names of other Remote Desktop Protocol (RDP) utilities to disguise its background execution, then deletes itself after running
- Downloads additional malware payloads
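The local-account brute force listed above is the behaviour most visible to a SOC: every guess that fails produces a Windows Security event 4625 (failed logon), and a wordlist run produces them in a tight burst against several accounts. The following is an added example (not Trend Micro's detection logic) of a sliding-window rule over such events. The log format is a constructed, simplified export (timestamp, event ID, target account, logon type, process); the thresholds and the Temp-directory process path are assumptions for the example.

```python
"""Detect a burst of failed local logons (Event ID 4625) such as a
wordlist brute force produces. Added example with constructed log lines."""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def parse_line(line: str):
    """Constructed export format: ISO timestamp, event id, target user,
    logon type, process path (the process that attempted the logon)."""
    ts, event_id, user, logon_type, process = line.split(maxsplit=4)
    return datetime.fromisoformat(ts), int(event_id), user, int(logon_type), process


def detect_bruteforce(lines, window_seconds=60, threshold=8, min_accounts=2):
    """Alert once per process that accumulates >= threshold failed logons
    against >= min_accounts distinct accounts within window_seconds.
    Threshold values are assumptions; tune them to the environment."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # process -> deque of (timestamp, user)
    alerted = set()
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ts, event_id, user, _logon_type, process = parse_line(line)
        if event_id != 4625:
            continue
        q = recent[process]
        q.append((ts, user))
        while q and ts - q[0][0] > window:   # drop failures outside the window
            q.popleft()
        accounts = {u for _, u in q}
        if len(q) >= threshold and len(accounts) >= min_accounts and process not in alerted:
            alerted.add(process)
            alerts.append({
                "process": process,
                "first_seen": q[0][0],
                "failures": len(q),
                "accounts": sorted(accounts),
            })
    return alerts


def constructed_log():
    """Constructed records: a user mistyping a password twice via winlogon,
    then a Temp-directory binary spraying a wordlist at three local accounts."""
    base = datetime(2019, 7, 24, 9, 31, 0)
    bad = "C:\\Users\\jdoe\\AppData\\Local\\Temp\\order_confirmation.scr"
    winlogon = "C:\\Windows\\System32\\winlogon.exe"
    lines = [
        f"{(base - timedelta(minutes=5)).isoformat()} 4625 jdoe 2 {winlogon}",
        f"{(base - timedelta(minutes=4)).isoformat()} 4625 jdoe 2 {winlogon}",
        f"{(base - timedelta(minutes=3)).isoformat()} 4624 jdoe 2 {winlogon}",
    ]
    users = ["Administrator", "jdoe", "Guest"]
    for i in range(12):                      # 12 failures in 22 seconds
        ts = (base + timedelta(seconds=2 * i)).isoformat()
        lines.append(f"{ts} 4625 {users[i % 3]} 2 {bad}")
    return lines


if __name__ == "__main__":
    for alert in detect_bruteforce(constructed_log()):
        print(f"ALERT {alert['process']}: {alert['failures']} failures "
              f"against {alert['accounts']} starting {alert['first_seen']}")
```

Keying the window on the attempting process rather than on the target account is what separates a user fat-fingering a password from a single binary working through a list; the same rule can be keyed on source workstation when the events come from a domain controller and the process field is not populated.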
Capabilities
- Information Theft
- Download Routine
Impact
- Violation of user privacy: gathers and exfiltrates user credentials and other user information
Infection Routine (diagram not reproduced in this copy)
Spam Message Sample (screenshot not reproduced in this copy)
File Reputation
Detection | Pattern Version | Release Date |
---|---|---|
| ENT OPR 15.255.00 | July 24, 2019 |
Predictive Learning Machine
Detection | Pattern Branch |
---|---|
BKDR.Win32.TRX.XXPE50FFF031 | In-the-cloud |
Behavior Monitoring
URL | Pattern Branch |
---|---|
URL Protection | In-the-cloud |
Antispam
Pattern Version | Release Date |
---|---|
AS Pattern 4798 | July 25, 2019 |
Solution Map: What to do?
Product | Latest Version | Virus Pattern | Antispam | Network Pattern | Behavior Monitoring | Predictive Learning Machine | Web Reputation |
---|---|---|---|---|---|---|---|
Apex One | 2019 | Update Pattern via web console | N/A | N/A | Enable Behavior Monitoring and update pattern via web console | Enable Predictive Machine Learning | Enable Web Reputation Service and update pattern via web console |
OfficeScan | XG | | | | | | |
Worry-Free Business Security | Standard (10.0) | | | | | | |
Worry-Free Business Security | Advanced (10.0) | Update pattern via web console | | | | | |
Deep Security | 12.0 | Update pattern via web console | N/A | | | | |
Deep Discovery Email Inspector | 3.5 | Update pattern via web console | Update pattern via web console | N/A | N/A | | |
InterScan Messaging Security | 9.1 | | | | | | |
InterScan Web Security | 6.5 | | | | | | |
Deep Discovery Inspector | 5.5 | | | | | | |
Recommendation
- Always use the latest available pattern so that both old and new variants of FAREIT malware are detected.
- Refer to the KB article on Recommendations on how to best protect your network using Trend Micro products.
- You can also check the article on Submitting suspicious or undetected virus for file analysis to Technical Support.
- For support assistance, contact Trend Micro Technical Support.
Threat Report
- https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/fareit
- https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/trojanspy.win32.fareit.thgocai