By Ian Lagrazon and Jaaziel Carlos
In 2014, we began seeing attacks that abused Windows PowerShell. Back then, it was uncommon for malware to use this particular Windows feature. However, there are several good reasons for an attacker to use it.
First, users cannot easily spot any malicious behavior since PowerShell runs in the background. Secondly, PowerShell can be used to steal usernames, passwords, and other system information without an executable file being present. This makes it a powerful tool for attackers.
In March 2016, we noted that the PowerWare crypto-ransomware also abused PowerShell. Recently, we spotted a new attack where PowerShell was abused to deliver a FAREIT variant. This particular family of information stealers has been around since 2011.
New spin on common delivery methods
Following the success of another online banking Trojan, VAWTRAK, the latest FAREIT strain also employed malicious macros as its delivery mechanism. Like its earlier variants, FAREIT used spam mail as an entry point to the system. However, users can receive either a spam mail carrying a malicious .PDF file or one carrying a Word document with malicious macro code.
Figure 1. FAREIT-related spam emails used typical subjects like billing reminder and purchase order
Figure 2. Document containing malicious macro
Figure 3. Document with malicious PDF file
When users open the PDF, it executes PowerShell to perform its malicious routine. Based on our analysis, the malicious PDF uses OpenAction to execute its malicious code as soon as the file is opened. TSPY_FAREIT is then downloaded onto the system, stealing a plethora of information such as credentials (usernames, passwords) stored in certain browsers, stored email credentials, and bitcoin-related details, among others.
If the recipients get emails with documents containing malicious macros, enabling the macro feature will likewise result in the execution of the malware on the system. While there’s nothing unique about the final FAREIT payload’s routine, we can see how cyber crooks employed these Microsoft features to carry out their nefarious activities.
Securing your data
We often see threats that use either macros or PowerShell alone. FAREIT, however, like PowerWare, abused both macros and PowerShell. The only difference is the order: PowerWare used macros first, and the macro then ran PowerShell with the parameters containing the malicious code. FAREIT’s malicious PDF instead uses OpenAction to run PowerShell directly, with the parameters containing the malicious code.
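To illustrate the PDF side of this chain (a catalog /OpenAction that launches PowerShell as soon as the file is opened, as described above and in the analysis section), here is a small triage script added to this post, not code from the original analysis. It parses a constructed, harmless PDF skeleton rather than a real FAREIT sample, resolves /OpenAction whether it is written inline or as an indirect object reference, and reports whether the action type is /Launch with a PowerShell command line.

```python
import re

# Constructed sample (not from the post): a minimal PDF whose catalog carries an
# /OpenAction pointing at a /Launch action that starts PowerShell on open; the
# command line is a harmless placeholder.
SUSPICIOUS_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
3 0 obj << /S /Launch /Win << /F (powershell.exe) /P (-Command Write-Host hi) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""
# Constructed benign control: same objects, but nothing wired to /OpenAction.
BENIGN_PDF = SUSPICIOUS_PDF.replace(b" /OpenAction 3 0 R", b"")

def _balanced_dict(data: bytes, start: int) -> bytes:
    """Return the '<< ... >>' dictionary starting at data[start], honouring nesting."""
    depth, i = 0, start
    while i < len(data) - 1:
        if data[i:i + 2] == b"<<":
            depth, i = depth + 1, i + 2
        elif data[i:i + 2] == b">>":
            depth, i = depth - 1, i + 2
            if depth == 0:
                return data[start:i]
        else:
            i += 1
    return data[start:]

def _open_action(pdf: bytes) -> bytes:
    """Resolve /OpenAction to its action dictionary, whether written inline or
    as an indirect reference 'n 0 R' that points at 'n 0 obj ... endobj'."""
    m = re.search(rb"/OpenAction\s*(?:(\d+)\s+0\s+R|(<<))", pdf)
    if not m:
        return b""
    if m.group(2):
        return _balanced_dict(pdf, m.start(2))
    obj = re.search(rb"(?<!\d)" + m.group(1) + rb"\s+0\s+obj(.*?)endobj", pdf, re.S)
    return obj.group(1) if obj else b""

def assess_pdf(pdf: bytes) -> dict:
    """Triage verdict: does the file act on open, and is that action PowerShell?"""
    action = _open_action(pdf)
    kind = re.search(rb"/S\s*/(\w+)", action)
    action_type = kind.group(1).decode() if kind else None
    return {
        "has_openaction": bool(action),
        "action_type": action_type,
        # The FAREIT pattern from the post: /Launch whose command line is PowerShell.
        "launches_powershell": action_type == "Launch"
        and re.search(rb"powershell", action, re.I) is not None,
    }
```

The script only inspects uncompressed object syntax; real-world files with compressed object streams would need to be inflated first.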
On separate occasions, cyber crooks have proven the effectiveness of these tactics, whether for social engineering or for further infection. Macros require user intervention, but with effective lures attackers are able to trick users into executing the malware. PDFs and macros are also in everyday use in many organizations and enterprises, so employees who receive FAREIT-related spam emails won’t suspect anything malicious.
Users are advised to be wary of opening email attachments, even those that come from seemingly known sources. Installing security software that can detect these spammed messages and malicious files can protect users from possible information theft.
Trend Micro endpoint solutions such as Trend Micro™ Security, Trend Micro™ Smart Protection Suites, and Trend Micro Worry-Free™ Business Security can protect users’ systems from FAREIT malware by detecting the malicious files and related spam emails.
TippingPoint also mitigates this threat by making the following filters available to its customers:
- 9536: Backdoor: Zeus Botnet Command and Control Phone Home Request
- 16662: HTTP: Possible Malware Communication Attempt
With additional insight by Jack Tang
Here are the related SHA1 hashes to this attack: