FAREIT has been a known malware family since 2011. These information stealers are used to download other malware and have been spotted in both Europe and North America.
New variants of this malware are now using a combination of PDF exploits to execute a PowerShell script to perform its malicious routine.
Brute force attacks are also used by this malware to access password-protected shared files. The spyware component also attempts to steal stored account information in certain installed File Transfer Protocol (FTP) clients or file manager software. It also has the capability to steal stored email credentials and information in certain browsers.
Click image to enlarge.
Antispam Pattern
| LAYER | DETECTION | PATTERN VERSION | Release Date |
|---|---|---|---|
| EXPOSURE | Spam mail with macro | AS 1282 | 1/25/2015 |
| EXPOSURE | Spam mail with PDF | AS 2274 | 4/20/2016 |
VSAPI Pattern (Malicious File Detection)
| LAYER | DETECTION | PATTERN BRANCH | Release Date |
|---|---|---|---|
| DYNAMIC | TSPY_FAREIT.SMJR1 | OPR 12.419 | 3/22/2016 |
| DYNAMIC | TSPY_FAREIT.SMR1 | OPR 12.353 | 2/19/2016 |
| DYNAMIC | TSPY_FAREIT.SMJE | OPR 12.297 | 1/25/2016 |
| DYNAMIC | TSPY_FAREIT.SMXF | OPR 12.289 | 1/22/2016 |
| DYNAMIC | TSPY_FAREIT.SMY | OPR 12.269 | 1/12/2016 |
| INFECTION | PDF_FAREIT.AK | OPR 12.475 | 4/14/2016 |
| INFECTION | W2KM_FAREIT.ALB | OPR 12.467 | 4/14/2016 |
WRS Pattern (Malicious URL and Classification)
| LAYER | Detection | Classification | Release Date |
|---|---|---|---|
| INFECTION | ncduganda{blocked}.org/.css/ashok.exe | Virus Accomplice | 4/21/2016 |
| CLEAN-UP | kbfvzoboss{blocked}.bid/alpha/gate.php | C&C Server | 05/15/2016 |
| CLEAN-UP | ehub46.webhostinghub{blocked}.com/~proven10/.css/ebuka.exe | Virus Accomplice | 3/16/2016 |
| CLEAN-UP | ur-clinica{blocked}.ru/sites/all/libraries/ckeditor/_source/zto.exe | Disease Vector | 3/4/2016 |
| CLEAN-UP | smsgiant{blocked}.net/.css/chris.exe | Virus Accomplice | 3/29/2016 |
| CLEAN-UP | kajeba{blocked}.su/efiles.exe | Disease Vector | 3/9/2016 |
| CLEAN-UP | cgu.com{blocked}.es/.razor/cp/panya.exe | Virus Accomplice | 3/22/2016 |
| CLEAN-UP | judysjewels{blocked}.co.uk/system/logs/hsg.exe | Virus Accomplice | 3/28/2016 |
| CLEAN-UP | judysjewels{blocked}.co.uk/system/logs/hsg.exe | Virus Accomplice | 3/28/2016 |
| CLEAN-UP | dverikurska{blocked}.ru/system/logs/hsg.exe | Virus Accomplice | 3/28/2016 |
| CLEAN-UP | demo.plazawebsite{blocked}.com/system/logs/hsg.exe | Virus Accomplice | 3/28/2016 |
| CLEAN-UP | willsmanten{blocked}.org.in/BL-0501332.exe | Virus Accomplice | 3/9/2016 |
| CLEAN-UP | anonfile{blocked}.xyz/f/7f58d7dddec4b72bab0fb27cd852593e.exe | Disease Vector | 3/8/2016 |
| CLEAN-UP | yo-yoll{blocked}.net/magazine/img/chris.exe | Virus Accomplice | 3/7/2016 |
| CLEAN-UP | ehub46.webhostinghub{blocked}.com/~proven10/.css/ebuka.exe | Virus Accomplice | 3/16/2016 |
| CLEAN-UP | ncduganda{blocked}.org/.css/awori.exe | Virus Accomplice | 4/18/2016 |
| CLEAN-UP | knnew.webri{blocked}.ru/system/logs/ztool.exe | Virus Accomplice | 4/27/2016 |
| CLEAN-UP | mf-shop{blocked}.ru/system/logs/ztool.exe | Virus Accomplice | 4/28/2016 |
| CLEAN-UP | elstore{blocked}.ml/system/logs/ztool.exe | Virus Accomplice | 4/29/2016 |
AEGIS Pattern (Behavior Monitoring Pattern)
| LAYER | Detection | Pattern Version | Release Date |
|---|---|---|---|
| DYNAMIC | 1707 | LATEST DCT OPR | BUILT-IN |
DCT Pattern (System Clean Pattern)
| LAYER | Detection | Pattern Version | Released Date |
|---|---|---|---|
| CLEAN-UP | TSC_GENCLEAN | LATEST DCT OPR | BUILT-IN |
Network Pattern
| LAYER | Detection | Pattern Version | Released Date |
|---|---|---|---|
| CLEAN-UP | HTTP_FAREIT_REQUEST | RR 1.10159.00 | 5/17/2016 |
| CLEAN-UP | HTTP_FAREIT_REQUEST-4 | RR 1.10159.00 | 5/17/2016 |
Solution Map - What should customers do?
| Major Products | Versions | Virus Pattern | Behavior Monitoring | Web Reputation | DCT Pattern | Antispam Pattern | Network Pattern |
|---|---|---|---|---|---|---|---|
| OfficeScan | 10.6 and above | Update Pattern via web console | Update Pattern via web console | Enable Web Reputation Service* | Update Pattern via Web console | Not Applicable | Update Pattern via Web console |
| Worry Free Business Suite | Standard | Not Applicable | |||||
| Advanced/MSA | Update Pattern via web console | ||||||
| Hosted | |||||||
| Deep Security | 8.0 and above | Not Applicable | Update Pattern via Web console | Not Applicable | Update Pattern via Web console | ||
| ScanMail | SMEX 10 and later | Not Applicable | Update Pattern via Web console | Not Applicable | |||
| SMD 5 and later | |||||||
| InterScan Messaging | IMSVA 8.0 and above | ||||||
| InterScan Web | IWSVA 6.0 and later | ||||||
| Deep Discovery | DDI 3.0 and later | Not Applicable | Update Pattern via web console | ||||
| DDAN | |||||||
| DDEI |
RECOMMENDATIONS
- Recommendations on how to best protect your network using Trend Micro products
- Submitting suspicious or undetected virus for file analysis to Technical Support using Threat Query Assessment
Threat Report
- Trend Micro Threat Encyclopedia: PDF_FAREIT.BYX
- Trend Micro Threat Encyclopedia: W2KM_FAREIT.ALB
- Trend Micro Threat Encyclopedia: TSPY_FAREIT.YYSUB
- Trend Micro Threat Encyclopedia: TSPY_FAREIT.ALA
Blog
