Emerging Threat on FAREIT

- Updated:
- 24 Aug 2017
- Product/Version:
- Deep Discovery Analyzer 5.5
- Deep Discovery Email Inspector 2.5
- Deep Security 10.0
- Deep Security 10.1
- Deep Security 9.0
- Deep Security 9.5
- Deep Security 9.6
- Hosted Email Security 2.0
- InterScan Messaging Security Virtual Appliance 8.2
- InterScan Messaging Security Virtual Appliance 8.5
- InterScan Messaging Security Virtual Appliance 9.0
- InterScan Messaging Security Virtual Appliance 9.1
- InterScan Web Security Virtual Appliance 5.6
- InterScan Web Security Virtual Appliance 6.0
- OfficeScan 10.6
- OfficeScan 11.0
- ScanMail for Lotus Domino 5.0 AIX
- ScanMail for Lotus Domino 5.0 Windows
- ScanMail for Lotus Domino 5.0 zLinux
- Worry-Free Business Security Standard/Advanced 9.0
- Platform:
- N/A N/A

FAREIT has been a known malware family since 2011. These information stealers are used to download other malware and have been spotted in both Europe and North America.

New variants of this malware are now using a combination of PDF exploits to execute a PowerShell script to perform its malicious routine.

Brute force attacks are also used by this malware to access password-protected shared files. The spyware component also attempts to steal stored account information in certain installed File Transfer Protocol (FTP) clients or file manager software. It also has the capability to steal stored email credentials and information in certain browsers.

Click image to enlarge.

Antispam Pattern

LAYER	DETECTION	PATTERN VERSION	Release Date
EXPOSURE	Spam mail with macro	AS 1282	1/25/2015
EXPOSURE	Spam mail with PDF	AS 2274	4/20/2016

VSAPI Pattern (Malicious File Detection)

LAYER	DETECTION	PATTERN BRANCH	Release Date
DYNAMIC	TSPY_FAREIT.SMJR1	OPR 12.419	3/22/2016
DYNAMIC	TSPY_FAREIT.SMR1	OPR 12.353	2/19/2016
DYNAMIC	TSPY_FAREIT.SMJE	OPR 12.297	1/25/2016
DYNAMIC	TSPY_FAREIT.SMXF	OPR 12.289	1/22/2016
DYNAMIC	TSPY_FAREIT.SMY	OPR 12.269	1/12/2016
INFECTION	PDF_FAREIT.AK	OPR 12.475	4/14/2016
INFECTION	W2KM_FAREIT.ALB	OPR 12.467	4/14/2016

WRS Pattern (Malicious URL and Classification)

LAYER	Detection	Classification	Release Date
INFECTION	ncduganda{blocked}.org/.css/ashok.exe	Virus Accomplice	4/21/2016
CLEAN-UP	kbfvzoboss{blocked}.bid/alpha/gate.php	C&C Server	05/15/2016
CLEAN-UP	ehub46.webhostinghub{blocked}.com/~proven10/.css/ebuka.exe	Virus Accomplice	3/16/2016
CLEAN-UP	ur-clinica{blocked}.ru/sites/all/libraries/ckeditor/_source/zto.exe	Disease Vector	3/4/2016
CLEAN-UP	smsgiant{blocked}.net/.css/chris.exe	Virus Accomplice	3/29/2016
CLEAN-UP	kajeba{blocked}.su/efiles.exe	Disease Vector	3/9/2016
CLEAN-UP	cgu.com{blocked}.es/.razor/cp/panya.exe	Virus Accomplice	3/22/2016
CLEAN-UP	judysjewels{blocked}.co.uk/system/logs/hsg.exe	Virus Accomplice	3/28/2016
CLEAN-UP	judysjewels{blocked}.co.uk/system/logs/hsg.exe	Virus Accomplice	3/28/2016
CLEAN-UP	dverikurska{blocked}.ru/system/logs/hsg.exe	Virus Accomplice	3/28/2016
CLEAN-UP	demo.plazawebsite{blocked}.com/system/logs/hsg.exe	Virus Accomplice	3/28/2016
CLEAN-UP	willsmanten{blocked}.org.in/BL-0501332.exe	Virus Accomplice	3/9/2016
CLEAN-UP	anonfile{blocked}.xyz/f/7f58d7dddec4b72bab0fb27cd852593e.exe	Disease Vector	3/8/2016
CLEAN-UP	yo-yoll{blocked}.net/magazine/img/chris.exe	Virus Accomplice	3/7/2016
CLEAN-UP	ehub46.webhostinghub{blocked}.com/~proven10/.css/ebuka.exe	Virus Accomplice	3/16/2016
CLEAN-UP	ncduganda{blocked}.org/.css/awori.exe	Virus Accomplice	4/18/2016
CLEAN-UP	knnew.webri{blocked}.ru/system/logs/ztool.exe	Virus Accomplice	4/27/2016
CLEAN-UP	mf-shop{blocked}.ru/system/logs/ztool.exe	Virus Accomplice	4/28/2016
CLEAN-UP	elstore{blocked}.ml/system/logs/ztool.exe	Virus Accomplice	4/29/2016

AEGIS Pattern (Behavior Monitoring Pattern)

LAYER	Detection	Pattern Version	Release Date
DYNAMIC	1707	LATEST DCT OPR	BUILT-IN

DCT Pattern (System Clean Pattern)

LAYER	Detection	Pattern Version	Released Date
CLEAN-UP	TSC_GENCLEAN	LATEST DCT OPR	BUILT-IN

Network Pattern

LAYER	Detection	Pattern Version	Released Date
CLEAN-UP	HTTP_FAREIT_REQUEST	RR 1.10159.00	5/17/2016
CLEAN-UP	HTTP_FAREIT_REQUEST-4	RR 1.10159.00	5/17/2016

Make sure to always use the latest pattern available to detect the old and new variants of FAREIT.

Major Products	Versions	Virus Pattern	Behavior Monitoring	Web Reputation	DCT Pattern	Antispam Pattern	Network Pattern
OfficeScan	10.6 and above	Update Pattern via web console	Update Pattern via web console	Enable Web Reputation Service*	Update Pattern via Web console	Not Applicable	Update Pattern via Web console
Worry Free Business Suite	Standard	Not Applicable
Advanced/MSA	Update Pattern via web console
Hosted
Deep Security	8.0 and above	Not Applicable	Update Pattern via Web console	Not Applicable	Update Pattern via Web console
ScanMail	SMEX 10 and later	Not Applicable	Update Pattern via Web console	Not Applicable
SMD 5 and later
InterScan Messaging	IMSVA 8.0 and above
InterScan Web	IWSVA 6.0 and later
Deep Discovery	DDI 3.0 and later	Not Applicable	Update Pattern via web console
DDAN
DDEI

Major Products

Versions

Virus Pattern

Behavior Monitoring

Web Reputation

DCT Pattern

Antispam Pattern

Network Pattern

OfficeScan

10.6 and above

Update Pattern via web console

Enable Web Reputation Service*

Update Pattern via Web console

Not Applicable

Update Pattern via Web console

Worry Free Business Suite

Standard

Not Applicable

Advanced/MSA

Update Pattern via web console

Hosted

Deep Security

8.0 and above

Not Applicable

Update Pattern via Web console

Not Applicable

Update Pattern via Web console

ScanMail

SMEX 10 and later

Not Applicable

Update Pattern via Web console

Not Applicable

SMD 5 and later

InterScan Messaging

IMSVA 8.0 and above

InterScan Web

IWSVA 6.0 and later

Deep Discovery

DDI 3.0 and later

Not Applicable

Update Pattern via web console

DDAN

DDEI

Need More Help?

Emerging Threat on FAREIT