Trend Micro - Securing Your Journey to the Cloud Business
Support
Sign In with your
Trend Micro Account
Need Help?
Need More Help?

Create a technical support case if you need further support.

Emerging Threat on FAREIT

    • Updated:
    • 10 Jun 2016
    • Product/Version:
    • Deep Discovery Analyzer 5.5
    • Deep Discovery Email Inspector 2.5
    • Deep Security 8.0
    • Deep Security 9.0
    • Deep Security 9.5
    • Deep Security 9.6
    • Hosted Email Security 2.0
    • InterScan Messaging Security Virtual Appliance 8.2
    • InterScan Messaging Security Virtual Appliance 8.5
    • InterScan Messaging Security Virtual Appliance 9.0
    • InterScan Messaging Security Virtual Appliance 9.1
    • InterScan Web Security Virtual Appliance 5.6
    • InterScan Web Security Virtual Appliance 6.0
    • OfficeScan 10.6
    • OfficeScan 11.0
    • ScanMail for Lotus Domino 5.0 AIX
    • ScanMail for Lotus Domino 5.0 Windows
    • ScanMail for Lotus Domino 5.0 zLinux
    • Worry-Free Business Security Standard/Advanced 9.0
    • Platform:
    • N/A N/A
Summary

FAREIT has been a known malware family since 2011. These information stealers are used to download other malware and have been spotted in both Europe and North America.

New variants of this malware are now using a combination of PDF exploits to execute a PowerShell script to perform its malicious routine.

Brute force attacks are also used by this malware to access password-protected shared files. The spyware component also attempts to steal stored account information in certain installed File Transfer Protocol (FTP) clients or file manager software. It also has the capability to steal stored email credentials and information in certain browsers.

FAREIT Infection Chain

Click image to enlarge.

Antispam Pattern

LAYERDETECTIONPATTERN VERSIONRelease Date
EXPOSURESpam mail with macroAS 12821/25/2015
EXPOSURESpam mail with PDFAS 22744/20/2016

VSAPI Pattern (Malicious File Detection)

LAYERDETECTIONPATTERN BRANCHRelease Date
DYNAMICTSPY_FAREIT.SMJR1OPR 12.4193/22/2016
DYNAMICTSPY_FAREIT.SMR1OPR 12.3532/19/2016
DYNAMICTSPY_FAREIT.SMJEOPR 12.2971/25/2016
DYNAMICTSPY_FAREIT.SMXFOPR 12.2891/22/2016
DYNAMICTSPY_FAREIT.SMYOPR 12.2691/12/2016
INFECTIONPDF_FAREIT.AKOPR 12.4754/14/2016
INFECTIONW2KM_FAREIT.ALBOPR 12.4674/14/2016

WRS Pattern (Malicious URL and Classification)

LAYERDetectionClassificationRelease Date
INFECTIONncduganda{blocked}.org/.css/ashok.exeVirus Accomplice4/21/2016
CLEAN-UPkbfvzoboss{blocked}.bid/alpha/gate.phpC&C Server05/15/2016
CLEAN-UPehub46.webhostinghub{blocked}.com/~proven10/.css/ebuka.exeVirus Accomplice3/16/2016
CLEAN-UPur-clinica{blocked}.ru/sites/all/libraries/ckeditor/_source/zto.exeDisease Vector3/4/2016
CLEAN-UPsmsgiant{blocked}.net/.css/chris.exeVirus Accomplice3/29/2016
CLEAN-UPkajeba{blocked}.su/efiles.exeDisease Vector3/9/2016
CLEAN-UPcgu.com{blocked}.es/.razor/cp/panya.exeVirus Accomplice3/22/2016
CLEAN-UPjudysjewels{blocked}.co.uk/system/logs/hsg.exeVirus Accomplice3/28/2016
CLEAN-UPjudysjewels{blocked}.co.uk/system/logs/hsg.exeVirus Accomplice3/28/2016
CLEAN-UPdverikurska{blocked}.ru/system/logs/hsg.exeVirus Accomplice3/28/2016
CLEAN-UPdemo.plazawebsite{blocked}.com/system/logs/hsg.exeVirus Accomplice3/28/2016
CLEAN-UPwillsmanten{blocked}.org.in/BL-0501332.exeVirus Accomplice3/9/2016
CLEAN-UPanonfile{blocked}.xyz/f/7f58d7dddec4b72bab0fb27cd852593e.exeDisease Vector3/8/2016
CLEAN-UPyo-yoll{blocked}.net/magazine/img/chris.exeVirus Accomplice3/7/2016
CLEAN-UPehub46.webhostinghub{blocked}.com/~proven10/.css/ebuka.exeVirus Accomplice3/16/2016
CLEAN-UPncduganda{blocked}.org/.css/awori.exeVirus Accomplice4/18/2016
CLEAN-UPknnew.webri{blocked}.ru/system/logs/ztool.exeVirus Accomplice4/27/2016
CLEAN-UPmf-shop{blocked}.ru/system/logs/ztool.exeVirus Accomplice4/28/2016
CLEAN-UPelstore{blocked}.ml/system/logs/ztool.exeVirus Accomplice4/29/2016

AEGIS Pattern (Behavior Monitoring Pattern)

LAYERDetectionPattern VersionRelease Date
DYNAMIC1707LATEST DCT OPRBUILT-IN

DCT Pattern (System Clean Pattern)

LAYERDetectionPattern VersionReleased Date
CLEAN-UPTSC_GENCLEANLATEST DCT OPRBUILT-IN

Network Pattern

LAYERDetectionPattern VersionReleased Date
CLEAN-UPHTTP_FAREIT_REQUESTRR 1.10159.005/17/2016
CLEAN-UPHTTP_FAREIT_REQUEST-4RR 1.10159.005/17/2016
 
Make sure to always use the latest pattern available to detect the old and new variants of FAREIT.
Details
Public

Solution Map - What should customers do?

Major ProductsVersionsVirus PatternBehavior MonitoringWeb ReputationDCT PatternAntispam PatternNetwork Pattern
OfficeScan10.6 and above










Update Pattern via web console



Update Pattern via web console










Enable Web Reputation Service*



Update Pattern via Web console

Not Applicable		Update Pattern via Web console
Worry Free Business SuiteStandard

Not Applicable
Advanced/MSAUpdate Pattern via web console
Hosted
Deep Security8.0 and above






Not Applicable		Update Pattern via Web consoleNot ApplicableUpdate Pattern via Web console
ScanMailSMEX 10 and later





Not Applicable

Update Pattern via Web console


Not Applicable
SMD 5 and later
InterScan MessagingIMSVA 8.0 and above
InterScan WebIWSVA 6.0 and later
Deep DiscoveryDDI 3.0 and later

Not Applicable
Update Pattern via web console
DDAN
DDEI
 
* Refer to the Product Administrator’s Guide on how to enable the Email Reputation or Web Reputation services features.

RECOMMENDATIONS

Threat Report

Blog

Premium
Internal
Rating:
Category:
Troubleshoot; SPEC
Solution Id:
1114357
Feedback
Did this article help you?

Thank you for your feedback!

To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:
We will not send you spam or share your email address.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.

If you need additional help, you may try to contact the support team. Contact Support

To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:
We will not send you spam or share your email address.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.