Emerging Threat on FAREIT Resurgence

    • Updated: 26 Sep 2017
    • Product/Version:
    • Deep Security 8.0
    • Deep Security 9.0
    • Deep Security 9.5
    • Deep Security 9.6
    • InterScan Messaging Security Virtual Appliance 8.2
    • InterScan Messaging Security Virtual Appliance 8.5
    • InterScan Messaging Security Virtual Appliance 9.0
    • InterScan Messaging Security Virtual Appliance 9.1
    • InterScan Web Security Virtual Appliance 6.0
    • OfficeScan 11.0
    • OfficeScan XG.All
    • ScanMail for IBM Domino 5.0 AIX
    • Worry-Free Business Security Standard/Advanced 9.0
    • Worry-Free Business Security Standard/Advanced 9.5
    • Platform: N/A
Summary

FAREIT is an info-stealing malware that collects sensitive information from the infected system and sends the gathered data to a remote server.

FAREIT Infection Diagram (figure)

VSAPI Pattern (Malicious File Detection)

LAYER | PATTERN | PATTERN BRANCH/VERSION | Released date/time (GMT+8)
Infection | TSPY_FAREIT.SMBD | 13.645.00 | 9/8/2017
Infection | TSPY_VBFAREIT.SM1 | 13.643.00 | 9/7/2017
Infection | TSPY_FAREIT.AUYWC | 13.637.00 | 9/4/2017
Infection | TSPY_FAREIT.IDV | 13.629.00 | 8/31/2017
Infection | TSPY_FAREIT.AUSYVZ | 16.617.00 | 8/25/2017
Infection | TSPY_FAREIT.IDU | 13.615.00 | 8/24/2017
Infection | TSPY_FAREIT.AUSYVX | 13.613.00 | 8/23/2017
Infection | BKDR_TOFSEE.SMF | 13.577.00 | 8/5/2017
Infection | TSPY_FAREIT.AUSYWA | 13.535.00 | 7/15/2017
Infection | TSPY_FAREIT.AUSYWB | 13.529.00 | 7/12/2017
Infection | TSPY_FAREIT.AUSYVW | 13.517.00 | 7/6/2017
 
BKDR_TOFSEE.SMF also detects FAREIT samples that use the same packer.

TRENDX Detection

FAREIT Detections

● BKDR.Win32.TRX.XXPE002FF018
● Ransom.Win32.TRX.XXPE002FF018
● TROJ.Win32.TRX.XXPE002FF018
● TROJ.Win32.TRX.XXPE002FF019
● TROJ.Win32.TRX.XXPE002FF020
● TROJ.Win32.TRX.XXPE002FF021
● TROJ.Win32.TRX.XXPE002FF022
● TROJ.Win32.TRX.XXPE002FF023
● TROJ.Win32.TRX.XXPE002FF024
● TROJ.Win32.TRX.XXPE002FF025
● TROJ.Win32.TRX.XXPE002FF026
● TROJ.Win32.TRX.XXPE002FF027
● TROJ.Win32.TRX.XXPE002FF028
● TROJ.Win32.TRX.XXPE002FF029
● TROJ.Win32.TRX.XXPE002FF030
● TROJ.Win32.TRX.XXPE002FF031
● TROJ.Win32.TRX.XXPE002FF032
● TROJ.Win32.TRX.XXPE002FF033
● TROJ.Win32.TRX.XXPE002FF034
● TROJ.Win32.TRX.XXPE002FF035
● TSPY.Win32.TRX.XXPE002FF018

WEB REPUTATION (Malicious URLs and Classification)

Category | URL | Rating | Blocking Date (GMT+8)
EXPOSURE | hxxp://91[.]220[.]163[.]21/ponny.exe | Malware Accomplice | 9/5/2017
EXPOSURE | hxxp://tartakpiotrkow[.]com:80/.cache/en/apos.exe | Malware Accomplice | 9/5/2017
EXPOSURE | hxxp://bhoopati[.]com/pro/Docsx.exe | Malware Accomplice | 9/5/2017
EXPOSURE | hxxp://tartakpiotrkow[.]com:80/.cache/en/pan.exe | Malware Accomplice | 9/5/2017
EXPOSURE | hxxp://ativat[.]com/www.google-analytics[.]com/googlanalytics/micro.exe | Malware Accomplice | 9/5/2017
EXPOSURE | hxxp://danatalmasia[.]com/udplz/bxn0udkplc/gate.php | C&C Server | 9/5/2017
EXPOSURE | hxxp://tartakpiotrkow[.]com:80/.cache/en/apos2.exe | Malware Accomplice | 9/5/2017
EXPOSURE | hxxp://tartakpiotrkow[.]com/.cache/en/apos2.exe | Malware Accomplice | 9/5/2017
EXPOSURE | hxxp://tartakpiotrkow[.]com:80/.cache/en/aluko.exe | Malware Accomplice | 9/4/2017
EXPOSURE | hxxp://nohackme.dlinkddns[.]com/malwaresamples/123456/0bd0353d625bd52ed9d3c60cf80a21ef | Malware Accomplice | 9/4/2017
EXPOSURE | hxxp://nohackme.dlinkddns[.]com/malwaresamples/123456/4df2fde6fcd7ed5591cc99ebb9486ea5 | Malware Accomplice | 9/4/2017
EXPOSURE | hxxp://tartakpiotrkow[.]com/.cache/en/apos.exe | Malware Accomplice | 9/4/2017
EXPOSURE | hxxp://wxbrnads[.]com/jazy/boxyjazy.exe | Malware Accomplice | 9/3/2017
EXPOSURE | hxxp://tartakpiotrkow[.]com/.cache/en/boss.exe | Malware Accomplice | 9/2/2017
EXPOSURE | hxxp://whizzpackage[.]com/dp/adm/adm1/wotbrut.exe | Malware Accomplice | 9/1/2017
EXPOSURE | hxxp://akva-center[.]ru/file/xxxxxxxx.exe | Malware Accomplice | 9/1/2017
EXPOSURE | hxxp://w_ww.styrenpack[.]com:80/exploitpony/Doc-28082017PNNY.exe | Malware Accomplice, Disease Vector | 8/29/2017
EXPOSURE | hxxp://72[.]167[.]46[.]60/atoz/121.doc | Disease Vector | 5/23/2017
EXPOSURE | hxxp://hepbetretgot[.]com/ | Malware Accomplice | 3/8/2017
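The URLs above are published defanged (hxxp, [.]), so they cannot be dropped straight into a proxy-log search. The script below is an added example, not Trend Micro's code: it refangs a subset of the rows from the Web Reputation table, indexes them by hostname, and checks constructed Squid-style access-log lines (assumed format: timestamp, elapsed, client IP, status, bytes, method, URL) for exact hostname matches. Exact matching matters because a substring check on "bhoopati.com" would also flag the constructed look-alike host in the last log line.

```python
import re
from urllib.parse import urlsplit

# Defanged URL/rating pairs copied from the Web Reputation table on this page
# (a subset; extend the list with the remaining rows as needed).
FAREIT_IOCS = [
    ("hxxp://91[.]220[.]163[.]21/ponny.exe", "Malware Accomplice"),
    ("hxxp://tartakpiotrkow[.]com:80/.cache/en/apos.exe", "Malware Accomplice"),
    ("hxxp://bhoopati[.]com/pro/Docsx.exe", "Malware Accomplice"),
    ("hxxp://danatalmasia[.]com/udplz/bxn0udkplc/gate.php", "C&C Server"),
    ("hxxp://wxbrnads[.]com/jazy/boxyjazy.exe", "Malware Accomplice"),
    ("hxxp://hepbetretgot[.]com/", "Malware Accomplice"),
]

# Constructed Squid native access-log lines (not from the page); the first
# two clients touch advisory hosts, the last one hits a look-alike host that
# must NOT match.
SQUID_LOG = """\
1504598400.123    120 10.0.0.15 TCP_MISS/200 51234 GET http://tartakpiotrkow.com/.cache/en/apos.exe - HIER_DIRECT/203.0.113.10 application/octet-stream
1504598460.501     40 10.0.0.15 TCP_MISS/200   312 POST http://danatalmasia.com/udplz/bxn0udkplc/gate.php - HIER_DIRECT/203.0.113.11 text/html
1504598470.009     15 10.0.0.22 TCP_HIT/200  8812 GET http://www.example.com/index.html - NONE/- text/html
1504598480.777     60 10.0.0.31 TCP_MISS/200   950 GET http://bhoopati.com.lookalike.test/pro/Docsx.exe - HIER_DIRECT/203.0.113.12 application/octet-stream
"""


def refang(url: str) -> str:
    """Undo the advisory's defanging: hxxp(s) -> http(s) and [.] -> '.'."""
    url = re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)
    return url.replace("[.]", ".")


def ioc_hosts(iocs) -> dict:
    """Index the IoC list by lowercase hostname (port stripped) -> rating."""
    hosts = {}
    for defanged, rating in iocs:
        host = urlsplit(refang(defanged)).hostname
        if host:
            hosts[host.lower()] = rating
    return hosts


def scan_proxy_log(log_text: str, hosts: dict) -> list:
    """Return one hit dict per log line whose request host is an IoC host.

    Only whole-hostname matches count; look-alike or subdomain-padded
    hosts are deliberately not matched (review those separately).
    """
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue  # malformed or truncated line
        client, url = fields[2], fields[6]
        if "://" in url:
            host = urlsplit(url).hostname
        else:
            host = url.rsplit(":", 1)[0]  # CONNECT host:port form
        if not host:
            continue
        rating = hosts.get(host.lower())
        if rating:
            hits.append({"client": client, "host": host.lower(),
                         "rating": rating, "url": url})
    return hits


if __name__ == "__main__":
    for hit in scan_proxy_log(SQUID_LOG, ioc_hosts(FAREIT_IOCS)):
        print(f"{hit['client']} -> {hit['host']} [{hit['rating']}] {hit['url']}")
```

The C&C Server hit (gate.php over POST) is the one to triage first: it indicates a host that is already checking in, whereas a Malware Accomplice hit indicates a download attempt that the pattern layers may have blocked.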

AEGIS Pattern (Behavior Monitoring Pattern)

Layer | Detection | Released date/time (GMT+8)
Aegis | TMTD 1707/1707T | Released in 2015

ANTISPAM Pattern

Layer | Detection | Pattern branch/version | Released date/time (GMT+8)
Arrival | Spam Mail | AS23298 | 9/1/2017
 
Always use the latest available pattern so that both old and new FAREIT variants are detected.

Details

Solution Map

Protection layers covered: Virus Pattern | Behavior Monitoring | Web Reputation | DCT Pattern | Antispam Pattern | Network Pattern

Major Products | Versions
OfficeScan | 11 SP1 and above
Worry Free Business Suite | Standard; Advanced/MSA; Hosted
Deep Security | 8.0 and above
ScanMail | SMEX 10 and later; SMD 5 and later
InterScan Messaging | IMSVA 8.0 and above
InterScan Web | IWSVA 6.0 and later
Deep Discovery | DDI 3.0 and later

For each product and layer, the action is one of: "Update pattern via web console." (pattern-based layers), "Enable Web Reputation Service*." (Web Reputation), or "(not applicable)" where the product does not provide that layer.
 
* Refer to the product Administrator’s Guide on how to enable the Email Reputation or Web Reputation services.

For further information, refer to the KB article on Recommendations on how to best protect your network using Trend Micro products.

Also visit Trend Micro's Threat Encyclopedia for further details on TSPY_FAREIT.AUSYVS.

Category: Troubleshoot; Remove a Malware / Virus; SPEC
Solution Id: 1118407