Fareit Malware Family Furthering Fake Fedex Fodder
Troy Gill

You have a package that's trying to deliver itself to you, but it's not shipping via FedEx. The latest version from the malware family known as "Fareit" is circulating via email and posing as a FedEx shipment notification. The messages appear to contain a shipping receipt for a package that the courier was unable to deliver. The attached file, while it does have .PDF in the name, is actually a file archive created with the open source file archiver 7zip. Inside the compressed archive, you will find an executable file (.exe) that contains the Fareit malware.
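The lure described above relies on the recipient trusting the ".PDF" in the attachment's name rather than what the bytes actually are. The following is an added example, not code from the original post or from any product it mentions, showing how a mail-filtering step can triage attachments on that basis: it reads the leading bytes of each attachment (the 7z, ZIP, PE and PDF signatures used here are the real, publicly documented magic values), compares them with the extension the name claims, and flags names that bury a document extension before the real one. The sample message, sender addresses and attachment bytes are all constructed for the demonstration; the archive body is dummy filler after a genuine 7z header, not a real archive.

```python
"""Attachment triage for mail that claims to carry a PDF shipping receipt.

Added example (not from the original post). Flags attachments whose
content does not match the extension in their name, and names that use a
misleading ".PDF" segment before the real extension. The sample message
is constructed inline; only the magic bytes are real signatures.
"""
import email
from email import policy
from email.message import EmailMessage

# Well-known file signatures (leading bytes) -> detected type
MAGIC = {
    b"%PDF-": "pdf",
    b"7z\xbc\xaf\x27\x1c": "7z",   # 7-Zip archive: 37 7A BC AF 27 1C
    b"PK\x03\x04": "zip",
    b"Rar!\x1a\x07": "rar",
    b"MZ": "exe",                  # PE/DOS executable header
}

# Content we do not accept when the message promises a shipping receipt
CONTAINER_OR_EXEC = {"7z", "zip", "rar", "exe"}


def detect_type(data: bytes) -> str:
    """Identify the file type from its leading bytes, or 'unknown'."""
    for sig, kind in MAGIC.items():
        if data.startswith(sig):
            return kind
    return "unknown"


def classify_attachment(filename: str, data: bytes) -> list[str]:
    """Return findings for one attachment; an empty list means nothing suspicious."""
    findings = []
    parts = filename.lower().split(".")
    claimed = parts[-1] if len(parts) > 1 else ""
    actual = detect_type(data)

    # "Receipt.PDF.7z" / "Receipt.PDF.exe": a document extension buried mid-name
    if len(parts) > 2 and any(p in ("pdf", "doc", "docx") for p in parts[1:-1]):
        findings.append(f"double-extension name: {filename}")

    # Name promises a PDF but the bytes say otherwise
    if claimed == "pdf" and actual != "pdf":
        findings.append(f"extension mismatch: named .pdf but content is {actual}")

    # Any archive or executable arriving as a "receipt" is worth quarantining
    if actual in CONTAINER_OR_EXEC:
        findings.append(f"executable-or-archive content: {actual}")

    return findings


def scan_message(raw: bytes) -> dict[str, list[str]]:
    """Parse a raw RFC 5322 message and triage each attachment, keyed by filename."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    results = {}
    for part in msg.iter_attachments():
        fname = part.get_filename() or "(unnamed)"
        payload = part.get_payload(decode=True) or b""
        results[fname] = classify_attachment(fname, payload)
    return results


def build_sample_message() -> bytes:
    """Constructed look-alike of the lure: a '.PDF'-named attachment that is really a 7z archive."""
    msg = EmailMessage()
    msg["From"] = "FedEx Shipping <noreply@example.invalid>"   # constructed sender
    msg["To"] = "recipient@example.invalid"                     # constructed recipient
    msg["Subject"] = "Unable to deliver your package"
    msg.set_content("Your shipping receipt is attached.")
    fake_7z = b"7z\xbc\xaf\x27\x1c" + b"\x00" * 64   # real 7z signature + dummy filler
    msg.add_attachment(fake_7z, maintype="application", subtype="octet-stream",
                       filename="Shipping_Receipt.PDF.7z")
    real_pdf = b"%PDF-1.4\n%filler\n"                 # minimal PDF header, benign control
    msg.add_attachment(real_pdf, maintype="application", subtype="pdf",
                       filename="invoice.pdf")
    return bytes(msg)


if __name__ == "__main__":
    for name, findings in scan_message(build_sample_message()).items():
        print(name, "->", findings or ["clean"])
```

Magic-byte checks are cheap and catch the mismatch this lure depends on, but they only see the outer container; a gateway that accepts archives at all still needs to unpack them and apply the same executable check to the contents.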
The Fareit malware family has been circulating for a few years now. It is an information stealer that targets FTP credentials, email passwords and browser-stored passwords. During our dynamic analysis, we observed all of the above being performed after the malware disabled local security tools. After scraping the machine for the aforementioned credentials, it established an outbound connection and pulled down a copy of the ever-popular Zeus Trojan. Once the Zeus infection is in place, the attacker can gather more credentials such as banking information. In addition to having their data stolen, the victim's machine is also vulnerable to being used to perpetuate more attacks or to take part in future DDoS attacks.
With ransomware attacks garnering all of the attention lately, it's easy to forget that information-stealing malware like this can be equally damaging or, in many cases, far more damaging. The impact of suffering a ransomware attack and finding all of your files encrypted will depend greatly on the importance of those files and how well they have been backed up. On the other hand, being unknowingly infected with Fareit/Zeus can lead to the theft of your sensitive credentials, which leads to further data theft, credit fraud and even identity theft. Of course, comparing the two can seem a little like comparing a punch in the stomach to a finger in the eye; in other words, they both leave you feeling violated, but each in its own unique way. The best way to avoid being victimized by these attacks is to avoid being exposed to them in the first place. As usual, all of our SecureTide customers are currently protected from this threat.