Fareit Trojan drops multiple malware families (April 18, 2014)
The Dell Sonicwall Threats Research team has discovered a variant of the Fareit info stealer Trojan that also drops malware from many different families. The malware appears to be aimed at UK users and spreads via email messages containing the malware attachment. The malware that is dropped can vary between runs. We have observed families such as the Necurs rootkit, Zbot and even Cryptolocker being dropped on the system.
Infection Cycle:
The email contains a zip and html attachment. The html attachment contains the following false information:
The Trojan uses the following icon to masquerade as a harmless PDF file:
The Trojan makes the following DNS queries:
www.kingperu.com
www.kadirzerey.com
www.interiorgallery.in
www.freemao.com
www.florerialasfrecias.com
www.filmatelier.at
www.australia-citizenshiptest.com
wallpaper.at.ua
visionstudio.ucoz.com
virus-tahk.ucoz.ru
www.xxx18.ucoz.com
liga.moy.su
multimarge.ph
murbil.hostei.com
mybinar.my1.ru
kingperu.com
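The domain list above is most useful as a detection feed. The following script is an added example (not part of the SonicWALL advisory) that matches DNS query logs against those domains, treating a query for a subdomain of a listed name (for example www.kingperu.com against the bare kingperu.com) as a hit. The log lines and their layout (timestamp, client address, "query: name type") are constructed for the example.

```python
"""Match DNS query logs against the domains listed in the advisory.

Added example, not from the advisory. The log format below is an assumption.
"""
import re
from typing import List, Optional, Tuple

# Domains exactly as listed in the advisory.
INDICATOR_DOMAINS = {
    "www.kingperu.com", "www.kadirzerey.com", "www.interiorgallery.in",
    "www.freemao.com", "www.florerialasfrecias.com", "www.filmatelier.at",
    "www.australia-citizenshiptest.com", "wallpaper.at.ua",
    "visionstudio.ucoz.com", "virus-tahk.ucoz.ru", "www.xxx18.ucoz.com",
    "liga.moy.su", "multimarge.ph", "murbil.hostei.com", "mybinar.my1.ru",
    "kingperu.com",
}


def normalize(name: str) -> str:
    """Lower-case the name and drop a trailing root dot ('example.com.')."""
    return name.strip().rstrip(".").lower()


def matches_indicator(qname: str, indicators=INDICATOR_DOMAINS) -> Optional[str]:
    """Return the indicator that qname equals or sits under, else None.

    Walks from the full name towards the suffix, so 'mail.kingperu.com'
    matches 'kingperu.com', but 'other.ucoz.com' does not match
    'visionstudio.ucoz.com' (shared hosting domains are not indicators).
    The loop stops before the bare TLD so 'com' alone can never match.
    """
    labels = normalize(qname).split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in indicators:
            return candidate
    return None


# Constructed log layout: "<timestamp> <client> query: <qname> <qtype>".
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query:\s+(?P<qname>\S+)")


def scan_log(lines) -> List[Tuple[str, str, str]]:
    """Return (client, normalized qname, matched indicator) for each hit."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed layout
        indicator = matches_indicator(m["qname"])
        if indicator:
            hits.append((m["client"], normalize(m["qname"]), indicator))
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "2014-04-18T09:12:01Z 10.0.0.12 query: www.kingperu.com A",
    "2014-04-18T09:12:03Z 10.0.0.12 query: update.example.net A",
    "2014-04-18T09:12:05Z 10.0.0.31 query: KINGPERU.COM. A",
    "2014-04-18T09:12:06Z 10.0.0.31 query: other.ucoz.com A",
    "malformed line without a query field",
]

if __name__ == "__main__":
    for client, qname, indicator in scan_log(SAMPLE_LOG):
        print(f"{client} resolved {qname} (matches indicator {indicator})")
```

The suffix walk is deliberate: several of the listed names live on free hosting providers (ucoz.com, my1.ru, at.ua), so only the full listed host is treated as an indicator, while a query for any host under a listed registrable domain such as kingperu.com is reported.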
The Trojan adds the following files to the filesystem:
- %USERPROFILE%\Local Settings\Temp\AGF8BF7.bat
- %USERPROFILE%\Local Settings\Temp\GGKD92B.bat
- %USERPROFILE%\Local Settings\Temp\IHK1550.bat
- %USERPROFILE%\Local Settings\Temp\QLK2113.bat
- %USERPROFILE%\Local Settings\Temp\QSC684E.bat
- %USERPROFILE%\Local Settings\Temp\UWS7AA7.bat
- %USERPROFILE%\Local Settings\Temp\Smfcrnejnyattfrpdr.exe [Detected as GAV: Blocker.EKIY (Trojan)]
- %USERPROFILE%\Local Settings\Temp\195671.exe [Detected as GAV: Zbot.GOV (Trojan)]
- %USERPROFILE%\Local Settings\Temp\Jeitpyjyyk.exe [Detected as GAV: Zbot.GOV (Trojan)]
- %SYSTEM32%\drivers\ac170656677d7ac.sys (rootkit) [Detected as GAV: Necurs.BDE (Trojan)]
The Trojan adds the following keys to the Windows registry to enable startup after reboot:
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_2A4B7\0000 Service "2a4b7"
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_2A4B7\0000 DeviceDesc "pyjyyk.exe"
- HKEY_USERS\S-1-5-21-448539723-1682526488-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Run Pyjyyk ""%USERPROFILE%\Local Settings\Temp\Jeitpyjyyk.exe""
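The file and registry indicators above share a pattern a defender can check for generically: a Run value whose image lives in the user's Temp directory, or whose filename is one of the dropped executables named in this advisory. The following script is an added example (not part of the SonicWALL advisory) that parses text in the layout produced by `reg query <key> /s` and flags such entries. The registry listing is constructed for the example; only the SID and the Jeitpyjyyk.exe value come from the advisory.

```python
"""Flag autorun entries pointing into Temp or at the advisory's dropped files.

Added example, not from the advisory. REG_OUTPUT is constructed in the shape
that `reg query <key> /s` prints: a key line, then indented
"<name>    <type>    <data>" lines.
"""
import re
from typing import List, Tuple

# Executables the advisory reports being dropped under Local Settings\Temp.
KNOWN_FILENAMES = {"jeitpyjyyk.exe", "195671.exe", "smfcrnejnyattfrpdr.exe"}

# Lower-cased path fragments that identify a per-user Temp directory.
TEMP_MARKERS = ("\\local settings\\temp\\", "\\appdata\\local\\temp\\", "%temp%\\")

VALUE_LINE = re.compile(r"^\s+(?P<name>\S+)\s+(?P<type>REG_\w+)\s+(?P<data>.*)$")


def parse_reg_query(text: str) -> List[Tuple[str, str, str]]:
    """Return (key, value name, data) triples from reg-query style output."""
    entries = []
    key = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("HKEY"):
            key = line.strip()  # an unindented line names the key
            continue
        m = VALUE_LINE.match(line)
        if m and key is not None:
            entries.append((key, m["name"], m["data"].strip()))
    return entries


def image_path(data: str) -> str:
    """Extract the executable path from Run value data.

    Handles a quoted path followed by arguments, and the doubled quotes
    (""path"") shown in the advisory's Run value.
    """
    data = data.strip()
    if data.startswith('"'):
        inner = data.lstrip('"')
        end = inner.find('"')
        return inner[:end] if end >= 0 else inner
    return data.split(" ", 1)[0]


def suspicious_autoruns(text: str) -> List[Tuple[str, str, List[str]]]:
    """Return (value name, image path, reasons) for each flagged entry."""
    findings = []
    for _key, name, data in parse_reg_query(text):
        image = image_path(data)
        lowered = image.lower()
        reasons = []
        if any(marker in lowered for marker in TEMP_MARKERS):
            reasons.append("image in Temp directory")
        if lowered.rsplit("\\", 1)[-1] in KNOWN_FILENAMES:
            reasons.append("filename listed in advisory")
        if reasons:
            findings.append((name, image, reasons))
    return findings


# Constructed listing: the Pyjyyk value mirrors the advisory, Updater is benign.
REG_OUTPUT = r"""
HKEY_USERS\S-1-5-21-448539723-1682526488-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Run
    Pyjyyk    REG_SZ    ""%USERPROFILE%\Local Settings\Temp\Jeitpyjyyk.exe""
    Updater    REG_SZ    "C:\Program Files\Example\updater.exe" /silent
"""

if __name__ == "__main__":
    for name, image, reasons in suspicious_autoruns(REG_OUTPUT):
        print(f"{name}: {image} [{'; '.join(reasons)}]")
```

The Temp-directory heuristic is the durable part: the random filenames change between samples, so a Run value that launches anything from Local Settings\Temp or AppData\Local\Temp deserves review regardless of whether the name matches this advisory.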
The .bat files contain the following script to clean up traces of the infection:
@echo off
:xoyjpusy
del /F /Q /A RSHAIL "%USERPROFILE%\Local Settings\Temp\195671.exe" >nul
if exist "%USERPROFILE%\Local Settings\Temp\195671.exe" goto xoyjpusy
ac170656677d7ac.sys is a known rootkit that serves to make the malware files hard to delete. It also prevents the victim from terminating the malware process.
The Trojan downloads file.ecr, renames it to pyjyyk.exe and runs it:
Smfcrnejnyattfrpdr.exe uses the following icon and was observed scanning for SMB (Samba) shares on the network:
The Trojan injects code into firefox.exe (if installed) and causes it to scan files for FTP server credentials. Below is a sample of the files and directories being scanned:
%USERPROFILE%\Application Data\desktop.ini
%USERPROFILE%\Local Settings\Application Data\Mozilla\Firefox\Profiles
%USERPROFILE%\Application Data\eqqi.udo.dat
%USERPROFILE%\Local Settings\Application Data\FlashFXP\3\Sites.dat
%USERPROFILE%\Application Data\GlobalSCAPE\CuteFTP\sm.dat
%USERPROFILE%\Application Data\GlobalSCAPE\CuteFTP Pro\sm.dat
%USERPROFILE%\Application Data\GlobalSCAPE\CuteFTP Lite\sm.dat
%USERPROFILE%\Local Settings\Application Data\FileZilla\filezilla.xml
%USERPROFILE%\Local Settings\Application Data\CuteFTP\sm.dat
SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:
- GAV: Fareit.A_136 (Trojan)
- GAV: Blocker.EKIY (Trojan)
- GAV: Zbot.GOV (Trojan)
- GAV: Necurs.BDE (Trojan)