Somebody has been busy these past two days... We have seen a massive spam surge with the same subjects and attachments in our spam traps.
The attachments usually have the following filenames.
![attachname (11k image)]()
The binary attachment is a threat that is often referred to as Fareit. Fareit is known to steal information such as credentials and account information from installed FTP clients and cryptocurrency wallets, and stored passwords in browsers.
For the two samples coming from these spam, we've seen them connecting to these to send information:
networksecurityx.hopto.org
188.167.38.131
94.136.131.2
66.241.103.146
37.9.50.200
In addition to stealing data, these samples download other malware including Zeus P2P from:
ip-97-*.net/zA6.exe
119*4/fF3krry.exe
rot*.com/124Tzh.exe
ww*ng.net/bpuMp.exe
dev*.com/1mHifVu.exe
surfa*.com/DJm.exe
kl*.com/Q4EzT.exe
Other malware seen installed in the system was Cryptolocker.
Apparently, spam overdose results in malware overdose.
Samples are detected as Trojan.Pws.Tepfer and Trojan.GenericKD variants.
The attachments usually have the following filenames.
The binary attachment is a threat that is often referred to as Fareit. Fareit is known to steal information such as credentials and account information from installed FTP clients and cryptocurrency wallets, and stored passwords in browsers.
For the two samples coming from these spam, we've seen them connecting to these to send information:
networksecurityx.hopto.org
188.167.38.131
94.136.131.2
66.241.103.146
37.9.50.200
In addition to stealing data, these samples download other malware including Zeus P2P from:
ip-97-*.net/zA6.exe
119*4/fF3krry.exe
rot*.com/124Tzh.exe
ww*ng.net/bpuMp.exe
dev*.com/1mHifVu.exe
surfa*.com/DJm.exe
kl*.com/Q4EzT.exe
Other malware seen installed in the system was Cryptolocker.
Apparently, spam overdose results in malware overdose.
Samples are detected as Trojan.Pws.Tepfer and Trojan.GenericKD variants.
On 09/01/14 At 01:15 PM