NEWS FROM THE LAB - Thursday, January 9, 2014

Spam Overdose Yields Fareit, Zeus and Cryptolocker Posted by Karmina @ 13:15 GMT

Somebody has been busy these past two days... We have seen a massive spam surge with the same subjects and attachments in our spam traps.

emails (40k image)

emailstats (28k image)

The attachments usually have the following filenames.

attachname (11k image)

The binary attachment is a threat that is often referred to as Fareit. Fareit is known to steal information such as credentials and account information from installed FTP clients and cryptocurrency wallets, and stored passwords in browsers.

For the two samples coming from these spam, we've seen them connecting to these to send information:
� networksecurityx.hopto.org

In addition to stealing data, these samples download other malware including Zeus P2P from:
� ip-97-*.net/zA6.exe
� 119*4/fF3krry.exe
� rot*.com/124Tzh.exe
� ww*ng.net/bpuMp.exe
� dev*.com/1mHifVu.exe
� surfa*.com/DJm.exe
� kl*.com/Q4EzT.exe

Other malware seen installed in the system was Cryptolocker.

Apparently, spam overdose results in malware overdose.

Samples are detected as Trojan.Pws.Tepfer and Trojan.GenericKD variants.