Spam Overdose Yields Fareit, Zeus and Cryptolocker

Somebody has been busy these past two days… We have seen a massive spam surge with the same subjects and attachments in our spam traps.

emails (40k image)

emailstats (28k image)

The attachments usually have the following filenames.

attachname (11k image)

The binary attachment is a threat that is often referred to as Fareit. Fareit is known to steal information such as credentials and account information from installed FTP clients and cryptocurrency wallets, and stored passwords in browsers.

For the two samples coming from these spam, we’ve seen them connecting to these to send information:
• networksecurityx.hopto.org
• 188.167.38.131
• 94.136.131.2
• 66.241.103.146
• 37.9.50.200

In addition to stealing data, these samples download other malware including Zeus P2P from:
• ip-97-*.net/zA6.exe
• 119*4/fF3krry.exe
• rot*.com/124Tzh.exe
• ww*ng.net/bpuMp.exe
• dev*.com/1mHifVu.exe
• surfa*.com/DJm.exe
• kl*.com/Q4EzT.exe

Other malware seen installed in the system was Cryptolocker.

btc (182k image)

Apparently, spam overdose results in malware overdose.

Samples are detected as Trojan.Pws.Tepfer and Trojan.GenericKD variants.

On 09/01/14 At 01:15 PM

Read more: Spam Overdose Yields Fareit, Zeus and Cryptolocker

Incoming search terms

Story added 10. January 2014, content source with full text you can find at link above.