TrojanPWS.Fareit.gen is a password-stealing Trojan that arrives in users' inboxes as an attachment under a variety of names, including 'Invoice_[random numbers].zip'. The email has a forged From: address that appears to come from a Payroll Office Manager.
The Trojan has password-stealing capabilities, and after execution it is coded to contact various websites to download additional malicious files.
The sites include:
hxxp://216.246.30.181/cPzw2.exe
hxxp://smartinfotech.ca/f3u2GD.exe
hxxp://spireportal.net/L3ork1v.exe
hxxp://elearning-softcase.com/V3qs.exe
hxxp://chadgunderson.com/kxC.exe
It also attempts to reach the following locations:
Connects to "213.186.47.54 (ns30536.ovh.net)" on port 8080.
Connects to "216.246.30.181 (ip181.immierst.com)" on port 80.
Connects to "208.83.209.55 (208-83-209-55.mdswireless.com)" on port 80.
Connects to "50.28.69.168" on port 80.
Connects to "198.15.67.51 (amazonas.ecuahosting.net)" on port 80.
Connects to "216.87.186.103" on port 80.
Please Note: Thirtyseven4 Antivirus is up-to-date against this threat, and Thirtyseven4 has proactively blocked these targeted domains via our Browser Protection module.
Upon execution, it drops a polymorphic file at the following location: %Appdata%\[random_folder]\[random_name].exe
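As an added triage example (not code from the advisory or from Thirtyseven4), the Python below checks outbound proxy log lines against the network indicators listed above and tests file paths against the %Appdata%\[random_folder]\[random_name].exe drop pattern; the "<client> <method> <url>" log format and the sample lines are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Network indicators taken from the advisory above: the download hosts and the
# addresses the Trojan connects to (213.186.47.54 is contacted on port 8080).
FAREIT_HOSTS = {
    "216.246.30.181", "smartinfotech.ca", "spireportal.net",
    "elearning-softcase.com", "chadgunderson.com", "213.186.47.54",
    "208.83.209.55", "50.28.69.168", "198.15.67.51", "216.87.186.103",
}

# Drop location from the advisory, %Appdata%\<random folder>\<random name>.exe,
# as the raw variable or expanded to the Roaming profile path (one level deep).
DROP_PATH_RE = re.compile(
    r"^(?:%appdata%|[a-z]:\\users\\[^\\]+\\appdata\\roaming)\\[^\\]+\\[^\\]+\.exe$",
    re.IGNORECASE)

# Constructed proxy log lines (not from the advisory): "<client> <method> <url>".
SAMPLE_PROXY_LOG = """\
10.0.0.12 GET http://www.example.com/index.html
10.0.0.12 GET hxxp://smartinfotech.ca/f3u2GD.exe
10.0.0.25 CONNECT 213.186.47.54:8080
10.0.0.31 GET http://216.87.186.103/
"""

def ioc_for_line(line: str):
    """Return the advisory host/IP a proxy log line points at, else None."""
    parts = line.split()
    if len(parts) < 3:
        return None
    target = parts[2].replace("hxxp://", "http://")  # undo defanging
    if "://" not in target:
        target = "http://" + target  # CONNECT lines carry a bare host:port
    host = urlsplit(target).hostname
    return host if host in FAREIT_HOSTS else None

def scan_proxy_log(text: str):
    """List (line_number, client, indicator) for each line hitting an IoC."""
    hits = []
    for number, line in enumerate(text.splitlines(), 1):
        ioc = ioc_for_line(line)
        if ioc:
            hits.append((number, line.split()[0], ioc))
    return hits

def is_fareit_drop_path(path: str) -> bool:
    return DROP_PATH_RE.match(path) is not None
```

The drop-path test on its own also matches legitimate software that installs into a Roaming subfolder, so treat it as a correlation signal alongside the network hits rather than a verdict.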
Here is an example screenshot:
“Delight yourself in the Lord and he will give you the desires of your heart.” Psalm 37:4