Somebody has been busy these past two days... We have seen a massive spam surge with the same subjects and attachments in our spam traps.
The attachments usually have the following filenames.
The binary attachment is a threat that is often referred to as Fareit. Fareit is known to steal information such as credentials and account information from installed FTP clients and cryptocurrency wallets, and stored passwords in browsers.
For the two samples coming from these spam, we've seen them connecting to these to send information: • networksecurityx.hopto.org • 188.8.131.52 • 184.108.40.206 • 220.127.116.11 • 18.104.22.168
In addition to stealing data, these samples download other malware including Zeus P2P from: • ip-97-*.net/zA6.exe • 119*4/fF3krry.exe • rot*.com/124Tzh.exe • ww*ng.net/bpuMp.exe • dev*.com/1mHifVu.exe • surfa*.com/DJm.exe • kl*.com/Q4EzT.exe
Other malware seen installed in the system was Cryptolocker.
Apparently, spam overdose results in malware overdose.
Samples are detected as Trojan.Pws.Tepfer and Trojan.GenericKD variants.