Security experts at TrendMicro have discovered a new variant of the Fareit data stealer, also known as Pony Loader, that is being spread exploiting Windows PowerShell.
The source code for Pony Loader versions 1.9 and 2.0 was leaked in 2014 in the criminal underground allowing criminal gangs to improve it.
Threat actors are delivering the Fareit malware via spam emails with malicious attachments, victims receive a message with either a malicious .PDF file that exploits Windows PowerShell or a Word document that embeds malicious macro codes.
When victims receive a Word document, open it and enables macros, the embedded code drops and executes TSPY_FAREIT.
When victims receive and open the malicious PDF attachment, the PDF executes Windows PowerShell via its OpenAction event to perform download and execute the TSPY_FAREIT.
In both scenarios, the FAREIT is designed to steal user’s information, including login credentials and bitcoin-related details.
“More and more, we are seeing threats that abuse the PowerShell feature, such as FAREIT and PowerWare. The difference between the two is that PowerWare uses macros first and then runs PowerShell, where the parameters for the malicious code can be found. FAREIT’s malicious PDF, on the other hand, uses OpenAction event to directly run PowerShell with the parameters containing the malicious code.” states a blog post published by TrendMicro.
This technique implemented by FAREIT is very efficient because macros are disabled by default and the attacker needs to trick victims into enabling them before the malware can be dropped and executed.
The attack is particularly effective against organizations that make large use of PDF and documents embedding macros.
“As both PDFs and macros are used in most organizations and enterprises, employees are quite susceptible to fall for FAREIT. Users are advised to install security software that can detect spammed messages and malicious files related to this threat,” Trend Micro said.
(Security Affairs – FAREIT malware, cybercrime)