Rajas Save

Malspam Delivers Fareit Info-Stealer October-2017

Blog Post created by Rajas Save Employee on Oct 23, 2017

On October 19th 2017, an unknown malspam campaign delivered a malicious RTF document, “Inquiry_list.doc”, which attempts to exploit Microsoft Office/WordPad via a Remote Code Execution (RCE) vulnerability in the Windows API, CVE-2017-0199.  

 

 

After opening the document via a vulnerable Microsoft Word application, a connection is established to “wizkiddz[.]xyz” to download a malicious DOT file, "dotenq.dot", which kicks off the following network events.

 

This DOT file contains obfuscated code, which downloads a malicious HTA, “htaenq.hta”, from same domain.

 

This HTA file then uses Base64 obfuscated code to spawn powershell and create a shell object in order to download the final payload, “enq.exe”, and then close the browser window automatically.


 

This final payload, “enq.exe”, is a Fareit Trojan, a commodity malware info-stealer often seen with Zeus/ZBOT campaigns.

 

Current RSA NetWitness detection populates following meta for the download sessions:

 

Once the download is complete, the binary is executed and post-infection traffic started.

 

Current RSA NetWitness detection populates following meta for Post Infection traffic:

 

Thanks go to Ahmed Sonbol and Kevin Stear for contributing to this threat advisory.

 

Outcomes