Rajas Save

Malspam Delivers Fareit Info-Stealer October-2017

Blog Post created by Rajas Save Employee on Oct 23, 2017

On October 19th 2017, an unknown malspam campaign delivered a malicious RTF document, “Inquiry_list.doc”, which attempts to exploit Microsoft Office/WordPad via a Remote Code Execution (RCE) vulnerability in the Windows API, CVE-2017-0199.  



After opening the document via a vulnerable Microsoft Word application, a connection is established to “wizkiddz[.]xyz” to download a malicious DOT file, "dotenq.dot", which kicks off the following network events.


This DOT file contains obfuscated code, which downloads a malicious HTA, “htaenq.hta”, from same domain.


This HTA file then uses Base64 obfuscated code to spawn powershell and create a shell object in order to download the final payload, “enq.exe”, and then close the browser window automatically.


This final payload, “enq.exe”, is a Fareit Trojan, a commodity malware info-stealer often seen with Zeus/ZBOT campaigns.


Current RSA NetWitness detection populates following meta for the download sessions:


Once the download is complete, the binary is executed and post-infection traffic started.


Current RSA NetWitness detection populates following meta for Post Infection traffic:


Thanks go to Ahmed Sonbol and Kevin Stear for contributing to this threat advisory.