Not that new, but still noteworthy the spammers seem to be abusing WelssFargo (an American bank) as trusted sender. This is simple mail spoofing.
|Mail from "Georgina Franks"|
Some example senders (where it seems to come from):
As far as I could find, these email addresses do not even exist.
The mail itself is actually coming from the Pushdo botnet. Example IPs:
18.104.22.168 - IPVoid Result
22.214.171.124 - IPVoid Result
All the links in the mail are legit, this to convince you that the attachment will be legit as well. When opening the ZIP file (which is named WellsFargo.yourmailprefix) , you're presented with a what-looks-like a PDF file, but is in fact an EXE file:
This malware is known as Fareit (or Tepfer). According to Microsoft:
Win32/Fareit is a multiple component malware family that consists of a password stealing component, PWS:Win32/Fareit, that steals sensitive information from the affected user's computer and sends it to a remote attacker, and a Distributed Denial of Service (DDoS) component, DDoS:Win32/Fareit.gen!A, that may be commanded to perform flooding attacks against other servers.
When executing the file it looks for quite a lot of data to steal, as well to phone home to update its configuration files and download additional malware (Zeus).Below you can find an image on the data (information) it tries to steal:
|List of programs it tries to extract username/password from|
So besides all this, it additionally downloads Zeus (the payload), which tries to steal banking credentials and others... If you'd think Fareit is enough, guess again! There's a good image made by the FBI how the Zeus 'scheme' or malware works:
|Cyber Theft Ring details|
The downloaded Zeus files are all having a very low detection rate on VirusTotal. Hint:
check out the VirusTotal report from the sample above and click on the tab "Behavioural Information". Note the links are live!
- Don't open any attachment(s) of unknown senders. In fact, don't even open mail from unknown senders.
- Don't be fooled by mail spoofing, you can view the real source by right-clicking your mail and choosing "View Source". (This depends on your mailclient though.)
- Don't be fooled by the fancy icons, they are actually EXE
files. You can enable an option in Windows so you're always sure of the
filetype being used:
Enable Viewing of Filename Extensions for Known File Types
- Install an antivirus and antimalware product and keep it up-to-date & running.
- If you're in an organisation, you might want to block the following IPs (quite a long list):