Tuesday, June 11, 2013

WellsFargo spam serving infostealing malware

Not that new, but still noteworthy the spammers seem to be abusing WelssFargo (an American bank) as trusted sender. This is simple mail spoofing.

Mail from "Georgina Franks"

Some example senders (where it seems to come from):

As far as I could find, these email addresses do not even exist.

The mail itself is actually coming from the Pushdo botnet. Example IPs: - IPVoid Result - IPVoid Result

All the links in the mail are legit, this to convince you that the attachment will be legit as well. When opening the ZIP file (which is named WellsFargo.yourmailprefix) , you're presented with a what-looks-like a PDF file, but is in fact an EXE file:

MD5: 47e739106c24fbf52ed3b8fd01dc3668
VirusTotal Report
Anubis Report
Malwr Report

This malware is known as Fareit (or Tepfer). According to Microsoft:
 Win32/Fareit is a multiple component malware family that consists of a password stealing component, PWS:Win32/Fareit, that steals sensitive information from the affected user's computer and sends it to a remote attacker, and a Distributed Denial of Service (DDoS) component, DDoS:Win32/Fareit.gen!A, that may be commanded to perform flooding attacks against other servers.

When executing the file it looks for quite a lot of data to steal, as well to phone home to update its configuration files and download additional malware (Zeus).Below you can find an image on the data (information) it tries to steal:

List of programs it tries to extract username/password from

So besides all this, it additionally downloads Zeus (the payload), which tries to steal banking credentials and others... If you'd think Fareit is enough, guess again! There's a good image made by the FBI how the Zeus 'scheme' or malware works:

Cyber Theft Ring details

The downloaded Zeus files are all having a very low detection rate on VirusTotal. Hint:
check out the VirusTotal report from the sample above and click on the tab "Behavioural Information". Note the links are live!

  • Don't open any attachment(s) of unknown senders. In fact, don't even open mail from unknown senders.
  • Don't be fooled by mail spoofing, you can view the real source by right-clicking your mail and choosing "View Source". (This depends on your mailclient though.)
  • Don't be fooled by the fancy icons, they are actually EXE files. You can enable an option in Windows so you're always sure of the filetype being used:
    Enable Viewing of Filename Extensions for Known File Types
  • Install an antivirus and antimalware product and keep it up-to-date & running.
  • If you're in an organisation, you might want to block the following IPs (quite a long list):
Note that these are IPs the malware communicates to. In most cases, they are harmful, but keep in mind some IPs might be legit, as the malware authors want to test for connectivity by connecting to Google for example. So, if you plan to block on IP, be sure to cross-check on IPvoid or DomainTools.

Stay safe.


  1. is owned by microsoft and handles system clock sync, might want to remove that one :)

    1. Thanks for your comment! I've removed said IP.

      FYI, I didn't check any of the IPs, hence the note at the end ;-)