“Wanted to share a heads-up re: a new attack we just stopped on multiple customer devices. Turns out it was a new variant of the credential stealing malware “Fareit”.

Multiple users at this customer were sent phishing emails with a malicious executable disguised as a PDF labeled “Request for Quotation” (good reminder to configure user settings to show file extensions by default). Once opened, it launched a new variant of Fareit, a credential stealer designed to scrape the victims’ machines for sign-in information for email accounts, domains, banking services, auth cookies, FTP servers, Bitcoin accounts, etc. — anything of value to ship it off to the attacker.

The malware was able to bypass the users’ defenses, including network-connected antivirus, by injecting itself into legitimate processes on the system. It also conducted checks to confirm it wasn’t running in a virtual machine environment or a sandbox.”
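The lure described above works because Explorer hides the final extension, so "Request for Quotation.pdf.exe" is shown as "Request for Quotation.pdf". The following is an added example, not code from the original post or from the vendor quoted, showing two checks a mail gateway or triage script can apply to attachments: a double-extension check on the file name and a content check on the leading bytes (PE files start with "MZ", PDFs with "%PDF-"). The `Attachment` class, the extension lists and the sample attachments are all constructed for this illustration.

```python
"""Flag email attachments that masquerade as documents.

Added example (not from the original post): models the lure described
above, an executable named to look like a PDF, and applies two
defender-side checks: a double-extension check on the file name and a
magic-byte check on the file content. Sample attachments are constructed.
"""
from dataclasses import dataclass

# Extensions Windows runs directly on double-click (assumed list).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "hta"}
# Extensions users expect to be harmless documents (assumed list).
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "rtf"}
# Leading bytes of the two formats this check distinguishes.
PDF_MAGIC = b"%PDF-"
PE_MAGIC = b"MZ"


@dataclass
class Attachment:
    filename: str
    content: bytes  # only the leading bytes are needed for this check


def claimed_and_real_extension(filename):
    """Return (extension the name suggests, extension that actually runs).

    With extensions hidden, 'Request for Quotation.pdf.exe' is displayed as
    'Request for Quotation.pdf'; the last extension decides what runs.
    """
    parts = filename.lower().split(".")
    if len(parts) < 2:
        return None, None
    real = parts[-1]
    claimed = parts[-2] if len(parts) >= 3 else real
    return claimed, real


def inspect(att):
    """Return the reasons an attachment looks suspicious (empty list = clean)."""
    reasons = []
    claimed, real = claimed_and_real_extension(att.filename)
    if real in EXECUTABLE_EXTS:
        reasons.append(f"executable extension .{real}")
        if claimed in DOCUMENT_EXTS:
            reasons.append(f"double extension: looks like .{claimed}, runs as .{real}")
    if real in DOCUMENT_EXTS:
        # A document extension over a PE header is a renamed executable.
        if att.content.startswith(PE_MAGIC):
            reasons.append("content is a PE executable despite document extension")
        elif real == "pdf" and not att.content.startswith(PDF_MAGIC):
            reasons.append("claims to be PDF but lacks %PDF header")
    return reasons


def triage(attachments):
    """Map each attachment name to its list of findings."""
    return {a.filename: inspect(a) for a in attachments}


# Constructed sample attachments: the lure, a genuine PDF, a renamed
# executable, and a plain text file.
SAMPLES = [
    Attachment("Request for Quotation.pdf.exe", b"MZ\x90\x00" + b"\x00" * 60),
    Attachment("Request for Quotation.pdf", b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n"),
    Attachment("invoice.pdf", b"MZ\x90\x00"),
    Attachment("notes.txt", b"hello"),
]

if __name__ == "__main__":
    for name, findings in triage(SAMPLES).items():
        print(f"{name}: {findings or 'clean'}")
```

The name check alone catches the double-extension trick; the content check is what catches the same payload after it has been renamed to a bare `.pdf`, which is why both are worth running together rather than relying on the displayed file name.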

Read more details here.

Author: Jonathan Barkly