The Fareit trojan is using an uncommon file type as a disguise as it is spread via phishing and other spam mail campaigns.
Fareit has been around for a little while now, and we all know that Locky ransomware and other malicious programs hide within .zip, .js, and other file types to trick unsuspecting users into opening them.
But the Fareit trojan is doing something a bit different in this campaign:
See that Payment_Advice.mht attachment at the bottom of the scam email? Like in most spam campaigns, the attachment’s disguised as a document having something to do with payment. But unlike other malware campaigns, it’s using the .mht file type.
Researchers at Cisco Talos explain what that is:
“MHT files, also referred to as .mhtml files, are MIME HTML files. These files are commonly created when trying to save a document or other content as a web page. MHT files can be created using various types of applications including web browsers and word processors. In this case we found a small spam campaign purporting as a billing payment document from HSBC.”
It wasn’t easy linking the fake attachment to Fareit. Looking at the .mht file, the researchers found two things: a link to a .hta file and an inexplicable reference to the musical group Deftones.
The team experienced some difficulty in analyzing the .hta file, for someone had cleaned up the compromised website and taken down the file. But that didn’t stop the researchers:
“Talos was placed in a situation where there was a threat that was once active but had been cleaned up. This is a common problem and provides an opportunity to demonstrate how data and threat intelligence can be used to find the missing links and rebuild the infection chain. In this particular case we had URL pointing to an hta file that no longer existed. We were able to find instances of the file being blocked from being downloaded. Normally that would not be particularly interesting, but in this case we were able to find a file hash (a95a01472fdb42a123e1beb6332cb42c9372fdfe33066b94a7cabdac3d78efe1). We then started searching through various data sources for the file in question and found it in multiple locations including VirusTotal.”
Even then, they weren’t in the clear just yet. An analysis of the file uncovered a vbscript that pointed to an even more elusive file. Using the same techniques, they searched the file based upon its URL path and name to arrive at a hash. It was then that the researchers finally linked the spam campaign to Fareit.
Clearly, attackers are willing to go to extreme lengths to avoid raising a red flag among users and security researchers. Sometimes that involves using a file type that people don’t ordinarily come across.
But that works both ways. Just as malicious programs don’t often disguise themselves as .mht files, ordinary users rarely if ever receive a file of the same format attached to one of their emails.
Computer users should therefore follow the advice that’s paradoxically set forth in Fareit’s spam email: they should never open emails sent from suspicious sources, especially those that contain unusual file types.