Vicinity of obscurity! Fareit trojan spread via uncommon file type

Malicious attackers disguise their attacks via .mht file attachments

Vicinity of obscurity! Fareit trojan spreading via uncommon file type

The Fareit trojan is using an uncommon file type as a disguise as it is spread via phishing and other spam mail campaigns.

Fareit has been around for a little while now, and we all know that Locky ransomware and other malicious programs hide within .zip, .js, and other file types to trick unsuspecting users into opening them.

But the Fareit trojan is doing something a bit different in this campaign:

Malicious email

See that Payment_Advice.mht attachment at the bottom of the scam email? Like in most spam campaigns, the attachment's disguised as a document having something to do with payment. But unlike other malware campaigns, it's using the .mht file type.

Researchers at Cisco Talos explain what that is:

"MHT files, also referred to as .mhtml files, are MIME HTML files. These files are commonly created when trying to save a document or other content as a web page. MHT files can be created using various types of applications including web browsers and word processors. In this case we found a small spam campaign purporting as a billing payment document from HSBC."

It wasn't easy linking the fake attachment to Fareit. Looking at the .mht file, the researchers found two things: a link to a .hta file and an inexplicable reference to the musical group Deftones.

Image06

Source: Cisco Talos

The team experienced some difficulty in analyzing the .hta file, for someone had cleaned up the compromised website and taken down the file. But that didn't stop the researchers:

"Talos was placed in a situation where there was a threat that was once active but had been cleaned up. This is a common problem and provides an opportunity to demonstrate how data and threat intelligence can be used to find the missing links and rebuild the infection chain. In this particular case we had URL pointing to an hta file that no longer existed. We were able to find instances of the file being blocked from being downloaded. Normally that would not be particularly interesting, but in this case we were able to find a file hash (a95a01472fdb42a123e1beb6332cb42c9372fdfe33066b94a7cabdac3d78efe1). We then started searching through various data sources for the file in question and found it in multiple locations including VirusTotal."

Even then, they weren't in the clear just yet. An analysis of the file uncovered a vbscript that pointed to an even more elusive file. Using the same techniques, they searched the file based upon its URL path and name to arrive at a hash. It was then that the researchers finally linked the spam campaign to Fareit.

Clearly, attackers are willing to go to extreme lengths to avoid raising a red flag among users and security researchers. Sometimes that involves using a file type that people don't ordinarily come across.

But that works both ways. Just as malicious programs don't often disguise themselves as .mht files, ordinary users rarely if ever receive a file of the same format attached to one of their emails.

Computer users should therefore follow the advice that's paradoxically set forth in Fareit's spam email: they should never open emails sent from suspicious sources, especially those that contain unusual file types.

Tags: ,

Smashing Security podcast
Check out "Smashing Security", the new weekly audio podcast, with Graham Cluley, Carole Theriault, and special guests from the world of information security.

"Three people having fun in an industry often focused on bad news" • "It's brilliant!" • "The Top Gear of computer security"

Latest episode:

,

4 Responses

  1. Simon

    November 24, 2016 at 11:03 am #

    Cunning, yet so simple to disguise malicious attachments within *.mht files.

    Double extension files, coupled with Windows masking extension types for known files can throw less-technical people off course.

    Curiously will also get in the way of 'best practice' when mail filters fail to protect. User education and awareness is key.

  2. Spam Sorenson

    November 24, 2016 at 4:26 pm #

    Well, another insidious problem.

    the old: "do not download or open files from unknown sources" should be expanded. Defining what is suspicious is a problem, an infected friend's email can contain such and would be trusted.

    I do not accept email from"Do not reply" or "No reply" email addresses, even from google.com.

    I figure if the sender isn't willing to let me communicate with them, then I am not willing to communicate from them. I realize many "Ethical" companies do this, I will simply not do business with a company who is not willing to stand behind their communication. Even Barack Obama approved his messages, as do most candidates.

    I even must identify myself to post this message. I'm Spam Sorenson and I approve this message.

    • coyote in reply to Spam Sorenson.

      November 25, 2016 at 11:39 pm #

      'the old: "do not download or open files from unknown sources" should be expanded. Defining what is suspicious is a problem, an infected friend's email can contain such and would be trusted.'

      Yes. I've said this for years and will continue to say this. What if they are ignorant? What if they think it's just a prank or otherwise harmless fun? Poor judgement happens. But even if you requested the file what if they were ignorant there too? In the end every file you're sent (or you yourself find[1]) should be considered unsafe until proven otherwise (some files are inherently safe but unfortunately some companies I won't name like to change how files might be interpreted and therefore make what should be safe unsafe). There is another issue though: how far do you go when explaining this? There are many levels and each one only adds confusion which makes it more complicated and inconvenient and therefore potentially harmful in the end.

      [1] Whether Windows system files count as 'safe' here is up to debate, I suppose, but I of course refer to files you download.

      • jussdave in reply to coyote.

        November 29, 2016 at 5:49 am #

        I used to use the 'inspect website' option when surfing thru responses & emails I think by either leftclicking or using the settings-security button in the upper right corner to look for a pcks key, then a follow up 'security key ok' key before viewing the email myself. Don't know now if that still works, as it was within the win98se os at the time…..

Leave a Reply