- With the spotlight on ransomware, new malware campaigns are quietly stealing victim credentials.
- Case in point: We’ve spotted a targeted attack using a new variant of the credential stealing malware Fareit in multiple phishing emails and disguised PDFs.
- This particular package evades detection by checking for the presence of security tools, sandboxes, and VMs before running.
- In addition to stealing credentials, Fareit scrapes info from the victim’s cookies and browser history and sends it back to attackers for sale or exploitation.
- Barkly stopped this malware on multiple user systems before it had a chance to do any damage, even though it was a new variant we hadn’t seen in the wild.
- With information on the attack and the payload, the would-be victim was able to send out a company-wide warning while monitoring its systems for additional signs of potential compromise.
Targeted phishing attacks delivering a new Fareit credential stealer variant that bypasses AV
Late last week, we informed one of our customers they were under a targeted attack. Multiple users had been sent phishing emails with a malicious executable disguised as a PDF. Once opened, it launched a new variant of Fareit, a credential stealer designed to scrape the victims’ machines for sign-in information for email accounts, domains, banking services, auth cookies, FTP servers, Bitcoin, and anything else of value, then ship it off to the attacker.
The malware was able to bypass the users’ defenses, including network-connected antivirus, by injecting itself into legitimate processes on the system. It also conducted checks to confirm it wasn’t running in a virtual machine environment or a sandbox.
Using behavioral analytics, Barkly was able to stop the attack at runtime, before it could steal any of the victim’s information or do any damage. Then, thanks to the alert Barkly automatically generated, the IT team was able to assess the right way to notify the rest of the company before additional employees were infected.
The silent threat of credential stealers
Ransomware may be grabbing all the headlines, but a resurgence of credential stealers is grabbing the keys to the kingdom.
Recently, we’ve seen an influx of high-profile credential stealers, including Kovter and Dridex, making the rounds. Unlike ransomware, credential stealers often run in the background and steal information without giving the user any indication they have been victimized. Attackers can then choose to immediately exploit the credentials in an attempt to land and expand to other resources and systems in the victim’s network, or bundle them up and sell them on the black market for further exploitation.
Fareit enumerating sensitive directories while attempting to steal credentials
Each account has value in a different context. For example, e-mail accounts can be leveraged for spamming, FTP accounts can be leveraged to store payloads for future campaigns, and Bitcoin wallets and banking accounts can be used to steal money or launder it.
Why early alerts matter
It’s easy to see how quickly targeted credential stealing attacks can snowball if they initially go undetected. The credentials harvested can immediately be used to access critical resources and systems like internal databases, email servers, network hardware, etc. — all without drawing attention to the fact they’ve been compromised.
In this case, Barkly was able to prevent that from happening and alert the customer they were under a targeted attack. Not only did the early alert allow IT to send out a company-wide warning about the phishing message, it also prompted them to look at their systems for signs of earlier compromise and take additional precautions by restricting traffic, blocking the sending organization, monitoring for botnet traffic, etc.
Steps to prevent getting infected
If 2016 was the year of ransomware and quick, automated payoffs, the early indication is this year we’ll see more attackers using some of the same infection techniques to play a more stealthy, nuanced game in the hunt for bigger paydays.
By combining runtime malware defense on the endpoint with improved user awareness and better centralized reporting, IT teams can be much better equipped to recognize these attacks as they are happening instead of after it’s too late.
What you can do now:
- Notify your users to be on the lookout for suspicious emails with PDF attachments labeled "Request for Quotation".
- Configure user settings to show file extensions by default (in this attack, the "PDF" was actually a disguised .exe file).
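The disguise used in this attack (an .exe attachment named to look like a PDF, which Explorer displays as a PDF when extensions are hidden) can be caught at the mail gateway or on the endpoint by comparing each attachment's name with its first bytes. The script below is an added example, not code from the original post or from Barkly. The sample attachments are constructed stubs (a PE header and a PDF header, not real malware), and the function names, the suffix lists and the simplified model of Explorer's extension hiding are assumptions made for the example.

```python
"""Flag attachments whose content contradicts their file name (added example).

A Windows executable starts with the bytes "MZ" and a PDF with "%PDF-", so a
file named like a document but starting with "MZ" is an executable in disguise,
whatever Explorer shows the user.
"""
from pathlib import Path

PDF_MAGIC = b"%PDF-"
PE_MAGIC = b"MZ"

# Suffix lists are assumptions for this example; extend them for your environment.
DOCUMENT_SUFFIXES = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}
EXECUTABLE_SUFFIXES = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
SUSPICIOUS = {"disguised_executable", "double_extension"}


def classify(name: str, data: bytes) -> str:
    """Classify one attachment by comparing its name with its leading bytes.

    Returns one of: 'disguised_executable' (PE content, non-executable name),
    'double_extension' (PE content, name like quote.pdf.exe), 'executable',
    'pdf', or 'other'.
    """
    suffixes = [s.lower() for s in Path(name).suffixes]
    if data.startswith(PE_MAGIC):
        # Real PE file: does the name admit that?
        if not suffixes or suffixes[-1] not in EXECUTABLE_SUFFIXES:
            return "disguised_executable"
        if len(suffixes) >= 2 and suffixes[-2] in DOCUMENT_SUFFIXES:
            return "double_extension"
        return "executable"
    if data.startswith(PDF_MAGIC):
        return "pdf"
    return "other"


def displayed_name(name: str, hide_known_extensions: bool = True) -> str:
    """Simplified model of how Explorer shows a file name.

    With "Hide extensions for known file types" on (the Windows default), the
    last extension is dropped, so "Request for Quotation.pdf.exe" is shown as
    "Request for Quotation.pdf". This ignores icons and unregistered types.
    """
    suffix = Path(name).suffix
    if hide_known_extensions and suffix:
        return name[: -len(suffix)]
    return name


def triage(attachments):
    """Return (name, verdict) for every attachment whose content belies its name."""
    flagged = []
    for name, data in attachments:
        verdict = classify(name, data)
        if verdict in SUSPICIOUS:
            flagged.append((name, verdict))
    return flagged


# Constructed sample attachments: header stubs only, not real files or malware.
PE_STUB = b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56
PDF_STUB = b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n"
SAMPLE_ATTACHMENTS = [
    ("Price List.pdf", PDF_STUB),                 # genuine PDF
    ("Request for Quotation.pdf.exe", PE_STUB),   # shown as "...pdf" when extensions are hidden
    ("Request for Quotation.pdf", PE_STUB),       # executable renamed to look like a PDF
    ("setup.exe", PE_STUB),                       # honest executable
    ("notes.txt", b"plain text"),                 # neither PDF nor PE
]

if __name__ == "__main__":
    for name, data in SAMPLE_ATTACHMENTS:
        print(f"{displayed_name(name):35} -> {classify(name, data)}")
    print("flagged:", triage(SAMPLE_ATTACHMENTS))
```

Run as a script it prints the verdict for each constructed sample next to the name the user would see; in practice you would feed it attachment names and bytes from the mail gateway or a quarantine folder. The magic-byte check is the part that matters: a double extension is only a hint, but content that starts with "MZ" is a Windows executable no matter what the name claims, which is exactly the case the extension setting above is meant to expose.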
Additional steps to prevent/limit the damage from attacks like this one:
- Train users how to spot phishing emails. Check out our Phishing Email Field Guide for examples of phishing emails you can share with them and tips for making training more effective.
- Exercise the principle of least privilege by limiting user access to the bare minimum.
- "User-proof" your endpoints. We've built Barkly to be the last line of defense that protects your organization even when a user makes a mistake and triggers an attack. In addition to immediately detecting malicious activity and blocking attacks that antivirus misses, Barkly also automatically alerts both you and the user so they can understand they dodged a bullet and need to be more careful next time. See how it works here.
Learn more about Barkly and see what attacks are getting past your AV by signing up for a free trial.
Feature image by Bash Linx