Malware Avoids AV Detection
Tuesday, October 6, 2015 @ 03:10 PM gHale
For most malware, getting in means finding a way around antivirus, and that is exactly what the Fareit malware appears to have done.
Fareit, a Trojan specialized in breaching user computers, talks to a command-and-control (C&C) server and then downloads malware onto the victim’s system. The malware has been around since 2012. Over time, Fareit morphed into a capable information stealer that specializes in extracting passwords from Web browsers.
As a part of getting in and fulfilling its mission, the malware uses a different file hash with every new infection, said researchers at Cisco’s Talos team.
This time around, the new version of this malware family acts like a chameleon, changing its file hash with each infection even though the file name remains the same, the researchers said.
The first samples were discovered in July this year, and the malware’s creators opted for this tactic to avoid hash- and signature-based detection methods.
“One possible reason for this might be that the mechanism which they use to download additional malware files or modules (e.g. cclub02.exe) needs fixed names or paths (like http://IP/cclub02.exe) and is not flexible enough to handle on-the-fly generated file names on a per victim/campaign base,” said Talos Group’s Earl Carter and Holger Unterbrink in their blog post. “This could also indicate a pay-per-infection botnet, but of course, this is speculation until we reverse engineer the local binaries and analyze the server command and control software.”
Cisco’s security products recorded 2,455 Fareit samples, but only 23 of them shared the same hash. Digging deeper into the data, the researchers also noticed that all of these samples communicated with only two C&C servers, hosted at 18.104.22.168 and 22.214.171.124.
Detection on VirusTotal was low for most of the Fareit samples, with the infected binaries averaging a score of 4/56.
One sample did score 40/54, but that sample had already been detected at the start of March 2015.
The evidence points to this campaign being run by the same group, and despite the cyber-criminals’ effort to use different file hashes, Cisco’s team said a string match against the static file names could protect users from further infections.
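The contrast the article draws, a hash that changes with every infection against a module name and download path that stay fixed, is easy to show in code. The example below is added here and is not Talos code or data: it constructs a small inventory of droppers that differ only in content (and so in hash), runs a hash blocklist and a static-string rule over them, and then applies the same string rule to a few constructed proxy log lines. The module name cclub02.exe and the http://IP/cclub02.exe path come from the quoted blog post; the IP addresses, hashes, log format and the regular expression are assumptions made for the example.

```python
"""Hash-based versus string-based matching for a dropper that is rehashed per infection.

Added illustration: the sample inventory, hashes, proxy log lines and the URL
pattern are constructed for this example; only the module name cclub02.exe and
the http://IP/cclub02.exe path shape come from the article.
"""
import hashlib
import re
from dataclasses import dataclass

# The one fixed artifact the article quotes: a module name that does not change.
STATIC_MODULE_NAMES = {"cclub02.exe"}
# Constructed pattern: that module fetched from a bare-IP host, as in the quoted path.
MODULE_URL_RE = re.compile(
    r"https?://(?:\d{1,3}\.){3}\d{1,3}/(?P<name>cclub02\.exe)\b", re.IGNORECASE
)


@dataclass(frozen=True)
class Sample:
    """Metadata a scanner holds for one binary (constructed)."""
    sha256: str
    filename: str
    download_url: str


def build_inventory(n_malicious: int = 25) -> list[Sample]:
    """Construct n_malicious droppers that differ only in hash, plus one benign file.

    Each dropper is rebuilt per infection: the bytes (and so the SHA-256) change,
    while the file name and the fetch URL stay the same.
    """
    samples = []
    for i in range(n_malicious):
        body = b"constructed dropper body " + str(i).encode()
        samples.append(Sample(hashlib.sha256(body).hexdigest(),
                              "cclub02.exe", "http://192.0.2.10/cclub02.exe"))
    samples.append(Sample(hashlib.sha256(b"benign installer").hexdigest(),
                          "setup.exe", "https://vendor.example/setup.exe"))
    return samples


def hash_blocklist_hits(samples, blocklist: set[str]) -> list[Sample]:
    """Signature-style check: flags only samples whose exact hash was seen before."""
    return [s for s in samples if s.sha256 in blocklist]


def static_string_hits(samples) -> list[Sample]:
    """String-style check: flags on the fixed module name or its download URL."""
    return [s for s in samples
            if s.filename.lower() in STATIC_MODULE_NAMES
            or MODULE_URL_RE.search(s.download_url)]


# Constructed proxy log: timestamp, client, method, URL, status, bytes.
PROXY_LOG = """\
2015-07-14T10:02:11Z 10.0.0.5 GET http://192.0.2.10/cclub02.exe 200 61440
2015-07-14T10:02:13Z 10.0.0.5 GET https://vendor.example/setup.exe 200 1048576
2015-07-14T10:03:40Z 10.0.0.9 GET http://198.51.100.7/CCLUB02.EXE 200 61440
2015-07-14T10:04:02Z 10.0.0.9 GET http://192.0.2.10/index.html 404 0
"""


def flag_proxy_downloads(log_text: str) -> list[tuple[str, str]]:
    """Return (client, url) for every proxy line that fetched the fixed module name."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip malformed or truncated lines
        client, url = parts[1], parts[3]
        if MODULE_URL_RE.search(url):
            hits.append((client, url))
    return hits


if __name__ == "__main__":
    inv = build_inventory()
    known = {inv[0].sha256, inv[1].sha256}  # only two hashes previously catalogued
    print("hash blocklist catches:", len(hash_blocklist_hits(inv, known)), "of", len(inv) - 1)
    print("static-string rule catches:", len(static_string_hits(inv)), "of", len(inv) - 1)
    for client, url in flag_proxy_downloads(PROXY_LOG):
        print("proxy hit:", client, url)
```

With a blocklist of two previously catalogued hashes, the hash check catches two of the 25 droppers; the static-string rule catches all 25 and none of the benign installer, and the same regular expression picks the two module downloads out of the proxy log regardless of letter case. The rule is deliberately narrow (an IP-hosted fetch of one fixed name) so that it does not fire on ordinary vendor downloads, which is the trade-off a defender has to weigh when moving from hash to string indicators.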