FedEx Delivery Notices Dropping Zeus and Fareit Trojans

Written by

Not all FedEx deliveries contain packages that users expect.

Security researchers at AppRiver have observed an uptick in spam messages that appear to be shipping notifications from FedEx, but in fact contain Fareit malware, an information stealer that targets email passwords and browser-stored passwords, as well as FTP credentials.

During AppRiver’s analysis, the malware also downloaded a copy of the ever-popular Zeus Trojan onto the infected machine.

According to Troy Gill, manager of security research, the messages appear to contain a shipping receipt for a package that the courier was unable to deliver. The attached file, while it does have .PDF in the name, is actually a file archive utilizing the open source file archiver 7zip. Inside the compressed archive, you will find an executable file (.exe) that contains the Fareit malware.

“During our dynamic analysis, we observed all of the above being performed after the malware disabled local security tools,” he said, in a blog. “After scrapping the machine for the before mentioned credentials, it established an outbound connection and pulled down a copy of the ever-popular Zeus Trojan. Once the Zeus infection is in place, the attacker can gather more credentials such as banking information. In addition to having their data stolen, the victim’s machine is also vulnerable to being used to perpetuate more attacks or in future DDoS attacks.”

With ransomware attacks garnering all of the attention lately, it’s easy to forget that information stealing malware like this can be equally (or in many cases far more) damaging.

“The impact from suffering a ransomware attack and finding all of your files have been encrypted will depend greatly on the importance of those files and how well they have been backed up,” he said. “On the other hand, being unknowingly infected with Fareit/Zeus can lead to the theft of your sensitive credentials—which leads to further data theft, credit fraud and even identity theft.”

Express shipping spam has long been a favored lure for criminals bent on spreading malware through email. Anyone receiving a notice from FedEx, UPS or other services should be very wary.

Photo © Bojan Pavlukovic

What’s hot on Infosecurity Magazine?