W32/Fareit.A!tr.pws
Analysis
W32/Fareit.A!tr.pws is a generic detection for a type of trojan that drops other malware onto the compromised computer. Because this is a generic detection, files detected as W32/Fareit.A!tr.pws may vary in behavior.
Below are examples of some of these behaviors:
- Depending on its configuration, it can use a URL to download malware directly, which it then drops and executes on the victim's system or injects into a particular process, such as the AppLaunch.exe or vbc.exe process in the .NET Runtime directory, or even into its own running process.
- It injects malware detected as W32/Agent.NTM!tr into one of the processes mentioned above. The injected malware then steals passwords from software such as CuteFTP and FileZilla.
- Systems infected by this malware perform DNS queries for certain hardcoded domain names. These domain names may vary between variants. One observed domain is the following:
- soulf{Removed}om.mx
- The malware automatically deletes itself after execution.
Recommended Action
- Make sure that your FortiGate/FortiClient system is using the latest AV database.
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
Telemetry
Detection Availability
- FortiGate
- FortiClient
- FortiAPS
- FortiAPU
- FortiMail
- FortiSandbox
- FortiWeb
- Web Application Firewall
- FortiIsolator
- FortiDeceptor
- FortiEDR