Bartallex special delivery: Fareit and Vawtrak

Earlier this year we witnessed several enterprises being targeted by Bartallex in spam emails. Bartallex uses Microsoft Word documents and social engineering techniques to trick enterprise users into opening and executing the embedded macro code in the document. When enabled, the macro code downloads and executes banking malware Dridex, a password-stealing Trojan that targets banks and other financial institution.

A few days ago, I received a new spam email as shown in the figure below:

Bartallex malware analysis

Just by looking at the email body, I can see that something is wrong with the email. I opened the email and downloaded the attachment price_list.doc (detected by CYREN as W97M/Bartallex) to investigate further. I tried to open the document in a controlled and monitored environment and I was asked to enable a macro. With this I concluded that there’s more to the document than meets the eye. The following are the macro codes in the document:

Barallex malware analysis

I tried to view the code but unfortunately the macros are password protected. But that didn’t stop me from viewing the actual macro code. With the help of tools I was able to unmask the macro codes. As seen in the code, it connects to the following URL to download and execute another malware:

Barallex malware analysis

The macro malware downloads the following files:

  • hxxp://ss<removed>.co/wp-content/uploads/cache/remote/www-abc-net-au/5716367236.txt
  • hxxp://ss<removed>.co/wp-content/uploads/cache/remote/www-abc-net-au/pipi.txt

The downloaded text files aren’t ordinary text files. The downloaded 5716367236.txt file contains another script code that uses Windows Scripting Host to download and execute the file pointed by the link found inside the downloaded pipi.txt file as shown below:

Barallex malware analysis

Barallex malware analysis

The downloaded file pointed by pipi.txt is detected by CYREN as W32/Fareit.JG, a password-stealing Trojan that steals login credentials for several FTP clients, email accounts, web browsers and Remote Destktop, as well as bitcoin accounts. This Trojan connects and sends stolen information to the following C&C servers:

  • hxxp://rin<removed>tred.ru/gate.php
  • hxxp://was<removed>hefa.ru/gate.php
  • hxxp://ker<removed>led.ru/gate.php

Below is a snapshot of the code of connecting to one of its C&C servers:

Barallex malware analysis

W32/Fareit.JG also downloads and installs another malware detected by CYREN as W32/Vawtrak.O (yet another password-stealing Trojan) from the following URLs:

  • hxxp://world<removed>supply.com/system/logs/k1.exe
  • hxxp://erro<removed>ds.cz/system/logs/k1.exe
  • hxxp://bloom<removed>s4u.com/system/logs/k1.exe

Below is also a snapshot of its download routine: 

Barallex malware analysis

Password Stealing Routines

FTP Accounts:

Barallex malware analysis

BitCoin Wallets:

Barallex malware analysis

Browser Accounts:

Barallex malware analysis

Email Accounts:

Barallex malware analysis

In general the infection chain of the above malware samples relies on social engineering. This can be prevented by always observing the best practices in dealing with emails and documents. Stay vigilant and alert when dealing with spam and make sure that macro security settings are enabled to prevent macro-based malware from doing harm to your systems.