Security Affairs
Critical Gitea Docker Bug Under Active Exploitation Exposes Repositories and Secrets|Spanish Police Arrest Man Linked to CARR, Z-Pentest, and NoName057(16)|Hidden Tenda Router Backdoor Grants Admin Access, No Patch Available|AI-Generated Malware Powers New Armored Likho APT Campaign|Januscape: 16-Year-Old Linux KVM Bug Enables Cloud VM Escape Attacks|Adobe ColdFusion flaw CVE-2026-48282 now exploited in the wild|Hidden Web Prompts Trick AI Agents Into Sending Money|Seven Bugs in FatFs Put IoT and Embedded Devices at Risk|Bad Epoll Flaw Gives Attackers Root Access on Linux and Android|Medtronic Notifies 3.8 Million After ShinyHunters Data Breach|SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 104|Security Affairs newsletter Round 584 by Pierluigi Paganini – INTERNATIONAL EDITION|Critical Gitea Docker Bug Under Active Exploitation Exposes Repositories and Secrets|Spanish Police Arrest Man Linked to CARR, Z-Pentest, and NoName057(16)|Hidden Tenda Router Backdoor Grants Admin Access, No Patch Available|AI-Generated Malware Powers New Armored Likho APT Campaign|Januscape: 16-Year-Old Linux KVM Bug Enables Cloud VM Escape Attacks|Adobe ColdFusion flaw CVE-2026-48282 now exploited in the wild|Hidden Web Prompts Trick AI Agents Into Sending Money|Seven Bugs in FatFs Put IoT and Embedded Devices at Risk|Bad Epoll Flaw Gives Attackers Root Access on Linux and Android|Medtronic Notifies 3.8 Million After ShinyHunters Data Breach|SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 104|Security Affairs newsletter Round 584 by Pierluigi Paganini – INTERNATIONAL EDITION|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Fareit data stealer being delivered using Windows PowerShell

Researchers at Trend Micro have spotted a new strain of the Fareit malware being delivered to victims using Windows PowerShell. Security experts at TrendMicro have discovered a new variant of the Fareit data stealer, also known as Pony Loader, that is being spread exploiting Windows PowerShell. Fareit first appeared in the wild in since 2011 and last variant abuse the […]

Fareit data stealer being delivered using Windows PowerShell

Researchers at Trend Micro have spotted a new strain of the Fareit malware being delivered to victims using Windows PowerShell.

Security experts at TrendMicro have discovered a new variant of the Fareit data stealer, also known as Pony Loader, that is being spread exploiting Windows PowerShell.

Fareit first appeared in the wild in since 2011 and last variant abuse the Windows PowerShell like many other threats, including VawTrak, PowerWare, and TROJ_POSHCODER.

The source code for Pony Loader versions 1.9 and 2.0 was leaked in 2014 in the criminal underground allowing criminal gangs to improve it.

Threat actors are delivering the Fareit malware via spam emails with malicious attachments, victims receive a message with either a malicious .PDF file that exploits Windows PowerShell or a Word document that embeds malicious macro codes.

When victims receive a Word document, open it and enables macros, the embedded code drops and executes TSPY_FAREIT.

FAREIT

When victims receive and open the malicious PDF attachment, the PDF executes Windows PowerShell via its OpenAction event to perform download and execute the TSPY_FAREIT.

In both scenarios, the FAREIT is designed to steal user’s information, including login credentials and bitcoin-related details.

“More and more, we are seeing threats that abuse the PowerShell feature, such as FAREIT and PowerWare.  The difference between the two is that PowerWare uses macros first and then runs PowerShell, where the parameters for the malicious code can be found. FAREIT’s malicious PDF, on the other hand, uses OpenAction event to directly run PowerShell with the parameters containing the malicious code.” states a blog post published by TrendMicro.

This technique implemented by FAREIT is very efficient because macros are disabled by default and the attacker needs to trick victims into enabling them before the malware can be dropped and executed.

The attack is particularly effective against organizations that make large use of PDF and documents embedding macros.

“As both PDFs and macros are used in most organizations and enterprises, employees are quite susceptible to fall for FAREIT. Users are advised to install security software that can detect spammed messages and malicious files related to this threat,” Trend Micro said.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – FAREIT malware, cybercrime)