Last month, researchers at Trend Micro observed an information-stealing trojan, known as Fareit, being used to spread ransomware known as Cribit. On Friday, the Dell SonicWALL Threats Research Team observed a Fareit variant spreading even more malware.
The attackers appear to be targeting people in the UK, according to a post, which explains that the malware spreads through phishing emails claiming to be order confirmations from UK-based Maurice Lay. An invoice attached to the email appears to be a PDF file but is actually the Fareit trojan.
Double-clicking the malicious executable results in the trojan spreading other malware, including the Necurs and Zbot trojans, as well as CryptoLocker ransomware, according to the post. Code is also injected into Firefox, causing files to be scanned for FTP server credentials.