Malware Review
This article introduces two major malware families, Zeus and Fareit. Zeus is a banking trojan
that steals online financial credentials through techniques such as keylogging and form
grabbing. Fareit is a credential-stealing trojan that collects passwords, usernames, and wallet
data, often delivering other malware as well. The study outlines their impacts on target systems
and highlights key traffic patterns, providing insight into how these threats can be identified
through network analysis.
Zeus
Zeus is also known as Zbot, Wsnpoem, and the Kneber botnet.
Impacts
Zeus is a banking trojan designed to steal online banking credentials, credit card data, and
login information by keylogging and man-in-the-browser attacks [1]. It can also download
additional malware, spread via phishing emails, and build botnets for cybercrime campaigns.
Detection Patterns
Indicators include unusual encrypted HTTP traffic to command-and-control (C2) servers,
domain-generation algorithm (DGA) domains, suspicious form-grabbing behaviour in web
traffic, and registry changes to maintain persistence. Network captures often show repeated
POST requests with encoded payloads.
- Repeated POST requests: Frequent small POST packets sent to the same IP/domain, possibly containing encrypted credentials.
- Abnormal User-Agent: For example, uncommon browser identifiers or missing standard fields.
- Plaintext credential leakage: HTTP POST requests containing values like username=xxx&password=xxx.
- DGA domains: Domains consisting of random-looking strings, such as abdh12kq.xyz.
Fareit
Fareit is also called Pony or Pony Loader.
Impacts
Fareit is a credential-stealing trojan that harvests usernames, passwords, and cryptocurrency
wallet data from infected systems [2]. It is often used to install other malware, such as
ransomware or banking trojans. Attackers use it to exfiltrate data to remote C2 servers,
enabling identity theft and financial fraud.
Detection Patterns
Indicators include large volumes of outbound POST requests with encoded data, attempts to
connect to hardcoded C2 IPs/domains, and sudden access to browser-stored credentials or
Windows credential stores. In packet captures, Fareit traffic may stand out as frequent small
POST requests containing credential dumps.
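The detection patterns listed for Zeus (repeated small POSTs to one host, an abnormal User-Agent, plaintext credential fields, DGA-looking domains) and for Fareit (frequent small POSTs of encoded data to hardcoded C2 IPs) can be turned into simple heuristics that run over extracted HTTP request records. The script below is an added example written for this article, not code from the article or from either malware family's analysis; the request tuples, the hosts, the thresholds (three POSTs, 1024-byte bodies) and the lexical DGA rule are all constructed assumptions, and the domain 203.0.113.10 is a documentation-range address. It generalises the article's list slightly by scoring each host on how many indicators fire, which is how an analyst would prioritise hosts in a capture.

```python
import re
import statistics
from collections import defaultdict
from urllib.parse import parse_qs

# Constructed HTTP request records in the shape (method, host, path, user_agent, body).
# These lines are synthetic, written for this example; they are not real Zeus or Fareit captures.
BROWSER = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/120.0"
SAMPLE_REQUESTS = [
    ("GET", "example-news.com", "/index.html", BROWSER, ""),
    # Zeus-style: small repeated POSTs of encoded data to a random-looking domain with an odd UA
    ("POST", "abdh12kq.xyz", "/gate.php", "Mozilla/4.0", "id=AAEC3f9a0b1c2d3e4f&d=Q1JFRFMuLi4="),
    ("POST", "abdh12kq.xyz", "/gate.php", "Mozilla/4.0", "id=BB7c2e1d0a9f8e7d6c&d=Rk9STS4uLg=="),
    ("POST", "abdh12kq.xyz", "/gate.php", "Mozilla/4.0", "id=CC91aa0f1e2d3c4b5a&d=S0VZUy4uLg=="),
    ("POST", "abdh12kq.xyz", "/gate.php", "Mozilla/4.0", "id=DD00ff12ee34dd56cc&d=TE9HUy4uLg=="),
    # Plaintext credential submission over HTTP (the username=...&password=... pattern)
    ("POST", "login.example-bank.com", "/auth", BROWSER, "username=alice&password=hunter2"),
    # Fareit-style: no User-Agent, opaque encoded blobs posted straight to a hardcoded IP
    ("POST", "203.0.113.10", "/gate.php", "", "AAECAwQFBgcICQoLDA0ODw=="),
    ("POST", "203.0.113.10", "/gate.php", "", "EBESExQVFhcYGRobHB0eHw=="),
    ("POST", "203.0.113.10", "/gate.php", "", "ICEiIyQlJicoKSorLC0uLw=="),
    # Benign: repeated but large uploads with a normal browser UA; must not trip the small-POST rule
    ("POST", "upload.example-cloud.com", "/files", BROWSER, "A" * 4096),
    ("POST", "upload.example-cloud.com", "/files", BROWSER, "B" * 4096),
    ("POST", "upload.example-cloud.com", "/files", BROWSER, "C" * 4096),
]

BROWSER_UA = re.compile(r"^Mozilla/5\.0 \(.+\) .+")   # loose shape of a modern browser UA (assumption)
IPV4_LITERAL = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
USER_KEYS = {"username", "user", "login", "email"}
PASS_KEYS = {"password", "pass", "pwd", "passwd"}
REPEAT_THRESHOLD = 3      # POSTs to one host before we call it beaconing (assumed value)
SMALL_BODY_BYTES = 1024   # credential/form-grab posts are small; bulk uploads are not (assumed value)


def registrable_label(host):
    """Second-level label ('abdh12kq' from 'abdh12kq.xyz'); None for IP literals."""
    if IPV4_LITERAL.match(host):
        return None
    parts = host.lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def looks_dga(host):
    """Crude lexical DGA test: a long label with few vowels, or digits mixed into letters."""
    label = registrable_label(host)
    if label is None or len(label) < 7:
        return False
    letters = [c for c in label if c.isalpha()]
    if not letters:
        return False
    vowel_ratio = sum(c in "aeiou" for c in letters) / len(letters)
    has_digits = any(c.isdigit() for c in label)
    return vowel_ratio < 0.3 or (has_digits and vowel_ratio < 0.4)


def has_plaintext_credentials(body):
    """True when a form-encoded body carries both a user-style and a password-style field."""
    keys = {k.lower() for k in parse_qs(body, keep_blank_values=True)}
    return bool(keys & USER_KEYS) and bool(keys & PASS_KEYS)


def analyze(requests):
    """Run the traffic heuristics over request tuples and return per-indicator findings."""
    posts_by_host = defaultdict(list)
    findings = {
        "repeated_small_posts": [],   # (host, post_count)
        "abnormal_user_agent": set(),
        "plaintext_credentials": [],  # (host, path); the password itself is never recorded
        "dga_like_domains": set(),
        "direct_ip_c2": set(),
    }
    for method, host, path, user_agent, body in requests:
        if not BROWSER_UA.match(user_agent):
            findings["abnormal_user_agent"].add(host)
        if method != "POST":
            continue
        posts_by_host[host].append(len(body))
        if has_plaintext_credentials(body):
            findings["plaintext_credentials"].append((host, path))
        if looks_dga(host):
            findings["dga_like_domains"].add(host)
        if IPV4_LITERAL.match(host):
            findings["direct_ip_c2"].add(host)
    for host, sizes in posts_by_host.items():
        if len(sizes) >= REPEAT_THRESHOLD and statistics.median(sizes) < SMALL_BODY_BYTES:
            findings["repeated_small_posts"].append((host, len(sizes)))
    # Sorted lists make the output deterministic and easy to diff between captures.
    return {name: sorted(hits) for name, hits in findings.items()}


def suspicious_hosts(findings, minimum=2):
    """Count how many indicators fired per host; hosts at or above `minimum` get analyst attention."""
    score = defaultdict(int)
    for hits in findings.values():
        for hit in hits:
            host = hit[0] if isinstance(hit, tuple) else hit
            score[host] += 1
    return {host: n for host, n in score.items() if n >= minimum}


if __name__ == "__main__":
    result = analyze(SAMPLE_REQUESTS)
    for name, hits in result.items():
        print(f"{name}: {hits}")
    print("hosts to triage:", suspicious_hosts(result))
```

On the constructed sample, abdh12kq.xyz scores three (repeated small POSTs, odd User-Agent, DGA-like name) and 203.0.113.10 scores three (repeated small POSTs, missing User-Agent, direct-to-IP), while the bank login fires only the plaintext-credential rule and the bulk upload host fires nothing. The DGA rule is purely lexical and will misfire on some legitimate short-vowel brand names, so it is a triage signal to combine with the other indicators, not a verdict on its own.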
References
[1] Wikipedia Contributors, “Zeus (malware),” Wikipedia, Nov. 07, 2019. https://en.wikipedia.org/wiki/Zeus_(malware). Accessed July 7, 2025.
[2] REXor, “Pony | Fareit,” RexorVc0, Feb. 04, 2024. https://rexorvc0.com/2024/02/04/Pony_Fareit/. Accessed July 7, 2025.