Recently Avast found the malformed FileZilla FTP client versions 3.7.3 and 3.5.3, these malware versions of famous open source FTP clients.
Malware installer GUI is almost identical to the official version. The only slight difference is version of NullSoft installer where malware uses 2.46.3-Unicode and the official installer uses v2.45-Unicode.
The installed malware FTP client looks like the official version and it is fully functional! You can’t find any suspicious behavior, entries in the system registry, communication or changes in application GUI.
The only differences that can be seen at first glance are smaller filesize of filezilla.exe (~6,8 MB), 2 dll libraries ibgcc_s_dw2-1.dll and libstdc++-6.dll and information in “About FileZilla” window indicates the use of older SQLite/GnuTLS versions.
Avast found a hardcoded connection detail stealer after deeper analysis. Malware authors abuse open source code and add their own stealer function to the main code.
The algorithm is part of a malformed FileZilla.exe binary, therefore sending stolen log in details which bypasses the firewall. The whole operation is very quick and quiet.
Log in details are sent to attackers from the ongoing FTP connection only once. Malware doesn’t search bookmarks or send any other files or saved connections.
Below is the communication when the FTP client (v3.7.3) is sending log in information
The stolen data is sent to the IP 144.76.120.243 that belongs server hosted in Germany.
They are found 3 domains that link to same IP:
Malware authors use very powerful and inconspicuous method to steal FTP log in credentials in this case. As you can see, malware version 3.5.3 was compiled in September 2012 and it’s almost without detection nowadays.
How to protect yourself
I strongly recommend to download any software only from official, well-known or trusted sources. Avoid strange looking websites and portals offering software via their own downloaders or installers containing bundled adware and PUP applications.
Malicious Installer v3.5.3:
SHA256: 595D954C7CE574337C97A0801E779BC3DCA94FC92AFAE8F483DCDD1A053C5C24
Malicious FileZilla.exe v3.5.3
SHA256: 525E9ED135C1435772A774D7AD7168CECCD225E354118E621482DB61174F6734
Malicious Installer v3.7.3
SHA256: B9A12F9B6827144D84E65EF2BA454D77CB423C5E136F44BC8D3163D93B97F11F
Malicious FileZilla.exe v3.7.3
SHA256: 2451599C03B136C1848F538184F0F266973B65AFC8DD25F272A7E6B0555B657A
Malware installer GUI is almost identical to the official version. The only slight difference is version of NullSoft installer where malware uses 2.46.3-Unicode and the official installer uses v2.45-Unicode.
The installed malware FTP client looks like the official version and it is fully functional! You can’t find any suspicious behavior, entries in the system registry, communication or changes in application GUI.
The only differences that can be seen at first glance are smaller filesize of filezilla.exe (~6,8 MB), 2 dll libraries ibgcc_s_dw2-1.dll and libstdc++-6.dll and information in “About FileZilla” window indicates the use of older SQLite/GnuTLS versions.
Avast found a hardcoded connection detail stealer after deeper analysis. Malware authors abuse open source code and add their own stealer function to the main code.
The algorithm is part of a malformed FileZilla.exe binary, therefore sending stolen log in details which bypasses the firewall. The whole operation is very quick and quiet.
Log in details are sent to attackers from the ongoing FTP connection only once. Malware doesn’t search bookmarks or send any other files or saved connections.
Below is the communication when the FTP client (v3.7.3) is sending log in information
The stolen data is sent to the IP 144.76.120.243 that belongs server hosted in Germany.
They are found 3 domains that link to same IP:
| go-upload.ru | created 2012.09.23 |
| aliserv2013.ru | created 2013.09.09 |
| ngusto-uro.ru | created 2013.09.19 |
The domains are registered through the infamous Russian domain registrar Naunet.ru, which is associated with malware and spam activities. This registrar hides client contact info and ignores requests to suspend illegal domains.
Malware authors use very powerful and inconspicuous method to steal FTP log in credentials in this case. As you can see, malware version 3.5.3 was compiled in September 2012 and it’s almost without detection nowadays.
How to protect yourself
I strongly recommend to download any software only from official, well-known or trusted sources. Avoid strange looking websites and portals offering software via their own downloaders or installers containing bundled adware and PUP applications.
Malicious Installer v3.5.3:
SHA256: 595D954C7CE574337C97A0801E779BC3DCA94FC92AFAE8F483DCDD1A053C5C24
Malicious FileZilla.exe v3.5.3
SHA256: 525E9ED135C1435772A774D7AD7168CECCD225E354118E621482DB61174F6734
Malicious Installer v3.7.3
SHA256: B9A12F9B6827144D84E65EF2BA454D77CB423C5E136F44BC8D3163D93B97F11F
Malicious FileZilla.exe v3.7.3
SHA256: 2451599C03B136C1848F538184F0F266973B65AFC8DD25F272A7E6B0555B657A
No comments:
Post a Comment