Filezilla ftp client malware
Malformed FileZilla FTP client with login stealer

Beware of malformed FileZilla FTP client versions 3.7.3 and 3.5.3. We have noticed an increased presence of these malware versions of famous open source FTP clients. The first suspicious signs are bogus download URLs. As you can see, the installer is mostly hosted on hacked websites with fake content (for example, texts and user comments are represented by images). The malware installer GUI is almost identical to the official version. The only slight difference is the version of the NullSoft installer: the malware uses 2.46.3-Unicode, while the official installer uses v2.45-Unicode. All other elements like texts, buttons, icons and images are the same. The installed malware FTP client looks like the official version and it is fully functional! You can't find any suspicious behavior, entries in the system registry, communication or changes in the application GUI. The only differences that can be seen at first glance are the smaller file size of filezilla.exe (~6.8 MB), two DLL libraries, libgcc_s_dw2-1.dll and libstdc++-6.dll (not included in the official version), and the information in the "About FileZilla" window, which indicates the use of older SQLite/GnuTLS versions.

FILEZILLA FTP CLIENT MALWARE UPDATE

Any attempt to update the application fails, which is most likely a protection to prevent overwriting of the malware binaries.

FILEZILLA FTP CLIENT MALWARE CODE

Malware authors abuse the open source code and add their own stealer function to the main code. After deeper analysis we found a hardcoded connection detail stealer. The algorithm is part of the malformed FileZilla.exe binary itself, so the stolen login details are sent from the FTP client process, which bypasses the firewall. The whole operation is very quick and quiet. Login details are sent to the attackers from the ongoing FTP connection only once. The malware doesn't search bookmarks or send any other files or saved connections.

Here is a communication when the FTP client (v3.7.3) is sending login information: the stolen login information is converted into the prepared form, encoded through a custom base64 algorithm, and sent to the attacker's server. The prepared login information, encoded with the custom base64 algorithm, is finally sent to the attackers via the WS2_32.send API. Stolen data is sent to the IP 144.76.120.243, which belongs to a server hosted in Germany. We found 3 domains that link to the same IP:
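A defender-side check built from the differences listed above (the two extra DLLs, the ~6.8 MB filezilla.exe and the 2.46.3-Unicode installer stamp). This is an added example, not code from the original post or from the FileZilla project; the size tolerance and the sample inventories are constructed assumptions.

```python
"""Indicator check for a FileZilla installation, built from the differences the
post above lists: the two MinGW runtime DLLs the official build does not ship,
a filezilla.exe of roughly 6.8 MB, and an NSIS installer stamp of
'2.46.3-Unicode' instead of the official 'v2.45-Unicode'.
Added example, not code from the original post; the exact size band and the
sample inventories below are constructed assumptions."""
import os
from typing import Dict, List, Optional

EXTRA_DLLS = {"libgcc_s_dw2-1.dll", "libstdc++-6.dll"}  # not in the official build
TROJANISED_NSIS = "2.46.3-Unicode"
OFFICIAL_NSIS = "v2.45-Unicode"
# Assumed tolerance around the ~6.8 MB exe size the post reports.
SUSPECT_EXE_MIN, SUSPECT_EXE_MAX = 6_500_000, 7_100_000


def inventory_dir(path: str) -> Dict[str, int]:
    """Build a {filename: size} map of the top-level files in an install directory."""
    return {e.name: e.stat().st_size for e in os.scandir(path) if e.is_file()}


def assess_install(listing: Dict[str, int], nsis_stamp: Optional[str] = None) -> List[str]:
    """Return one finding per matched indicator; an empty list means nothing matched."""
    findings: List[str] = []
    # Windows file names are case-insensitive, so compare lower-cased names.
    lowered = {name.lower(): size for name, size in listing.items()}
    extra = sorted(EXTRA_DLLS & set(lowered))
    if extra:
        findings.append("bundled runtime DLLs absent from the official build: " + ", ".join(extra))
    exe_size = lowered.get("filezilla.exe")
    if exe_size is not None and SUSPECT_EXE_MIN <= exe_size <= SUSPECT_EXE_MAX:
        findings.append(f"filezilla.exe is {exe_size} bytes, in the ~6.8 MB band of the trojanised build")
    if nsis_stamp == TROJANISED_NSIS:
        findings.append(f"installer stamp {nsis_stamp!r} (official installer reports {OFFICIAL_NSIS!r})")
    return findings


# Constructed sample inventories, not captured from real installations.
TROJANISED_SAMPLE = {"FileZilla.exe": 6_800_000, "libgcc_s_dw2-1.dll": 118_000,
                     "libstdc++-6.dll": 960_000, "fzsftp.exe": 1_050_000}
OFFICIAL_SAMPLE = {"FileZilla.exe": 9_900_000, "fzsftp.exe": 1_050_000}

if __name__ == "__main__":
    for label, inv, stamp in (("trojanised sample", TROJANISED_SAMPLE, TROJANISED_NSIS),
                              ("official sample", OFFICIAL_SAMPLE, OFFICIAL_NSIS)):
        hits = assess_install(inv, stamp)
        print(f"{label}: " + (" | ".join(hits) if hits else "no indicators matched"))
```

To run it against a real installation, pass `inventory_dir(r"C:\Program Files\FileZilla FTP Client")` to `assess_install` together with the installer stamp read from the downloaded setup file.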