Malformed FileZilla FTP client steals login credentials
Couple of days ago Avast reported about malformed FileZilla FTP client. Malware installer GUI and installed malware FTP client is almost identical to the official version, and fully functional.
Primary mission of this malware is stealing your login information and sending it to attackers.
According to Avast, malware versions of famous open source FTP clients on increase. (Versions 3.7.3 and 3.5.3)
You can find identifying / protection info and technical details below.
How to identify and protect
First detail to identify this malware is downloading url. Malware installer is mostly hosted on hacked websites with fake content (for example texts and user comments are represented by images.)
Also the difference between malware installer and official Filezilla installer is version of NullSoft installer where malware uses 2.46.3-Unicode and the official installer uses v2.45-Unicode. All other parts of both installers (texts,buttons etc) are identical.
Other detail to identify this malware is smaller filesize of filezilla.exe (~6,8 MB). Also 2 dll libraries ibgcc_s_dw2-1.dll and libstdc++-6.dll being installed with fake installer which not included in the official version. And information in “About FileZilla” window showing use of older SQLite/GnuTLS versions.
Another suspicious sign is update function, which is not working in fake version for protecting malware binary.
Best way of protecting is using up-to-date antivirus software and download any software from official, well-known or trusted sources.
Deeper analysis on malware shows that malware authors add their steal code to original open source code.
Log in details sent to hackers using ongoing FTP connection only once. Stolen log in information is converted into the following format:
then encoded through custom base64 algorithm and sent to the attacker’s server. Here is communication details while fake FTP client (v3.7.3) sending log in information:
Login info is sent to the IP 22.214.171.124, which resolves as follows;
Additional hash information:
Malicious Installer v3.5.3:
Malicious FileZilla.exe v3.5.3
Malicious Installer v3.7.3
Malicious FileZilla.exe v3.7.3
3,907 total views, 3 views today