Malware authors are getting increasingly creative in their attempts to bypass security controls and reach critical information, for example by using password-stealer malware to harvest stored credentials and intercept web traffic. In this post, we build a behavioral profile of the password stealer Trojan.FTP.13809.A.

File Transfer Protocol (FTP) has long been a common mechanism through which IT professionals and other users exchange files. Free FTP clients are plentiful, and most of them offer rich feature sets. Two common features are of particular interest to attackers: the ability of an FTP client to remember FTP servers that a user has previously connected to, and the ability to configure an FTP client to use an FTP proxy.

Why would an attacker want the credentials to an FTP server? The first and most basic goal is access to all the files on the server. A second layer of malicious activity is to use that FTP access to reach a web site's document root and modify existing dynamic pages (PHP, ASP, etc.) to embed malicious code. By compromising a web site in this way an attacker can infect the site's visitors while masquerading as a legitimate site.

How, then, would an attacker benefit from modifying an FTP client's configuration to point at a malicious FTP proxy server? The benefits are similar to those of stealing credentials. Diverting the client's FTP traffic through a proxy the attacker controls gives the attacker the contents of every file uploaded or downloaded and, since plain FTP sends the login in clear text, the credentials too. It also provides an easy mechanism for pushing modified files to a web server.

These issues stem from a fundamental weakness in the way most FTP clients store their configuration: on the user's local computer, in configuration files that often hold host names, user names and passwords in plain text, or at best in a trivially reversible encoding. This covers every server the user has ever attempted to connect to, and the same holds for the FTP proxy configuration.

Not long ago, while on vacation, I received a suspicious email with an attachment that looked dodgy. In the "From" line the sender appears as Miguel Felix with the email address Miguel_Felix@citibank.com. Notice in the screenshot below the use of the citibank.com domain; the From header is trivially forged, so it says nothing about the real sender.

[Screenshot: Windows 7 64-bit, Email-2013-09-01-12-02-03]

After unzipping the attachment I found a file which, on a machine with the option "Hide extensions for known file types" switched on (the default Windows configuration), looks like this:

[Screenshot: Windows 7 32bit (Honeypot), Folio-2013-09-01-11-02-33]

The file, Loan_08082013, looks like a PDF file, doesn't it? It is not. By hiding the real extension behind a document-style icon, the attackers are trying to trick the user into double-clicking the file.

Of course, savvy users who pay close attention to file extensions, and who have turned off the option "Hide extensions for known file types", will notice that this file is in fact an executable masquerading as a PDF:

[Screenshot: Windows 7 32bit (Honeypot), Folio-2013-09-01-11-57-21]

A quick static look shows that the executable is packed. Packing is often used to complicate reverse engineering and frustrate static analysis. A tell-tale sign is the sparse import table: the packed executable imports only a few Win32 APIs from kernel32.dll and four APIs from DBGHELP.dll, and the real imports are resolved at run time once the unpacking stub has run:

[Screenshot: Windows 7 32bit (Honeypot), Folio-2013-09-01-11-02-35]

This intrigued me, so I ran it on both 32-bit and 64-bit images in our Vinsula Execution Engine to find out what it actually does.

After running the malware, our Vinsula Execution Engine captured all key aspects of Trojan.FTP.13809.A's behavior. The reporting component of Vinsula then produced the process cascade view, which lays out the execution model of this specific sample. It is very clear that Trojan.FTP.13809.A is built to harvest stored credentials and send them to its command-and-control (CnC) server(s).

Here are the vendors and products whose configuration locations the sample probes. Not all of them are FTP clients: the list also includes Chromium-based browsers (Chromium, RockMelt, Nichrome, ChromePlus) and email clients (The Bat!, Pocomail), and some, like Comodo, are security vendors whose products Trojan.FTP.13809.A appears to target as well.

  • 3D-FTP
  • BatMail
  • BitKinex
  • BlazeFtp
  • Bromium
  • BulletProof Software – FTP Client
  • Chromium
  • CoffeeCup Software
  • Comodo
  • CuteFTP
  • ExpanDrive
  • FileZilla
  • FlashFXP
  • Frigate3
  • FTP Explorer
  • FTPInfo
  • FTPRush
  • GHISLER
  • GlobalSCAPE
  • Global Downloader
  • GPSoftware – Directory Opus
  • INSoftware NovaFTP
  • Ipswitch
  • LeapWare LeapFTP
  • MapleStudio ChromePlus
  • NetSarang
  • Nichrome
  • Notepad++
  • Pocomail
  • RockMelt
  • SiteDesigner
  • Sites
  • SmartFTP
  • The Bat!
  • TurboFTP
  • VanDyke
  • Visicom Media
  • Yandex

One example of the weakness Trojan.FTP.13809.A exploits is FileZilla's habit of keeping host names, user names and passwords in clear text in one of its XML configuration files, recentservers.xml (and, for saved sites, sitemanager.xml); later FileZilla versions merely base64-encode the password, which is no protection at all. From the log details at the bottom of the post it is clear that Trojan.FTP.13809.A looks for these files in every location FileZilla might use (ProgramData, AppData\Local and AppData\Roaming) with the intention of obtaining login credentials and host names.
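As an added example, not code from the original post or from Vinsula, the following Python script parses the layout FileZilla 3 uses for recentservers.xml and sitemanager.xml and pulls out every saved host, user name and password. It handles both the clear-text Pass element of the files the sample was after in 2013 and the base64 "encoding" attribute later versions write, which the script decodes in one line. The XML below is constructed for this example; its hosts, users and passwords are made up. Pointing the script at the files in your own %APPDATA%\FileZilla directory is a quick audit of exactly what a stealer like this one walks away with.

```python
import base64
import sys
import xml.etree.ElementTree as ET

# Constructed sample in the layout FileZilla 3 uses for recentservers.xml
# (and, under <Servers>, sitemanager.xml). Hosts, users and passwords are
# made up for this example.
SAMPLE_RECENTSERVERS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<FileZilla3>
  <RecentServers>
    <Server>
      <Host>ftp.example.org</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <Type>0</Type>
      <User>webadmin</User>
      <Pass>Summer2013!</Pass>
      <Logontype>1</Logontype>
    </Server>
    <Server>
      <Host>sftp.example.net</Host>
      <Port>22</Port>
      <Protocol>1</Protocol>
      <Type>0</Type>
      <User>deploy</User>
      <Pass encoding="base64">aHVudGVyMg==</Pass>
      <Logontype>1</Logontype>
    </Server>
    <Server>
      <Host>ftp.mirror.example</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <Type>0</Type>
      <User>anonymous</User>
      <Logontype>0</Logontype>
    </Server>
  </RecentServers>
</FileZilla3>
"""

# FileZilla Logontype 1 ("Normal") is the mode in which the password is saved.
LOGONTYPE_NORMAL = 1


def decode_pass(pass_el):
    """Return the stored password. FileZilla writes it either as clear text or,
    in later versions, as base64 marked by encoding="base64". Neither is encryption."""
    if pass_el is None or not pass_el.text:
        return None
    if pass_el.get("encoding") == "base64":
        return base64.b64decode(pass_el.text).decode("utf-8")
    return pass_el.text


def extract_filezilla_credentials(xml_text):
    """Walk every <Server> element; works for both RecentServers and Servers trees."""
    root = ET.fromstring(xml_text)
    entries = []
    for server in root.iter("Server"):
        def field(tag, default=""):
            el = server.find(tag)
            return el.text if el is not None and el.text else default
        entries.append({
            "host": field("Host"),
            "port": int(field("Port", "21")),
            "protocol": int(field("Protocol", "0")),  # 0 = FTP, 1 = SFTP in FileZilla's numbering
            "user": field("User"),
            "logontype": int(field("Logontype", "0")),
            "password": decode_pass(server.find("Pass")),
        })
    return entries


def saved_passwords(entries):
    """Only the entries a stealer profits from: a saved password for a normal logon."""
    return [e for e in entries if e["logontype"] == LOGONTYPE_NORMAL and e["password"]]


def main(argv):
    # Usage: python filezilla_audit.py [path\to\recentservers.xml]
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            xml_text = fh.read()
    else:
        xml_text = SAMPLE_RECENTSERVERS_XML
    for e in saved_passwords(extract_filezilla_credentials(xml_text)):
        print(f"{e['user']}@{e['host']}:{e['port']} -> {e['password']}")


if __name__ == "__main__":
    main(sys.argv)
```

Run without arguments it prints the two saved logins from the constructed sample and skips the anonymous one; run with a path it does the same for a real FileZilla file. There is no key material involved anywhere, which is the whole point: any process running as the user can do this.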

The CnC server at IP address 50.57.185.72, which the sample talks to on TCP port 8080, appears to be a compromised web server. According to ipligence.com, the server is located in the USA.

[Screenshot: Windows 7 32bit (Honeypot), Folio-2013-09-01-13-02-33]

The reverse lookup for IP address 50.57.185.72 resolves to www [dot] arki [dot] com. I would strongly recommend not visiting this site, as it is very likely compromised.

[Screenshot: Windows 7 32bit (Honeypot), Folio-2013-09-01-13-03-00]

For the purpose of this post, I have extracted a small portion of the events captured by the Vinsula Execution Engine: a few file and network events that demonstrate the malicious intent of Trojan.FTP.13809.A. The "Create File" events correspond to the Win32 CreateFile call, which is how a process opens an existing file as well as how it creates one; here the sample is looking for and reading these files in every location the products might store them (ProgramData, AppData\Local and AppData\Roaming).

===========================
=== File Events ===
===========================

Loan_08082013.exe [Process Id: 2792]
Event:Create File[C:\ProgramData\3D-FTP]
Event:Create File[C:\ProgramData\BatMail]
Event:Create File[C:\ProgramData\BlazeFtp]
Event:Create File[C:\ProgramData\Bromium]
Event:Create File[C:\ProgramData\ChromePlus]
Event:Create File[C:\ProgramData\Chromium]
Event:Create File[C:\ProgramData\Comodo]
Event:Create File[C:\ProgramData\FTPInfo]
Event:Create File[C:\ProgramData\Global Downloader]
Event:Create File[C:\ProgramData\Google\Chrome\]
Event:Create File[C:\ProgramData\INSoftware\NovaFTP\]
Event:Create File[C:\ProgramData\MapleStudio\ChromePlus\]
Event:Create File[C:\ProgramData\NetSarang]
Event:Create File[C:\ProgramData\Nichrome]
Event:Create File[C:\ProgramData\Notepad++]
Event:Create File[C:\ProgramData\Pocomail]
Event:Create File[C:\ProgramData\RockMelt]
Event:Create File[C:\ProgramData\SiteDesigner]
Event:Create File[C:\ProgramData\Sites]
Event:Create File[C:\ProgramData\The Bat!]
Event:Create File[C:\ProgramData\Visicom Media]
Event:Create File[C:\ProgramData\Yandex]
Event:Create File[C:\ProgramData\BitKinex]
Event:Create File[C:\ProgramData\BulletProof Software]
Event:Create File[C:\ProgramData\CoffeeCup Software\SharedSettings.ccs]
Event:Create File[C:\ProgramData\CoffeeCup Software\SharedSettings.sqlite]
Event:Create File[C:\ProgramData\CoffeeCup Software\SharedSettings_1_0_5.ccs]
Event:Create File[C:\ProgramData\CoffeeCup Software\SharedSettings_1_0_5.sqlite]
Event:Create File[C:\ProgramData\CuteFTP]
Event:Create File[C:\ProgramData\CuteFTP\sm.dat]
Event:Create File[C:\ProgramData\ExpanDrive\drives.js]
Event:Create File[C:\ProgramData\FileZilla\filezilla.xml]
Event:Create File[C:\ProgramData\FileZilla\recentservers.xml]
Event:Create File[C:\ProgramData\FileZilla\sitemanager.xml]
Event:Create File[C:\ProgramData\FlashFXP\3\History.dat]
Event:Create File[C:\ProgramData\FlashFXP\3\Quick.dat]
Event:Create File[C:\ProgramData\FlashFXP\3\Sites.dat]
Event:Create File[C:\ProgramData\FlashFXP\4\History.dat]
Event:Create File[C:\ProgramData\FlashFXP\4\Quick.dat]
Event:Create File[C:\ProgramData\FlashFXP\4\Sites.dat]
Event:Create File[C:\ProgramData\Frigate3]
Event:Create File[C:\ProgramData\FTP Explorer]
Event:Create File[C:\ProgramData\FTPRush]
Event:Create File[C:\ProgramData\GHISLER\wcx_ftp.ini]
Event:Create File[C:\ProgramData\GlobalSCAPE\CuteFTP Lite\]
Event:Create File[C:\ProgramData\GlobalSCAPE\CuteFTP Lite\sm.dat]
Event:Create File[C:\ProgramData\GlobalSCAPE\CuteFTP Pro\]
Event:Create File[C:\ProgramData\GlobalSCAPE\CuteFTP Pro\sm.dat]
Event:Create File[C:\ProgramData\GlobalSCAPE\CuteFTP\]
Event:Create File[C:\ProgramData\GlobalSCAPE\CuteFTP\sm.dat]
Event:Create File[C:\ProgramData\GPSoftware\Directory Opus\]
Event:Create File[C:\ProgramData\Ipswitch]
Event:Create File[C:\ProgramData\LeapWare\LeapFTP\]
Event:Create File[C:\ProgramData\SharedSettings.ccs]
Event:Create File[C:\ProgramData\SharedSettings.sqlite]
Event:Create File[C:\ProgramData\SharedSettings_1_0_5.ccs]
Event:Create File[C:\ProgramData\SharedSettings_1_0_5.sqlite]
Event:Create File[C:\ProgramData\SmartFTP]
Event:Create File[C:\ProgramData\TurboFTP]
Event:Create File[C:\ProgramData\VanDyke\Config\Sessions\]
Event:Create File[C:\Users\jsmith\AppData\Local\BitKinex]
Event:Create File[C:\Users\jsmith\AppData\Local\BulletProof Software]
Event:Create File[C:\Users\jsmith\AppData\Local\CoffeeCup Software\SharedSettings.ccs]
Event:Create File[C:\Users\jsmith\AppData\Local\CoffeeCup Software\SharedSettings.sqlite]
Event:Create File[C:\Users\jsmith\AppData\Local\CoffeeCup Software\SharedSettings_1_0_5.ccs]
Event:Create File[C:\Users\jsmith\AppData\Local\CoffeeCup Software\SharedSettings_1_0_5.sqlite]
Event:Create File[C:\Users\jsmith\AppData\Local\CuteFTP]
Event:Create File[C:\Users\jsmith\AppData\Local\CuteFTP\sm.dat]
Event:Create File[C:\Users\jsmith\AppData\Local\ExpanDrive\drives.js]
Event:Create File[C:\Users\jsmith\AppData\Local\FileZilla\filezilla.xml]
Event:Create File[C:\Users\jsmith\AppData\Local\FileZilla\recentservers.xml]
Event:Create File[C:\Users\jsmith\AppData\Local\FileZilla\sitemanager.xml]
Event:Create File[C:\Users\jsmith\AppData\Local\FlashFXP\3\History.dat]
Event:Create File[C:\Users\jsmith\AppData\Local\FlashFXP\3\Quick.dat]
Event:Create File[C:\Users\jsmith\AppData\Local\FlashFXP\3\Sites.dat]
Event:Create File[C:\Users\jsmith\AppData\Local\FlashFXP\4\History.dat]
Event:Create File[C:\Users\jsmith\AppData\Local\FlashFXP\4\Quick.dat]
Event:Create File[C:\Users\jsmith\AppData\Local\FlashFXP\4\Sites.dat]
Event:Create File[C:\Users\jsmith\AppData\Local\Frigate3]
Event:Create File[C:\Users\jsmith\AppData\Local\FTP Explorer]
Event:Create File[C:\Users\jsmith\AppData\Local\FTPRush]
Event:Create File[C:\Users\jsmith\AppData\Local\GHISLER\wcx_ftp.ini]
Event:Create File[C:\Users\jsmith\AppData\Local\GlobalSCAPE\CuteFTP Lite\]
Event:Create File[C:\Users\jsmith\AppData\Local\GlobalSCAPE\CuteFTP Lite\sm.dat]
Event:Create File[C:\Users\jsmith\AppData\Local\GlobalSCAPE\CuteFTP Pro\]
Event:Create File[C:\Users\jsmith\AppData\Local\GlobalSCAPE\CuteFTP Pro\sm.dat]
Event:Create File[C:\Users\jsmith\AppData\Local\GlobalSCAPE\CuteFTP\]
Event:Create File[C:\Users\jsmith\AppData\Local\GlobalSCAPE\CuteFTP\sm.dat]
Event:Create File[C:\Users\jsmith\AppData\Local\GPSoftware\Directory Opus\]
Event:Create File[C:\Users\jsmith\AppData\Local\Ipswitch]
Event:Create File[C:\Users\jsmith\AppData\Local\LeapWare\LeapFTP\]
Event:Create File[C:\Users\jsmith\AppData\Local\SharedSettings.ccs]
Event:Create File[C:\Users\jsmith\AppData\Local\SharedSettings.sqlite]
Event:Create File[C:\Users\jsmith\AppData\Local\SharedSettings_1_0_5.ccs]
Event:Create File[C:\Users\jsmith\AppData\Local\SharedSettings_1_0_5.sqlite]
Event:Create File[C:\Users\jsmith\AppData\Local\SmartFTP]
Event:Create File[C:\Users\jsmith\AppData\Local\Temp\HWID]
Event:Create File[C:\Users\jsmith\AppData\Local\TurboFTP]
Event:Create File[C:\Users\jsmith\AppData\Local\VanDyke\Config\Sessions\]
Event:Create File[C:\Users\jsmith\AppData\Roaming\BitKinex]
Event:Create File[C:\Users\jsmith\AppData\Roaming\BulletProof Software]
Event:Create File[C:\Users\jsmith\AppData\Roaming\CoffeeCup Software\SharedSettings.ccs]
Event:Create File[C:\Users\jsmith\AppData\Roaming\CoffeeCup Software\SharedSettings.sqlite]
Event:Create File[C:\Users\jsmith\AppData\Roaming\CoffeeCup Software\SharedSettings_1_0_5.ccs]
Event:Create File[C:\Users\jsmith\AppData\Roaming\CoffeeCup Software\SharedSettings_1_0_5.sqlite]
Event:Create File[C:\Users\jsmith\AppData\Roaming\CuteFTP]
Event:Create File[C:\Users\jsmith\AppData\Roaming\CuteFTP\sm.dat]
Event:Create File[C:\Users\jsmith\AppData\Roaming\ExpanDrive\drives.js]
Event:Create File[C:\Users\jsmith\AppData\Roaming\FileZilla\filezilla.xml]
Event:Create File[C:\Users\jsmith\AppData\Roaming\FileZilla\recentservers.xml]
Event:Create File[C:\Users\jsmith\AppData\Roaming\FileZilla\sitemanager.xml]
Event:Create File[C:\Users\jsmith\AppData\Roaming\FlashFXP\3\History.dat]
Event:Create File[C:\Users\jsmith\AppData\Roaming\FlashFXP\3\Quick.dat]
Event:Create File[C:\Users\jsmith\AppData\Roaming\FlashFXP\3\Sites.dat]
Event:Create File[C:\Users\jsmith\AppData\Roaming\FlashFXP\4\History.dat]
Event:Create File[C:\Users\jsmith\AppData\Roaming\FlashFXP\4\Quick.dat]
Event:Create File[C:\Users\jsmith\AppData\Roaming\FlashFXP\4\Sites.dat]
Event:Create File[C:\Users\jsmith\AppData\Roaming\Frigate3]
Event:Create File[C:\Users\jsmith\AppData\Roaming\FTP Explorer]
Event:Create File[C:\Users\jsmith\AppData\Roaming\FTPRush]
Event:Create File[C:\Users\jsmith\AppData\Roaming\GHISLER\wcx_ftp.ini]
Event:Create File[C:\Users\jsmith\AppData\Roaming\GlobalSCAPE\CuteFTP Lite\]
Event:Create File[C:\Users\jsmith\AppData\Roaming\GlobalSCAPE\CuteFTP Lite\sm.dat]
Event:Create File[C:\Users\jsmith\AppData\Roaming\GlobalSCAPE\CuteFTP Pro\]
Event:Create File[C:\Users\jsmith\AppData\Roaming\GlobalSCAPE\CuteFTP Pro\sm.dat]
Event:Create File[C:\Users\jsmith\AppData\Roaming\GlobalSCAPE\CuteFTP\]
Event:Create File[C:\Users\jsmith\AppData\Roaming\GlobalSCAPE\CuteFTP\sm.dat]
Event:Create File[C:\Users\jsmith\AppData\Roaming\GPSoftware\Directory Opus\]
Event:Create File[C:\Users\jsmith\AppData\Roaming\Ipswitch]
Event:Create File[C:\Users\jsmith\AppData\Roaming\LeapWare\LeapFTP\]
Event:Create File[C:\Users\jsmith\AppData\Roaming\SharedSettings.ccs]
Event:Create File[C:\Users\jsmith\AppData\Roaming\SharedSettings.sqlite]
Event:Create File[C:\Users\jsmith\AppData\Roaming\SharedSettings_1_0_5.ccs]
Event:Create File[C:\Users\jsmith\AppData\Roaming\SharedSettings_1_0_5.sqlite]
Event:Create File[C:\Users\jsmith\AppData\Roaming\SmartFTP]
Event:Create File[C:\Users\jsmith\AppData\Roaming\TurboFTP]
Event:Create File[C:\Users\jsmith\AppData\Roaming\VanDyke\Config\Sessions\]
Event:Create File[C:\Users\jsmith\wcx_ftp.ini]

===============================
=== Network Events ===
===============================
Loan_08082013.exe [Process Id: 2792]
=> TCP IPv4 XXX.XXX.134.4:49192 <==> 50.57.185.72:8080
=> TCP IPv4 XXX.XXX.134.4:49193 <==> 50.57.185.72:8080
=> TCP IPv4 XXX.XXX.134.4:49194 <==> 50.57.185.72:8080
=> TCP IPv4 XXX.XXX.134.4:49195 <==> 50.57.185.72:8080
=> TCP IPv4 XXX.XXX.134.4:49198 <==> 50.57.185.72:8080
=> TCP IPv4 XXX.XXX.134.4:49199 <==> 50.57.185.72:8080
=> TCP IPv4 XXX.XXX.134.4:49200 <==> 50.57.185.72:8080
=> TCP IPv4 XXX.XXX.134.4:49202 <==> 50.57.185.72:8080
=> TCP IPv4 XXX.XXX.134.4:49203 <==> 50.57.185.72:8080
=> TCP IPv4 XXX.XXX.134.4:49204 <==> 50.57.185.72:8080
=> TCP IPv4 XXX.XXX.134.4:49205 <==> 50.57.185.72:8080
=> TCP IPv4 XXX.XXX.134.4:49207 <==> 50.57.185.72:8080
=> TCP IPv4 XXX.XXX.134.4:49210 <==> 50.57.185.72:8080
=> TCP IPv4 XXX.XXX.134.4:49211 <==> 50.57.185.72:8080
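As an added example, not part of the original post or of Vinsula's tooling, here is a small Python detector that runs over log lines in the format shown above. It groups file and network events by the process header that precedes them, counts how many distinct vendor configuration directories and known credential files a process opened, and flags a process that touches several of them and then makes repeated connections to a single endpoint. The behavioral point is that no legitimate program opens the saved-session files of half a dozen different FTP clients in one run, whereas any single client legitimately reads its own. The sample log is constructed from lines in this post plus a made-up benign filezilla.exe process that reads its own sitemanager.xml and must not be flagged; the thresholds are assumptions to tune, not values from the post.

```python
import re
from collections import Counter

# Constructed sample: an excerpt of the Vinsula-style log above, plus a made-up
# benign filezilla.exe process for contrast.
SAMPLE_LOG = r"""
===========================
=== File Events ===
===========================

Loan_08082013.exe [Process Id: 2792]
Event:Create File[C:\ProgramData\FileZilla\recentservers.xml]
Event:Create File[C:\ProgramData\FileZilla\sitemanager.xml]
Event:Create File[C:\ProgramData\FlashFXP\4\Sites.dat]
Event:Create File[C:\ProgramData\GHISLER\wcx_ftp.ini]
Event:Create File[C:\ProgramData\GlobalSCAPE\CuteFTP Pro\sm.dat]
Event:Create File[C:\Users\jsmith\AppData\Roaming\SmartFTP]
Event:Create File[C:\Users\jsmith\AppData\Roaming\VanDyke\Config\Sessions\]
Event:Create File[C:\Users\jsmith\AppData\Local\Temp\HWID]

filezilla.exe [Process Id: 3104]
Event:Create File[C:\Users\jsmith\AppData\Roaming\FileZilla\sitemanager.xml]
Event:Create File[C:\Users\jsmith\AppData\Roaming\FileZilla\filezilla.xml]

===============================
=== Network Events ===
===============================
Loan_08082013.exe [Process Id: 2792]
=> TCP IPv4 XXX.XXX.134.4:49192 <==> 50.57.185.72:8080
=> TCP IPv4 XXX.XXX.134.4:49193 <==> 50.57.185.72:8080
=> TCP IPv4 XXX.XXX.134.4:49194 <==> 50.57.185.72:8080
=> TCP IPv4 XXX.XXX.134.4:49195 <==> 50.57.185.72:8080
=> TCP IPv4 XXX.XXX.134.4:49198 <==> 50.57.185.72:8080
"""

PROCESS_RE = re.compile(r"^(?P<image>\S+) \[Process Id: (?P<pid>\d+)\]$")
FILE_RE = re.compile(r"^Event:Create File\[(?P<path>.+)\]$")
NET_RE = re.compile(r"^=> TCP IPv4 (?P<src>\S+):(?P<sport>\d+) <==> (?P<dst>\S+):(?P<dport>\d+)$")
# The directory right under ProgramData, AppData\Local or AppData\Roaming names the vendor/product.
VENDOR_DIR_RE = re.compile(r"\\(?:ProgramData|AppData\\(?:Local|Roaming))\\([^\\]+)", re.IGNORECASE)
# Directories that are not a product and would inflate the vendor count (assumed tuning list).
IGNORED_DIRS = {"temp", "microsoft"}

# Config files named in the log above that hold saved server credentials.
KNOWN_CREDENTIAL_FILES = {
    "recentservers.xml": "FileZilla",
    "sitemanager.xml": "FileZilla",
    "sm.dat": "CuteFTP",
    "wcx_ftp.ini": "Total Commander (GHISLER)",
    "drives.js": "ExpanDrive",
    "sites.dat": "FlashFXP",
    "quick.dat": "FlashFXP",
    "history.dat": "FlashFXP",
}


def parse_events(log_text):
    """Group file paths and remote endpoints under the (image, pid) header that precedes them.
    The same process header may appear in both the file and the network section; they are merged."""
    procs = {}
    current = None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = PROCESS_RE.match(line)
        if m:
            current = procs.setdefault((m["image"], int(m["pid"])), {"paths": [], "connections": Counter()})
            continue
        if current is None:
            continue
        m = FILE_RE.match(line)
        if m:
            current["paths"].append(m["path"])
            continue
        m = NET_RE.match(line)
        if m:
            current["connections"][f"{m['dst']}:{m['dport']}"] += 1
    return procs


def score_process(paths, connections, min_vendors=5, min_connections=5):
    """Flag a process that probes many vendors' config dirs, opens several known
    credential files, or does either and then beacons repeatedly to one endpoint."""
    vendors, cred_files = set(), set()
    for p in paths:
        vm = VENDOR_DIR_RE.search(p)
        if vm and vm.group(1).lower() not in IGNORED_DIRS:
            vendors.add(vm.group(1).lower())
        name = p.rsplit("\\", 1)[-1].lower()
        if name in KNOWN_CREDENTIAL_FILES:
            cred_files.add(name)
    repeated = {ep: n for ep, n in connections.items() if n >= min_connections}
    reasons = []
    if len(vendors) >= min_vendors:
        reasons.append(f"probed config dirs of {len(vendors)} distinct vendors")
    if len(cred_files) >= 2:
        reasons.append(f"opened {len(cred_files)} known credential files: {sorted(cred_files)}")
    if repeated and (vendors or cred_files):
        reasons.append(f"repeated connections after credential access: {repeated}")
    return {"vendors": vendors, "credential_files": cred_files,
            "repeated_endpoints": repeated, "reasons": reasons, "suspicious": bool(reasons)}


def analyze(log_text):
    return {f"{img} [{pid}]": score_process(d["paths"], d["connections"])
            for (img, pid), d in parse_events(log_text).items()}


if __name__ == "__main__":
    for proc, verdict in analyze(SAMPLE_LOG).items():
        print(proc, "SUSPICIOUS" if verdict["suspicious"] else "ok", *verdict["reasons"], sep="\n  ")
```

On the constructed sample the stealer process is flagged on all three counts (six vendor directories, five known credential files, five connections to 50.57.185.72:8080), while filezilla.exe, which touches one vendor directory and one credential file of its own, passes. The same three signals map directly onto EDR telemetry (file open events keyed by process, plus outbound connections), which is where a rule like this would actually live.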

We will continue to investigate this malware, and will publish additional updates as they are discovered.

==================================================

Filename : Loan_08082013.exe
MD5 : 0154a9a797601360f95bcee7639889ba
SHA1 : 122568677f2a4649f154d33a7a46708dcabdcaab
SHA-256 : 3053228169c07c2438052223f914cf57e4b5b717ed60a4ed073e831d1970d5ae
File Size : 118,272 bytes
==================================================

Update 2013-10-22

As our colleague @kafeine pointed out, this sample is related to Fareit/Pony. More on Pony: http://malware.dontneedcoffee.com/2012/06/inside-pony-17.html