Cybercriminals Use Fake FileZilla Sites to Deploy Remote Access Trojans Through Malicious Downloads

Beware: Fake FileZilla Downloads Deliver Stealthy Remote Access Trojans

A recent cybersecurity investigation has uncovered a campaign in which cybercriminals distribute Remote Access Trojans (RATs) through counterfeit websites mimicking the official FileZilla download page. The fraudulent sites are designed to look like the legitimate FileZilla site closely enough that users download malicious installer packages from them. The objective is to compromise Windows systems covertly under the guise of installing a trusted FTP client.

Mechanism of the Attack

The attackers bundle a genuine copy of FileZilla with a concealed malicious Dynamic Link Library (DLL). The package is distributed through a fake domain that closely mirrors the authentic FileZilla site. When the user downloads and runs the installer, the installation looks normal: FileZilla really is installed and works as expected. In the background, however, the malicious DLL is loaded by the genuine FileZilla executable and its code runs silently, leaving no visible sign of infection.

Security analysts from EST Security identified this campaign after analyzing malware samples from their threat detection systems, confirming it as an active and coordinated operation orchestrated by a specific threat actor.

Delivery Formats and Techniques

The investigation revealed two distinct delivery formats:

1. Compressed Archive Method: FileZilla 3.69.5 Portable is distributed in a compressed archive together with a malicious DLL named `version.dll`. When the user extracts the archive and runs the FileZilla executable, Windows resolves the program's import of `version.dll` (direct or through another library) using its default DLL search order, which checks the application's own directory before System32 for any library not on the KnownDLLs list. The attacker's `version.dll` is therefore loaded in place of the legitimate system copy. This is DLL sideloading (also called search-order hijacking); it abuses documented loader behaviour rather than any flaw in FileZilla.

2. Single Executable Method: Here, the legitimate FileZilla installer and the malicious DLL are packed into a single executable. During installation, the DLL is silently dropped into FileZilla's installation directory, so it is loaded each time FileZilla starts.
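
To make the loader behaviour behind both delivery formats concrete, the following Python script is an added example (not code from the article, EST Security, or the FileZilla project). It models the default Windows DLL search order for the three locations that matter here, KnownDLLs, the application directory and System32, and then scans a directory listing for DLLs that would be picked up in place of the system copy. The directory contents, the file name `fz_ui_helper.dll`, and the KnownDLLs subset are constructed for illustration; `version.dll` and the FileZilla binary are as described above.

```python
"""Model of the Windows default DLL search order (SafeDllSearchMode on) and a
scan for DLL sideloading candidates in an application directory.

Added example, not code from the original article or from FileZilla.
All directory listings below are constructed for illustration.
"""
from pathlib import PureWindowsPath

# Representative subset of the KnownDLLs list, which Windows always loads from
# System32 regardless of what sits in the application directory. The real list
# lives at HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs
# and is longer; this subset is an assumption for the example.
KNOWN_DLLS = {
    "ntdll.dll", "kernel32.dll", "user32.dll", "gdi32.dll",
    "advapi32.dll", "ole32.dll", "shell32.dll",
}

# Constructed listing of the attacker's archive after extraction.
# fz_ui_helper.dll is a made-up name standing in for FileZilla's own libraries.
APP_DIR = r"C:\Tools\FileZilla"
APP_DIR_FILES = {"filezilla.exe", "version.dll", "fz_ui_helper.dll"}

# Constructed subset of C:\Windows\System32.
SYSTEM32 = r"C:\Windows\System32"
SYSTEM32_FILES = KNOWN_DLLS | {"version.dll", "crypt32.dll"}


def resolve_dll(name, app_dir=APP_DIR, app_files=APP_DIR_FILES,
                system32=SYSTEM32, system32_files=SYSTEM32_FILES,
                known_dlls=KNOWN_DLLS):
    """Return the path the loader picks for an import of `name` by an
    executable living in `app_dir`, following the default search order:
    KnownDLLs first, then the application directory, then System32.
    Later locations (Windows dir, current directory, PATH) are omitted.
    Returns None if the name is not found in any modelled location."""
    name = name.lower()
    if name in known_dlls:
        return str(PureWindowsPath(system32, name))
    if name in app_files:
        return str(PureWindowsPath(app_dir, name))
    if name in system32_files:
        return str(PureWindowsPath(system32, name))
    return None


def sideload_candidates(app_files=APP_DIR_FILES, system32_files=SYSTEM32_FILES,
                        known_dlls=KNOWN_DLLS):
    """DLLs in the application directory that shadow a System32 DLL of the
    same name and are not protected by KnownDLLs. Any binary in that
    directory importing such a name gets the local copy, not the system one."""
    return sorted(
        f for f in app_files
        if f.lower().endswith(".dll")
        and f.lower() in system32_files
        and f.lower() not in known_dlls
    )


if __name__ == "__main__":
    for dll in ("kernel32.dll", "version.dll", "fz_ui_helper.dll", "crypt32.dll"):
        print(f"{dll:20} -> {resolve_dll(dll)}")
    print("sideload candidates:", sideload_candidates())
```

Run it against a real install by replacing the constructed sets with the actual directory listing and the KnownDLLs value from the registry key named in the comments; any DLL the scan returns that is not part of the vendor's own package is a sideloading candidate worth signature-checking. Sideloading only fires if the executable actually imports the shadowed name, directly or through another library, so a hit is a lead rather than proof.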

Capabilities of the Remote Access Trojan

Once activated on a victim’s system, the RAT provides attackers with extensive control and surveillance capabilities, including:

– Credential Theft: Extracting login information stored in web browsers.

– Keystroke Logging: Recording every keystroke made by the user.

– Screen Capture: Taking live screenshots of the desktop environment.

– Hidden Remote Control: Utilizing Hidden Virtual Network Computing (HVNC) to establish a concealed virtual desktop session. This feature allows attackers to download additional malware and navigate internal systems without the victim’s knowledge, as no suspicious activity appears on the visible screen.

Implications and Concerns

This campaign is particularly alarming because it does not exploit any software vulnerability. It relies entirely on social engineering: convincing users to download and run what appears to be legitimate software. Patching therefore offers no protection against it, which places the weight on user awareness, safe downloading practices, and endpoint controls that notice the sideloaded DLL rather than trusting the genuine FileZilla binary beside it.

Multi-Stage Loader Architecture and Evasion Techniques

The malware employs a multi-stage loader architecture to evade detection:

1. Sequential Loader Stages: After the malicious DLL is loaded, it initiates a chain of four sequential loader stages. Each stage decrypts and executes the next entirely in memory, so no additional files are written to disk. This layered design complicates detection by file-based security tools, since each stage exists only briefly in memory and leaves minimal traces. The on-disk `version.dll` and the memory of the FileZilla process remain the artifacts to examine.

2. Command-and-Control Communication: The malware uses DNS-over-HTTPS (DoH) for command-and-control resolution. It sends HTTPS requests to Cloudflare's public resolver at 1.1.1.1 to resolve the C2 domain `welcome.supp0v3.com`. Because the lookup travels inside TLS to a widely used public service, it bypasses the port-53 DNS monitoring and filtering that many security teams rely on. DoH hides only the name resolution, however: the subsequent connection to the resolved C2 address is still visible in network telemetry, and a non-browser process such as FileZilla opening HTTPS connections to 1.1.1.1 is itself a useful detection signal. Blocking public DoH resolvers at the egress and forcing resolution through the organisation's own resolver removes the evasion.

Recommendations for Users

To protect against such deceptive campaigns, users are advised to:

– Verify Download Sources: Always download software from the official site (for FileZilla, filezilla-project.org) or another verified source. Be cautious of look-alike domains that differ from the legitimate one by only a character or two.

– Check Digital Signatures: Before executing downloaded files, verify their digital signatures. A valid signature on `filezilla.exe` does not clear the package by itself: in this campaign the FileZilla binary is genuine and the malicious `version.dll` is a separate file beside it. Check the signature of the installer as downloaded, compare the archive's hash against the checksum where the vendor publishes one, and treat an unsigned `version.dll` in the application directory as suspect.

– Maintain Updated Security Software: Keep antivirus and anti-malware programs up to date to detect and prevent the execution of malicious code.

– Exercise Caution with Downloads: Be wary of unsolicited download links received via email or found on untrusted websites.

– Educate and Train: Regularly educate yourself and others about the latest phishing and social engineering tactics used by cybercriminals.

Conclusion

The discovery of this malware campaign underscores the evolving tactics of cybercriminals who exploit user trust in reputable software to distribute malicious payloads. By staying vigilant and adopting robust cybersecurity practices, users can mitigate the risks associated with such deceptive schemes.