Threat Research

Not-So-Cute FTP Attack

By Danny Choi | August 27, 2013

Spear phishing attacks are increasing today and the FBI has even issued a warning to the public due to its ability to target multiple organizations. Such attacks are considered as a part of APTs (Advanced Persistent Threats), which attempt to gain a foothold in the network of an organization.

Recently, my email inbox has received two spam emails with suspicious attachments. A screenshot of one of the emails can be seen below:

Not So Cute FTP Attack Fig 1

Figure 1: Spam email.

I have collected the attachments of the two emails and found that they are the same file, which Fortinet detects as W32/Tepfer.D8A1!tr, a trojan that targets FTP clients. FTP clients are used in many corporations for secure file transferring and the malware is basically targetting these to steal any confidential information.

This type of trojan has already been discussed in a previous post. And in this blog post, I will show you how this particular malware steals user information from FTP software, using specific Windows API functions.

CuteFTP: Stealing the data file, "sm.dat"

Similar to W32/Kryptik.AX!tr, this malware targets lots of FTP software, but here I will discuss its attack on a particular FTP client called CuteFTP, with which the malware actually starts off.

The malware sample attached in the email was packed and after unpacking, all the data strings and functions were explicitly revealed.

Not So Cute FTP Attack Fig 2

Figure 2: Strings related to FTP software.

The above data strings provide a good assumption that it is going to seek for "sm.dat" file which stands for "site manager data". Since this file contains information about user's FTP sites, log in usernames, and passwords, finding such strings is a good indicator of what this malware will attempt to do.

To demonstarte how it actually targets the file, I have decided to install the CuteFTP on my sandbox, and see where this file is located.

Not So Cute FTP Attack Fig 3

Figure 3: CuteFTP path.

After installing, InstallWatch shows the exact path of the file. In order to harvest the contents in it, the malware has to somehow navigate to this location.

There are basically two methods of finding the path: parsing the UninstallString data and calling SHGetFolderPath.

Registry Key, "UninstallString" Query

If you look at the "Add or Remove Programs" list in the Control Panel, you will be able to see the currently installed programs. These programs can be removed using the "\Uninstall" registry key which contains the path of the uninstaller.

This malware assumes that the "sm.dat" file can be located in the same path and thus, queries the registry values for each Uninstall key, as shown below.

Not So Cute FTP Attack Fig 4

Figure 4: Checking the registry.

After several routines, the malware collects all the values and stores them in memory as shown below.

Not So Cute FTP Attack Fig 5

Figure 5: Uninstall information in memory.

Then, the malware parses each uninstall path string to look for the string pattern "CUTEFTP", which it assumes that is the directory name where the data file is located. Thus it calls the StrStrIA function which looks for a certain pattern in a string, as shown below.

Not So Cute FTP Attack Fig 6

Figure 6: Searching for "CUTEFTP".

Since CuteFTP was installed in my system using the InstallShield tool, which stores the uninstaller in this tool's path, the malware was not able to find the pattern.

The malware, however, takes the next step in finding the location.

Calling SHGetFolderPath with CSIDL (Constant Special Item ID List)

The next step involves using the API function SHGetFolderPath, which is often used by many applications to get the path of a folder that it needs according to the CSIDL (contant special item ID list) value.

Not So Cute FTP Attack Fig 7

Figure 7: Calling SHGetFolderPath.

As shown in the figure above, there is a value pushed for each call to the routine: 0x1A, 0x23, 0x1C, and 0x26. These numbers represent the CSIDL (constant special item ID list) values, which are defined in the table below.

Not So Cute FTP Attack Tab 1

Table 1: CSIDL values.

The first CSIDL hex value, 0x1A, seems to be the right start for the malware since we know that the data file is located in the Application Data folder. By calling the ShGetFolderPath function using the value, it retrieves the path, as shown below.

Not So Cute FTP Attack Fig 8

Figure 8: Application Data folder.

Then it calls the 'lstrcat' function to append its predefined data string "\GlobalSCAPE\CuteFTP", which is assumed to be the folder where the "sm.dat" file can be found.

Not So Cute FTP Attack Fig 9

Figure 9: Forming the path.

After that, it appends "\sm.dat".

Not So Cute FTP Attack Fig 10

Figure 10: Forming the path.

Now that the path to the file is set, it calls the CreateFileA function to open the file, as shown below.

Not So Cute FTP Attack Fig 11

Figure 11: Attempt to open "sm.dat".

Unfortunately, this would not find the file because it is actually located in the subfolder named "9.0", as was shown in Figure 2.

Well, the malware is not about to quit its searching when it is only one folder away from its target. The next thing it does is to try to look for any possible folder in the current path by calling the FindFirstFileA function.

Not So Cute FTP Attack Fig 12

Figure 12: Finding the right path.

After finding the folder named "9.0", it appends the string to the CuteFTP path, then appends "\sm.dat" again to search for the file.

Not So Cute FTP Attack Fig 13

Figure 13. Finding "sm.dat".

It then calls CreateFileA again to open the file.

Not So Cute FTP Attack Fig 14

Figure 14: Opening the "sm.dat" file.

The call is successful, which then returns an open handle of the file.

Not So Cute FTP Attack Fig 15

Figure 15: Handle of successfully opened file.

Using the handle, the malware finally calls the functions CreateFileMapping and MapViewOfFile to map the file into memory.

Not So Cute FTP Attack Fig 16

Figure 16: Mapping the file into memory.

MapViewOfFile returns the memory address of the mapped file, which now contains the contents of "sm.dat".

For the purpose of this analysis, I had created a mock FTP site along with login credentials which now can be viewed in memory, as shown below:

Not So Cute FTP Attack Fig 17

Figure 17: Mock FTP Site and Site Manager data.

Using the login credentials in this data file, the malware author can now attempt to log into the FTP site(s) for their own purposes.

In the same manner, the malware harvests confidential information by seeking the data files of other FTP client software, such as FireZilla, FlashFXP, etc.

There are certainly ways to avoid having your data compromised by malware such as this. As seen in Figure 17, the username and password that I have entered for the CuteFTP set up is not human readable in the data file. The malware author would have to decode the binary to acquire the actual login information. Additionally, CuteFTP 9.0 is equipped with security options to encrypt site manager and also has options for password protection, as seen in Figure 18 below.

Not So Cute FTP Attack Fig 18

Figure 18: Global Options Security Window from CuteFTP 9.0

If these options are used, it would give additional challenges for the malware author to gain a foothold using this stolen data.

Also, since this malware looks for certain directories using CSIDL values shown in Table 1 above, it might be good practice for the user to select different folder locations for the site manager path in addition to choosing the security options that are provided by the software.

In conclusion, being targetted by cybercriminals is something that all organizations should think is inevitable, and thus, should do the necessary precautions to prevent these attacks from being successful.

Danny Choi is an Antivirus Analyst with FortiGuard Labs

Additional content from Margarette Joven

Join the Discussion