Recslurp Trojan steals FTP and Email credentials (July 26, 2013)
The Dell SonicWall Threats Research team has received reports of a Trojan that steals FTP and Email credentials. If certain configuration files are present on the system, it extracts the account information they contain and sends it in encrypted form to a remote server. We have observed threats of this nature before, such as one from a different malware family covered in a previous SonicALERT.
Infection cycle:
The Trojan adds the following files to the filesystem:
- %APPDATA%\svchost.exe (copy of original, marked hidden) [Detected as GAV: Recslurp.A_4 (Trojan)]
- %APPDATA%\System32\csrss.exe (copy of original, marked hidden) [Detected as GAV: Recslurp.A_4 (Trojan)]
- %APPDATA%\System32\rundll32.exe (copy of original, marked hidden) [Detected as GAV: Recslurp.A_4 (Trojan)]
The Trojan adds the following keys to the Windows registry to enable startup after reboot:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Client Server Runtime Process “%APPDATA%\System32\csrss.exe”
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Host-process Windows (Rundll32.exe) “%APPDATA%\System32\csrss.exe”
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Service Host Process for Windows “%APPDATA%\svchost.exe”
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Client Server Runtime Process “%APPDATA%\System32\csrss.exe”
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Host-process Windows (Rundll32.exe) “%APPDATA%\System32\csrss.exe”
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Service Host Process for Windows “%APPDATA%\svchost.exe”
The Trojan adds the following keys to the Windows registry to allow network data from the dropped executables to pass through the Windows Firewall:
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List Client Server Runtime Process “%APPDATA%\System32\csrss.exe”
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List Host-process Windows (Rundll32.exe) “%APPDATA%\System32\csrss.exe”
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List Service Host Process for Windows “%APPDATA%\svchost.exe”
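As an added defender-side check (not code from the advisory or from SonicWall), the script below audits the two Run keys and the firewall AuthorizedApplications list named above for values that point a system-binary name (svchost.exe, csrss.exe, rundll32.exe) at a user-writable profile path, which is the persistence pattern this Trojan uses. The firewall value format "path:*:Enabled:name" and the SAMPLE entries are assumptions constructed for the example.

```python
import ntpath
import re

# Registry locations the advisory lists: the two Run keys and the firewall allow-list.
RUN_KEYS = [
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"),
    ("HKLM", r"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy"
             r"\StandardProfile\AuthorizedApplications\List"),
]
SYSTEM_LOOKALIKES = {"svchost.exe", "csrss.exe", "rundll32.exe"}  # names the dropped copies impersonate
# Profile locations where a genuine copy of those binaries never lives.
USER_WRITABLE = re.compile(r"%APPDATA%|%LOCALAPPDATA%|%USERPROFILE%|\\AppData\\|\\Application Data\\", re.I)

def is_suspicious(data):
    """True when a Run/firewall value targets a system-binary name under a profile path."""
    path = data.strip().strip('"').split('"')[0]
    path = path.split(":*:")[0]  # assumed firewall-list format "path:*:Enabled:name"
    exe = ntpath.basename(path).lower()
    return exe in SYSTEM_LOOKALIKES and USER_WRITABLE.search(path) is not None

def scan(entries):
    """entries: iterable of (hive, key, value_name, data); returns the suspicious ones."""
    return [e for e in entries if is_suspicious(e[3])]

def collect_live():
    """Read the real keys on a Windows host; returns [] where winreg is unavailable."""
    try:
        import winreg
    except ImportError:
        return []
    hives = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}
    found = []
    for hive, key in RUN_KEYS:
        try:
            with winreg.OpenKey(hives[hive], key) as k:
                for i in range(winreg.QueryInfoKey(k)[1]):  # [1] is the value count
                    name, data, _ = winreg.EnumValue(k, i)
                    found.append((hive, key, name, str(data)))
        except OSError:
            continue  # key absent or access denied
    return found

# Constructed sample modelled on the advisory's entries; not a real capture.
SAMPLE = [
    ("HKCU", RUN_KEYS[0][1], "Client Server Runtime Process", r'"%APPDATA%\System32\csrss.exe"'),
    ("HKCU", RUN_KEYS[0][1], "OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"'),
    ("HKLM", RUN_KEYS[2][1], r"%APPDATA%\svchost.exe", r"%APPDATA%\svchost.exe:*:Enabled:Service Host Process for Windows"),
    ("HKLM", RUN_KEYS[1][1], "SecurityHealth", r"C:\Windows\system32\SecurityHealthSystray.exe"),
]
```

On a Windows host run `scan(collect_live())`; elsewhere `scan(SAMPLE)` flags the two constructed Recslurp-style entries and leaves the legitimate ones alone.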
The Trojan makes the following DNS queries although it did not interact with any mail servers during our analysis:
Below is a sample of the FTP and Email configuration files from which it steals credentials if present:
%APPDATA%\Opera 10 Beta\wand.dat
%APPDATA%\Apple Computer\Safari\Preferences\keychain.plist
%APPDATA%\Mozilla\Firefox\Profiles\53iioyks.default\signons.txt
%ALLUSERSPROFILE%\Application Data\GPSoftware\Directory Opus\ConfigFiles\ftp.oxc
%USERPROFILE%\Local Settings\Application Data\FTP Explorer\profiles.xml
%APPDATA%\Frigate3\FtpSite.XML
%APPDATA%\FTPRush\RushSite.xml
%APPDATA%\BitKinex\bitkinex.ds
%ALLUSERSPROFILE%\Application Data\SmartFTP\History.dat
%ALLUSERSPROFILE%\Application Data\BulletProof Software\BulletProof FTP Client\2010\Default.bps
%ALLUSERSPROFILE%\Application Data\FlashFXP\4\Sites.dat
%USERPROFILE%\Local Settings\Application Data\Ipswitch\WS_FTP Home\Sites\*.*
%USERPROFILE%\Local Settings\Application Data\Microsoft\Windows Live Mail\*.*
%APPDATA%\PocoMail\accounts.ini
The Trojan downloads a malicious executable from a remote server. The file [Detected as GAV: Delf.OAS (Trojan)] is encrypted. We were able to identify and observe the decryption routine in action:
Upon installing WS_FTP on our analysis system and entering fake FTP account data, we observed the following data being sent out to a remote server as a result:
SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:
- GAV: Recslurp.A_4 (Trojan)
- GAV: Delf.OAS (Trojan)
- GAV: Delf.OAS#enc (Trojan)