Recslurp Trojan steals FTP and Email credentials (July 26, 2013)


The Dell SonicWall Threats Research team has received reports of a Trojan that steals FTP and Email credentials. If certain configuration files are present on the system it will extract the contained account information and send it in encrypted form to a remote server. We have observed threats of this nature before such as one from a different malware family in a previous SonicALERT.

Infection cycle:

The Trojan adds the following files to the filesystem:

  • %APPDATA%svchost.exe (copy of original, marked hidden) [Detected as GAV: Recslurp.A_4 (Trojan)]
  • %APPDATA%System32csrss.exe (copy of original, marked hidden) [Detected as GAV: Recslurp.A_4 (Trojan)]
  • %APPDATA%System32rundll32.exe (copy of original, marked hidden) [Detected as GAV: Recslurp.A_4 (Trojan)]

The Trojan adds the following keys to the Windows registry to enable startup after reboot:

  • HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun Client Server Runtime Process “%APPDATA%System32csrss.exe”
  • HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun Host-process Windows (Rundll32.exe) “%APPDATA%System32csrss.exe”
  • HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun Service Host Process for Windows “%APPDATA%svchost.exe”
  • HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun Client Server Runtime Process “%APPDATA%System32csrss.exe”
  • HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun Host-process Windows (Rundll32.exe) “%APPDATA%System32csrss.exe”
  • HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun Service Host Process for Windows %APPDATA%svchost.exe”

The Trojan adds the following keys to the Windows registry to allow network data from the dropped executables to pass through the Windows Firewall:

  • HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesSharedAccessParametersFirewallPolicyStandardProfileAuthorizedApplicationsList Client Server Runtime Process “%APPDATA%System32csrss.exe”
  • HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesSharedAccessParametersFirewallPolicyStandardProfileAuthorizedApplicationsList Host-process Windows (Rundll32.exe) “%APPDATA%System32csrss.exe”
  • HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesSharedAccessParametersFirewallPolicyStandardProfileAuthorizedApplicationsList Service Host Process for Windows “%APPDATA%svchost.exe”

The Trojan makes the following DNS queries although it did not interact with any mail servers during our analysis:

Below is a sample of the FTP and Email configuration files from which it steals credentials if present:

      %APPDATA%Opera 10 Betawand.dat
      %APPDATA%Apple ComputerSafariPreferenceskeychain.plist
      %ALLUSERSPROFILE%Application DataGPSoftwareDirectory OpusConfigFilesftp.oxc
      %USERPROFILE%Local SettingsApplication DataFTP Explorerprofiles.xml
      %ALLUSERSPROFILE%Application DataSmartFTPHistory.dat
      %ALLUSERSPROFILE%Application DataBulletProof SoftwareBulletProof FTP Client2010Default.bps
      %ALLUSERSPROFILE%Application DataFlashFXP4Sites.dat
      %USERPROFILE%Local SettingsApplication DataIpswitchWS_FTP HomeSites*.*
      %USERPROFILE%Local SettingsApplication DataMicrosoftWindows Live Mail*.*

The Trojan downloads a malicious executable from a remote server. The file [Detected as GAV: Delf.OAS (Trojan)] is encrypted. We were able to identify and observe the decryption routine in action:

Upon installing WS_FTP on our analysis system and entering fake FTP account data we observed the following data being sent out to a remote server as a result:

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Recslurp.A_4 (Trojan)
  • GAV: Delf.OAS (Trojan)
  • GAV: Delf.OAS#enc (Trojan)
Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.