Beware of the fake FileZilla website
Beware of the fake FileZilla website: you think you are downloading the software, but you get malware instead.
FileZilla is another familiar tool for people who work on websites or networks and need to upload or download files over FTP, and it has become another target for attackers who lure those people into running malware by spoofing a trusted program.
According to a report published on the website of the anti-malware vendor Malwarebytes, a fake FileZilla website was found distributing an installation package for FileZilla version 3.69.5 with malware embedded inside. The malware is designed to steal the victim's FTP credentials and to act as a backdoor into the system, so that the attackers behind it can log in to the victim's machine later. It is distributed from a fake website whose name resembles the real FileZilla site, such as filezilla-project[.]live. Strictly speaking, the contaminated package is not counterfeit software: it is the genuine portable build of FileZilla 3.69.5 with one malicious DLL file added.
Genuine FileZilla ships with its own DLL files, unique libraries such as libfilezilla-500.dll and the other libraries that belong to the 3.69.5 build, but it does not ship a version.dll. That file implements the Windows Version API and normally lives in the Windows system folder (C:\Windows\System32); it is not a FileZilla file.
The research team traced a number of DLL loads. Windows first looks in the folder that contains the program for the DLLs it needs and only then looks in the Windows system folder. In the first phase the program loads system libraries such as IPHLPAPI.DLL and POWRPROF.dll; these are naturally not in the program folder, so the first lookup returns NAME NOT FOUND and Windows loads the file from the system folder instead.
But a version.dll was found inside the program folder, so it was loaded in place of the legitimate version.dll from the system folder. The research team examined that file and confirmed it was malware. The attackers made one mistake, though: the malicious DLL was written to load a file named version_origin.dll, which should have been the legitimate version.dll renamed, so that the program could still call the real functions while the malicious code ran alongside (the DLL proxying technique). That file was not included in the package, so the program malfunctioned, and that malfunction is what allowed the tampering to be caught.
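The search-order behaviour described above can be reproduced in a few lines. The following is an added example, not code from the Malwarebytes write-up or the FileZilla project: it models the application folder and System32 as constructed dictionaries, walks the same search order Windows uses, flags a system DLL name that resolves from the application folder, and then scans the planted DLL's bytes for the proxy target it expects to find (version_origin.dll). The directory contents, the DLL bytes and the KnownDLLs subset are all assumptions made for the demo.

```python
"""DLL search-order hijack check (added example; folder contents are constructed)."""
import re

# Constructed listing of the trojanised portable folder: the real FileZilla
# libraries plus a planted version.dll. Bytes are fake stand-ins for PE files.
APP_DIR = {
    "filezilla.exe": b"MZ real filezilla binary (constructed)",
    "libfilezilla-500.dll": b"MZ real library (constructed)",
    # The planted DLL: its string table names the proxy target,
    # version_origin.dll, which the attacker forgot to ship.
    "version.dll": b"MZ\x90\x00 planted loader ... version_origin.dll\x00 GetFileVersionInfoW\x00",
}

# DLLs that normally resolve from C:\Windows\System32 (constructed subset).
SYSTEM32_DIR = {"version.dll", "iphlpapi.dll", "powrprof.dll", "kernel32.dll"}

# KnownDLLs are resolved from System32 without searching the app folder.
# version.dll is not on that list, which is why it is a viable sideloading target.
KNOWN_DLLS = {"kernel32.dll", "ntdll.dll", "user32.dll", "advapi32.dll"}


def resolve(name, app_dir=APP_DIR, system_dir=SYSTEM32_DIR, known_dlls=KNOWN_DLLS):
    """Return (origin, trace) where origin is 'app', 'system' or None.

    The trace mirrors what Process Monitor shows: NAME NOT FOUND in the
    application directory followed by a load from System32 is normal; a hit
    in the application directory for a system DLL name is the hijack.
    """
    n = name.lower()
    trace = []
    if n in known_dlls:
        trace.append(f"{n}: KnownDLL, loaded from System32 without searching app dir")
        return "system", trace
    if n in {k.lower() for k in app_dir}:
        trace.append(f"{n}: FOUND in application directory")
        return "app", trace
    trace.append(f"{n}: NAME NOT FOUND in application directory")
    if n in system_dir:
        trace.append(f"{n}: loaded from C:\\Windows\\System32")
        return "system", trace
    trace.append(f"{n}: not found anywhere")
    return None, trace


def find_hijacks(app_dir=APP_DIR, system_dir=SYSTEM32_DIR, known_dlls=KNOWN_DLLS):
    """Names in the app folder that Windows would otherwise take from System32."""
    return sorted(f for f in app_dir
                  if f.lower() in system_dir and f.lower() not in known_dlls)


DLL_REF = re.compile(rb"[A-Za-z0-9_\-]+\.dll", re.IGNORECASE)


def missing_proxy_targets(dll_name, app_dir=APP_DIR, system_dir=SYSTEM32_DIR):
    """DLL names referenced inside a DLL's bytes that resolve nowhere.

    A sideloading proxy forwards calls to a renamed original; if that file is
    absent (as version_origin.dll was here), the host application breaks.
    """
    refs = {m.group(0).decode().lower() for m in DLL_REF.finditer(app_dir[dll_name])}
    refs.discard(dll_name.lower())
    return sorted(r for r in refs if resolve(r, app_dir, system_dir)[0] is None)


if __name__ == "__main__":
    for dll in ("IPHLPAPI.DLL", "POWRPROF.dll", "version.dll"):
        origin, trace = resolve(dll)
        print("\n".join(trace), "->", origin)
    for h in find_hijacks():
        print("hijack candidate:", h, "references missing:", missing_proxy_targets(h))
```

On a real machine the same two checks are done against the actual folder listing and the strings or import table of each DLL; any file in a portable application's folder that shares a name with a System32 DLL and is not signed by the vendor deserves a closer look.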
As for the behaviour of the malicious DLL itself, it starts by checking whether it is running inside a virtual machine or a sandbox before releasing the real payload, using various behavioural checks such as the BIOS version, VirtualBox registry keys, and memory allocation.
Once it has checked the environment and found it safe, the malware contacts its command-and-control (C2) server. It first sends an HTTPS request to Cloudflare's public resolver at the following URL:
https://1[.]1.1.1/dns-query?name=welcome.sup0v3[.]com&type=A
This technique, DNS-over-HTTPS (DoH), avoids detection by the enterprise DNS monitoring, because the lookup never reaches the internal resolver. Once the public resolver returns the address of the C2 domain, the loader calls back to the C2 server. Through memory analysis the research team recovered the configuration embedded at runtime:
{
  "Tag": "tbs",
  "referrer": "dll",
  "callback": ""
}
Besides the DoH callback, the malware also contacts the IP address 95.216.51.236 over TCP port 31415, a non-standard port, on a host in Hetzner's hosting service, as a second channel to the C2 server. Traffic on this channel is shaped to look like ordinary data so that it can pass through firewall filtering.
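Both C2 channels leave traces that a defender can hunt for: a DoH JSON-API lookup to a public resolver in the web-proxy log, and an outbound connection on an unusual port in flow records. The following is an added example, not from the Malwarebytes write-up: it runs that detection logic over constructed proxy and flow log lines (the log formats, the resolver endpoint list and the allowed egress ports are assumptions) and correlates the two indicators per source host.

```python
"""Hunt for DoH callbacks and odd-port egress (added example; logs are constructed)."""
import ipaddress
from urllib.parse import parse_qs, urlsplit

# Public DoH JSON-API endpoints whose use from a workstation bypasses the
# enterprise resolver. Constructed subset, not exhaustive.
DOH_ENDPOINTS = {
    ("1.1.1.1", "/dns-query"),
    ("1.0.0.1", "/dns-query"),
    ("cloudflare-dns.com", "/dns-query"),
    ("dns.google", "/resolve"),
    ("8.8.8.8", "/resolve"),
}

# Constructed web-proxy log: "<timestamp> <src_ip> <method> <url>"
PROXY_LOG = """\
2024-05-02T09:14:01Z 10.0.0.21 GET https://intranet.example/portal
2024-05-02T09:14:07Z 10.0.0.21 GET https://1.1.1.1/dns-query?name=welcome.sup0v3.com&type=A
2024-05-02T09:15:30Z 10.0.0.33 POST https://dns.google/resolve?name=example.org&type=AAAA
2024-05-02T09:16:02Z 10.0.0.21 GET https://www.cloudflare.com/
"""

# Constructed flow records: "<timestamp> <src_ip> <dst_ip> <proto> <dst_port> <bytes>"
FLOW_LOG = """\
2024-05-02T09:14:20Z 10.0.0.21 95.216.51.236 TCP 31415 4820
2024-05-02T09:14:25Z 10.0.0.21 203.0.113.10 TCP 443 15200
2024-05-02T09:17:00Z 10.0.0.33 10.0.0.5 TCP 445 2048
"""

# Ports workstations are expected to reach on the internet (assumption).
ALLOWED_EGRESS_PORTS = {80, 443}


def doh_queries(log=PROXY_LOG, endpoints=DOH_ENDPOINTS):
    """Return (src_ip, queried_name, qtype) for every DoH JSON-API lookup in the log."""
    hits = []
    for line in log.splitlines():
        _ts, src, _method, url = line.split(" ", 3)
        u = urlsplit(url)
        if (u.hostname, u.path) not in endpoints:
            continue
        q = parse_qs(u.query)
        name = q.get("name", [""])[0].rstrip(".").lower()
        qtype = q.get("type", ["A"])[0].upper()  # the JSON API defaults to A
        hits.append((src, name, qtype))
    return hits


def odd_port_egress(log=FLOW_LOG, allowed=ALLOWED_EGRESS_PORTS):
    """Return (src_ip, dst_ip, dst_port) for flows to public hosts on unexpected ports."""
    hits = []
    for line in log.splitlines():
        _ts, src, dst, proto, port, _nbytes = line.split()
        port = int(port)
        if proto != "TCP" or port in allowed:
            continue
        if ipaddress.ip_address(dst).is_private:
            continue  # internal traffic is out of scope for this hunt
        hits.append((src, dst, port))
    return hits


def correlate(proxy_log=PROXY_LOG, flow_log=FLOW_LOG):
    """Hosts that both resolved a name over public DoH and reached out on an odd port."""
    doh_hosts = {src for src, _name, _t in doh_queries(proxy_log)}
    egress_hosts = {src for src, _dst, _p in odd_port_egress(flow_log)}
    return sorted(doh_hosts & egress_hosts)


if __name__ == "__main__":
    print("DoH lookups:", doh_queries())
    print("odd-port egress:", odd_port_egress())
    print("hosts hitting both indicators:", correlate())
```

Either indicator alone produces noise (browsers and privacy tools use DoH, and plenty of software uses odd ports), which is why the last function only promotes hosts that show both within the same window; in a real pipeline the time stamps would also be compared.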
Analysis of the malware's behaviour found that, in addition to stealing the password the victim enters in the program to upload files over FTP, it can inject its own code into other processes (process injection), establishes persistence on the victim's system through a Registry modification so that it can be restarted at any time, and appears to encrypt the data it transmits. It is a very versatile piece of malware.