Recslurp Trojan steals FTP and Email credentials (July 26, 2013)

The Dell SonicWall Threats Research team has received reports of a Trojan that steals FTP and Email credentials. If certain configuration files are present on the system it will extract the contained account information and send it in encrypted form to a remote server. We have observed threats of this nature before such as one from a different malware family in a previous SonicALERT.

Infection cycle:

The Trojan adds the following files to the filesystem:

• %APPDATA%svchost.exe (copy of original, marked hidden)
• %APPDATA%System32csrss.exe (copy of original, marked hidden)
• %APPDATA%System32rundll32.exe (copy of original, marked hidden)

The Trojan adds the following keys to the Windows registry to enable startup after reboot:

• HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun Client Server Runtime Process "%APPDATA%System32csrss.exe"
• HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun Host-process Windows (Rundll32.exe) "%APPDATA%System32csrss.exe"
• HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun Service Host Process for Windows "%APPDATA%svchost.exe"
• HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun Client Server Runtime Process "%APPDATA%System32csrss.exe"
• HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun Host-process Windows (Rundll32.exe) "%APPDATA%System32csrss.exe"
• HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun Service Host Process for Windows %APPDATA%svchost.exe"

The Trojan adds the following keys to the Windows registry to allow network data from the dropped executables to pass through the Windows Firewall:

• HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesSharedAccessParametersFirewallPolicyStandardProfileAuthorizedApplicationsList Client Server Runtime Process "%APPDATA%System32csrss.exe"
• HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesSharedAccessParametersFirewallPolicyStandardProfileAuthorizedApplicationsList Host-process Windows (Rundll32.exe) "%APPDATA%System32csrss.exe"
• HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesSharedAccessParametersFirewallPolicyStandardProfileAuthorizedApplicationsList Service Host Process for Windows "%APPDATA%svchost.exe"

The Trojan makes the following DNS queries although it did not interact with any mail servers during our analysis:

Below is a sample of the FTP and Email configuration files from which it steals credentials if present:

%APPDATA%Opera 10 Betawand.dat
%APPDATA%Apple ComputerSafariPreferenceskeychain.plist
%APPDATA%MozillaFirefoxProfiles53iioyks.defaultsignons.txt
%ALLUSERSPROFILE%Application DataGPSoftwareDirectory OpusConfigFilesftp.oxc
%USERPROFILE%Local SettingsApplication DataFTP Explorerprofiles.xml
%APPDATA%Frigate3FtpSite.XML
%APPDATA%FTPRushRushSite.xml
%APPDATA%BitKinexbitkinex.ds
%ALLUSERSPROFILE%Application DataSmartFTPHistory.dat
%ALLUSERSPROFILE%Application DataBulletProof SoftwareBulletProof FTP Client2010Default.bps
%ALLUSERSPROFILE%Application DataFlashFXP4Sites.dat
%USERPROFILE%Local SettingsApplication DataIpswitchWS_FTP HomeSites*.*
%USERPROFILE%Local SettingsApplication DataMicrosoftWindows Live Mail*.*
%APPDATA%PocoMailaccounts.ini

The Trojan downloads a malicious executable from a remote server. The file is encrypted. We were able to identify and observe the decryption routine in action:

Upon installing WS_FTP on our analysis system and entering fake FTP account data we observed the following data being sent out to a remote server as a result:

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

• GAV: Recslurp.A_4 (Trojan)
• GAV: Delf.OAS (Trojan)
• GAV: Delf.OAS#enc (Trojan)