Recslurp Trojan steals FTP and Email credentials

July 26, 2013

The Dell SonicWall Threats Research team has received reports of a Trojan that steals FTP and Email credentials. If certain configuration files are present on the system it will extract the contained account information and send it in encrypted form to a remote server. We have observed threats of this nature before such as one from a different malware family in a previous SonicALERT.

Infection cycle:

The Trojan adds the following files to the filesystem:

  • %APPDATA%svchost.exe (copy of original, marked hidden) [Detected as GAV: Recslurp.A_4 (Trojan)]
  • %APPDATA%System32csrss.exe (copy of original, marked hidden) [Detected as GAV: Recslurp.A_4 (Trojan)]
  • %APPDATA%System32rundll32.exe (copy of original, marked hidden) [Detected as GAV: Recslurp.A_4 (Trojan)]

The Trojan adds the following keys to the Windows registry to enable startup after reboot:

  • HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun Client Server Runtime Process "%APPDATA%System32csrss.exe"
  • HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun Host-process Windows (Rundll32.exe) "%APPDATA%System32csrss.exe"
  • HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun Service Host Process for Windows "%APPDATA%svchost.exe"
  • HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun Client Server Runtime Process "%APPDATA%System32csrss.exe"
  • HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun Host-process Windows (Rundll32.exe) "%APPDATA%System32csrss.exe"
  • HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun Service Host Process for Windows %APPDATA%svchost.exe"

The Trojan adds the following keys to the Windows registry to allow network data from the dropped executables to pass through the Windows Firewall:

  • HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesSharedAccessParametersFirewallPolicyStandardProfileAuthorizedApplicationsList Client Server Runtime Process "%APPDATA%System32csrss.exe"
  • HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesSharedAccessParametersFirewallPolicyStandardProfileAuthorizedApplicationsList Host-process Windows (Rundll32.exe) "%APPDATA%System32csrss.exe"
  • HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesSharedAccessParametersFirewallPolicyStandardProfileAuthorizedApplicationsList Service Host Process for Windows "%APPDATA%svchost.exe"

The Trojan makes the following DNS queries although it did not interact with any mail servers during our analysis:

Below is a sample of the FTP and Email configuration files from which it steals credentials if present:

      %APPDATA%Opera 10 Betawand.dat
      %APPDATA%Apple ComputerSafariPreferenceskeychain.plist
      %APPDATA%MozillaFirefoxProfiles53iioyks.defaultsignons.txt
      %ALLUSERSPROFILE%Application DataGPSoftwareDirectory OpusConfigFilesftp.oxc
      %USERPROFILE%Local SettingsApplication DataFTP Explorerprofiles.xml
      %APPDATA%Frigate3FtpSite.XML
      %APPDATA%FTPRushRushSite.xml
      %APPDATA%BitKinexbitkinex.ds
      %ALLUSERSPROFILE%Application DataSmartFTPHistory.dat
      %ALLUSERSPROFILE%Application DataBulletProof SoftwareBulletProof FTP Client2010Default.bps
      %ALLUSERSPROFILE%Application DataFlashFXP4Sites.dat
      %USERPROFILE%Local SettingsApplication DataIpswitchWS_FTP HomeSites*.*
      %USERPROFILE%Local SettingsApplication DataMicrosoftWindows Live Mail*.*
      %APPDATA%PocoMailaccounts.ini

The Trojan downloads a malicious executable from a remote server. The file [Detected as GAV: Delf.OAS (Trojan)] is encrypted. We were able to identify and observe the decryption routine in action:

Upon installing WS_FTP on our analysis system and entering fake FTP account data we observed the following data being sent out to a remote server as a result:

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Recslurp.A_4 (Trojan)
  • GAV: Delf.OAS (Trojan)
  • GAV: Delf.OAS#enc (Trojan)