Tried, Tested and Proven

Monthly Archives: October 2013

The following is part 2 of a series of 3 blog posts. In this article we go through the preparation stage that precedes exfiltration of the stolen data: the malware first connects to a remote FTP server and then temporarily stores the collected data on the host before sending it to the attacker.

Part 1 focused on a one-shot information-stealing malware. If you missed the first article, please click here!

Connecting to the FTP server

The malware will initially retrieve the local date/time in the following format: “d-m-y_h-m-s”.

The following is part 1 of a series of 3 blog posts, in which we go through an information-stealing malware. We will discuss the type of information it is interested in, as well as the way it stores this information and sends it to the malicious FTP server. Furthermore, we will give an overview of a few anti-reversing tricks that we located during the analysis of this malware.

Introduction

Recently, we identified a malware sample whose sole purpose was to steal information, including login credentials and other host-related information. This is, of course, nothing new. What we found interesting about this particular sample was that the malware does not attempt to achieve persistence on the ‘infected’ host.