We recently came across a Trojan that steals image files of .jpg, .jpeg extensions, and Windows memory dumps (.dmp) from victims’ machines and uploads them to an FTP address hardcoded in the malware.
This Trojan silently opens a command line and copies those image files found on the C, D, and E drives to the C drive. These collected file are then sent to an FTP server.
We suspect this malware is in its first stage of development for information theft, and we expect it to return as a more sophisticated attack. The stolen image files could be used for blackmailing the victims and demanding a ransom. We are aware of nude pictures of celebrities stolen a few months back. This malware could be deployed for a similar operation.
We also suspect the attackers would like to learn about vulnerabilities on the victims’ machines; perhaps that is why they are looking for .dmp files, which carry data “dumped” from a program’s memory space. They are often created when a program has an error in coding and crashes.
Gathering .dmp files could by a typo by the malware authors, who might have sought .bmp image files instead.
After collecting the files, the malware connects to an FTP link : 176.x.xxx.90 and logs in with username “wasitnew” and password “qiw2e3r4t5y6.”
Using Wireshark, we can see below that an image file-autumn.jpg-has been uploaded via FTP after authenticating.
We noticed the FTP server died on November 5.
This malware can evolve with more sophisticated code and cause more harm. Since 2008 we have seen image files carrying embedded image files within. Malware authors sometimes hide their commands behind an image file using steganography.
We advise our customers to pay extra attention when they save any file type while online and to keep their antimalware software updated.
Leave a reply