Unusual file-infecting malware steals FTP credentials, researchers say

About 70 percent of computers infected with this threat are in the US, according to antivirus firm Trend Micro

A new version of a file-infecting malware program that's being distributed through drive-by download attacks is also capable of stealing FTP (File Transfer Protocol) credentials, according to security researchers from antivirus firm Trend Micro.

The newly discovered variant is part of the PE_EXPIRO family of file infectors that was identified in 2010, the Trend Micro researchers said Monday in a blog post. However, this version's information theft routine is unusual for this type of malware.

The new threat is distributed by luring users to malicious websites that host Java and PDF exploits as part of an exploit toolkit. If visitors' browser plug-ins are not up to date, the malware will be installed on their computers.

The Java exploits are for the CVE-2012-1723 and CVE-2013-1493 remote code execution vulnerabilities that were patched by Oracle in June 2012 and March 2013 respectively.

Based on information shared by Trend Micro via email, a spike in infections with this new EXPIRO variant was recorded on July 11. "About 70 percent of total infections are within the United States," the researchers said in the blog post.

Once the new EXPIRO variant runs on a system, it searches for .EXE files on all local, removable and networked drives, and adds its malicious code to them. In addition, it collects information about the system and its users, including Windows log-in credentials, and steals FTP credentials from a popular open-source FTP client called FileZilla.

The stolen information is stored in a file with a .DLL extension and is uploaded to the malware's command and control servers.

"The combination of threats used is highly unusual and suggests that this attack was not an off-the-shelf attack that used readily available cybercrime tools," the Trend Micro researchers said.

The theft of FTP credentials suggests that the attackers are either trying to compromise websites or are trying to steal information from organizations that is stored on FTP servers. However, it doesn't appear that this threat is targeting any industry in particular, the Trend Micro researchers said via email.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags Oraclemalwaretrend microExploits / vulnerabilities

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.
Lucian Constantin

Lucian Constantin

IDG News Service
Show Comments

Brand Post

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Tom Pope

Dynabook Portégé X30L-G

Ultimately this laptop has achieved everything I would hope for in a laptop for work, while fitting that into a form factor and weight that is remarkable.

Tom Sellers

MSI P65

This smart laptop was enjoyable to use and great to work on – creating content was super simple.

Lolita Wang

MSI GT76

It really doesn’t get more “gaming laptop” than this.

Jack Jeffries

MSI GS75

As the Maserati or BMW of laptops, it would fit perfectly in the hands of a professional needing firepower under the hood, sophistication and class on the surface, and gaming prowess (sports mode if you will) in between.

Taylor Carr

MSI PS63

The MSI PS63 is an amazing laptop and I would definitely consider buying one in the future.

Christopher Low

Brother RJ-4230B

This small mobile printer is exactly what I need for invoicing and other jobs such as sending fellow tradesman details or step-by-step instructions that I can easily print off from my phone or the Web.

Featured Content

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?