A recent cybersecurity threat has been identified involving fake websites that mimic the official FileZilla download page, leading to the distribution of a Remote Access Trojan (RAT). These deceptive sites are crafted to look like the genuine FileZilla site, tricking users into downloading a tainted installer, which compromises Windows systems.
Deceptive Websites and Malicious Downloads
The attackers have replicated the appearance of the FileZilla download page to deliver a malicious package. This package includes a legitimate version of FileZilla along with a concealed malicious DLL file. The fake domain is designed to closely resemble the authentic FileZilla site, misleading users into downloading harmful software.
Upon installation, the legitimate FileZilla program operates as expected, while the hidden malicious code runs discreetly in the background. This tactic is particularly effective because it doesn’t exploit any software vulnerabilities, relying solely on social engineering to deceive victims.
Technical Details of the Attack
Security analysts from EST Security detected this campaign while examining malware samples. The operation uses two delivery methods. The first distributes FileZilla 3.69.5 Portable in a compressed archive that also contains a malicious DLL named version.dll. Because Windows searches an application's own directory before the system directory when resolving imports, the rogue version.dll is loaded in place of the legitimate system library when FileZilla is executed, a technique known as DLL sideloading.
In the second method, the legitimate FileZilla installer and the malicious DLL are packed into a single executable. Running it installs FileZilla normally while silently dropping the DLL into the installation directory, so the malicious code is loaded every time FileZilla is launched and ultimately deploys a fully functional RAT.
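Both delivery methods leave the same artifact on disk: a file carrying a Windows system DLL's name sitting next to the application executable instead of in System32. The following check, added here as an example and not code from the original article, EST Security or the FileZilla project, scans an application directory for that pattern and hashes any hit for comparison with the genuine system copy or a threat-intelligence feed. The only name taken from the article is version.dll; the folder contents and placeholder file bytes are constructed for the demonstration.

```python
"""Flag Windows system DLL names found beside an application's executable.

Added example, not code from the original article, EST Security or FileZilla.
Windows resolves most DLL imports by searching the application's own folder
before the System32 folder, so a file carrying a system DLL's name next to an
application binary is the classic sideloading indicator. version.dll is the
name reported in the campaign; the folder contents below are constructed.
"""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List

# Names that belong in System32. version.dll comes from the article; extend the
# set from your own software inventory (assumption: one name is enough to demo).
SYSTEM_DLL_NAMES = frozenset({"version.dll"})


def classify_names(names: Iterable[str]) -> List[str]:
    """Return the file names that collide with a system DLL, lower-cased.

    Matching is case-insensitive because the Windows loader is.
    """
    return sorted(n.lower() for n in names if n.lower() in SYSTEM_DLL_NAMES)


def find_sideload_candidates(app_dir: Path) -> List[Dict[str, str]]:
    """Scan one application directory and hash every colliding DLL.

    The SHA-256 lets an analyst compare the file with the System32 copy or a
    threat-intelligence feed without trusting the file's own metadata.
    """
    files = {p.name: p for p in app_dir.iterdir() if p.is_file()}
    findings = []
    for name in classify_names(files):
        # files is keyed by original case; recover the path by lower-cased lookup
        path = next(p for n, p in files.items() if n.lower() == name)
        findings.append({
            "path": str(path),
            "name": name,
            "sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
        })
    return findings


def build_demo_tree() -> Path:
    """Construct a stand-in for a portable FileZilla folder (placeholder bytes)."""
    root = Path(tempfile.mkdtemp(prefix="fz_demo_"))
    (root / "filezilla.exe").write_bytes(b"MZ constructed placeholder, not a real PE")
    (root / "helper.dll").write_bytes(b"MZ constructed benign application library")
    # Mixed case on purpose: a case-sensitive comparison would miss it.
    (root / "Version.dll").write_bytes(b"MZ constructed rogue library placeholder")
    return root


def demo() -> List[Dict[str, str]]:
    """Build the constructed folder, scan it and print what an analyst would see."""
    findings = find_sideload_candidates(build_demo_tree())
    for f in findings:
        print(f"SIDELOAD CANDIDATE {f['path']} sha256={f['sha256']}")
    return findings


if __name__ == "__main__":
    demo()
```

On a real estate the same scan would be pointed at every directory that holds a user-launched executable, and a hash that differs from the System32 copy is the trigger for pulling the file for analysis.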
Implications and Defense Measures
Once the RAT is active, it lets attackers steal credentials, log keystrokes, capture desktop screenshots, and control the machine through a hidden virtual desktop session using HVNC (hidden VNC). This enables further malware downloads and navigation of the system without visible signs of intrusion to the user.
The sophistication of this campaign lies in its multi-stage loader architecture. The malicious DLL starts a chain of four loader stages, each decrypting and executing the next in memory rather than on disk, which makes detection by file-based scanners difficult. The malware communicates with its command-and-control server over DNS-over-HTTPS, disguising its lookups as ordinary HTTPS traffic.
Security experts emphasize downloading software only from official sources and treating unfamiliar links with suspicion. To counter threats like this, organizations should monitor HTTPS traffic towards public DNS resolvers and deploy behavior-based detection tools that can identify in-memory threats.
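The recommendation to monitor HTTPS traffic towards public DNS resolvers is straightforward to turn into a log check. The script below is an added example, not code from the article, and runs over constructed proxy log lines in an assumed space-separated format (timestamp, client IP, destination IP, destination port, TLS SNI, request path, content type, with "-" where the proxy saw nothing). It goes slightly beyond the article's advice: besides matching well-known public DoH hosts and addresses, it also flags the DoH protocol markers themselves (the /dns-query path and the application/dns-message media type from RFC 8484), which catch a resolver that is not on any list when TLS is inspected. The client addresses, timestamps and the unknown destination are made up.

```python
"""Spot DNS-over-HTTPS flows in egress proxy logs.

Added example, not code from the original article. The article's advice is to
watch HTTPS traffic toward public DNS resolvers; this does that over constructed
log lines in an assumed space-separated format:
    timestamp client_ip dst_ip dst_port tls_sni request_path content_type
with "-" for fields the proxy could not see (no TLS inspection). The resolver
names and addresses are well-known public DoH services; the client addresses,
timestamps and unknown destination (TEST-NET ranges) are made up.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Public DoH endpoints. RFC 8484 defines the application/dns-message media type,
# and /dns-query is the path these services use. Extend from your own lists.
PUBLIC_DOH_HOSTS = frozenset({
    "dns.google", "cloudflare-dns.com", "mozilla.cloudflare-dns.com", "dns.quad9.net",
})
PUBLIC_DOH_IPS = frozenset({"8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1", "9.9.9.9"})
DOH_PATH = "/dns-query"
DOH_MEDIA_TYPE = "application/dns-message"
FIELDS = ("ts", "client", "dst_ip", "dst_port", "sni", "path", "content_type")

# Constructed sample: one ordinary web request, repeated DoH to Google, DoH to an
# unknown host (only the protocol markers give it away), classic DNS on 53 that
# this check deliberately ignores, and an uninspected TLS session to Cloudflare.
SAMPLE_LOG = """\
2024-01-01T10:00:01Z 10.0.0.5 198.51.100.10 443 www.example.com /index.html text/html
2024-01-01T10:00:02Z 10.0.0.7 8.8.8.8 443 dns.google /dns-query application/dns-message
2024-01-01T10:00:03Z 10.0.0.7 8.8.8.8 443 dns.google /dns-query application/dns-message
2024-01-01T10:00:04Z 10.0.0.9 203.0.113.20 443 updates.example.net /dns-query application/dns-message
2024-01-01T10:00:05Z 10.0.0.5 1.1.1.1 53 - - -
2024-01-01T10:00:06Z 10.0.0.7 1.1.1.1 443 cloudflare-dns.com - -
"""


@dataclass(frozen=True)
class Finding:
    timestamp: str
    client: str
    destination: str
    reason: str


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one log line into named fields; malformed lines yield None."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def doh_reason(rec: Dict[str, str]) -> Optional[str]:
    """Explain why an HTTPS flow looks like DoH, or return None if it does not.

    Destination matching works on SNI/IP alone; the path and media-type checks
    need a proxy that inspects TLS, and also catch resolvers not on any list.
    """
    if rec["dst_port"] != "443":
        return None  # plain DNS and other ports are a different detection
    reasons = []
    if rec["sni"].lower() in PUBLIC_DOH_HOSTS or rec["dst_ip"] in PUBLIC_DOH_IPS:
        reasons.append("public DoH resolver")
    if rec["path"].startswith(DOH_PATH):
        reasons.append("dns-query path")
    if rec["content_type"].lower() == DOH_MEDIA_TYPE:
        reasons.append("dns-message media type")
    return ", ".join(reasons) or None


def detect_doh(log_text: str) -> List[Finding]:
    """Run the classifier over a log and collect the flows worth triaging."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reason = doh_reason(rec)
        if reason:
            dest = rec["sni"] if rec["sni"] != "-" else rec["dst_ip"]
            findings.append(Finding(rec["ts"], rec["client"], dest, reason))
    return findings


def clients_by_doh_count(findings: List[Finding]) -> Counter:
    """Rank clients by DoH flow count: a host that talks DoH while the rest of
    the estate uses the internal resolver is the one to look at first."""
    return Counter(f.client for f in findings)


if __name__ == "__main__":
    found = detect_doh(SAMPLE_LOG)
    for f in found:
        print(f"{f.timestamp} {f.client} -> {f.destination}: {f.reason}")
    print("clients:", dict(clients_by_doh_count(found)))
```

A match is a triage lead rather than a verdict: browsers and some operating systems use DoH legitimately, so the per-client count is what separates a workstation whose browser is configured for DoH from a single host that suddenly starts resolving through a public resolver the rest of the estate never touches.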
Users and security teams must stay informed and adopt safer download practices to defend against these sophisticated malware campaigns.
