Filezilla Trojan (Win32:Stealer) Silently Steals FTP Login Credentials
If you plan on downloading FileZilla, make sure you grab it from the official FileZilla website or Sourceforge and not some random website peddling the popular FTP client.
Otherwise you run the risk of downloading a Trojanized copy that’s been modified to steal your FTP credentials.
Evil copies of Filezilla aren’t anything new, but antivirus firm Avast and the Filezilla Project are urging users to be extra cautious after stumbling upon one of the largest campaigns promoting tainted copies of Filezilla via hacked third-party websites.
Users who unwittingly download the Trojan edition of FileZilla may not even realize that they’ve fallen victim to its login-stealing antics until it’s too late. The Trojan looks exactly like Filezilla and is fully functional.
The only discrepancies are the file size (the Trojan is a teensy bit smaller), two extra DLLs that are not included in the legitimate version (ibgcc_s_dw2-1.dll and libstdc++-6.dll), program updating issues, and information under the ‘About Filezilla’ window revealing the use of older SQLite/GnuTLS versions.
Whenever victims use the Trojan, their FTP login credentials are encoded using a custom base64 algorithm and shipped off to a server in Germany, allowing the attackers to use them as they please. It is assumed that they will use the stolen FTP logins to spread more malware.
The Filezilla Trojan boasts an extremely low antivirus detection rate, with only Avast and Ikarus being able to detect the threat. Avast identifies the malware as Win32:Stealer-AY[Trj] while Ikarus simply calls it Win32:Stealer.
Protecting Your PC from the Fake Filezilla Trojan (Win32:Stealer)
To help keep your computer safe, the Filezilla Project recommends that you:
- Only download Filezilla from:
- Verify the authenticity of your download by checking it against the SHA-512 hash of the unmodified file; both the file and its hash are available on the filezilla-project.org website (aka the official Filezilla website).
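The SHA-512 comparison recommended above, together with a check for the two extra DLLs listed among the discrepancies, as an added example that is not code from the article, Avast or the Filezilla Project. The function names and the sample files built in `demo()` are constructed for illustration; the real published hash has to be copied from filezilla-project.org.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

# DLL names the article lists as absent from the legitimate build,
# spelled exactly as the article gives them.
EXTRA_DLLS = {"ibgcc_s_dw2-1.dll", "libstdc++-6.dll"}


def sha512_file(path, chunk_size=1 << 20):
    """Hash the file in chunks so large installers are not read into memory."""
    digest = hashlib.sha512()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def matches_published_hash(path, published):
    """Compare a file against a published SHA-512 value.

    Accepts a bare hex digest or a "digest  filename" line, in either case.
    """
    fields = published.split()
    expected = fields[0].lower() if fields else ""
    if len(expected) != 128 or set(expected) - set("0123456789abcdef"):
        raise ValueError("published value is not a SHA-512 hex digest")
    return hmac.compare_digest(sha512_file(path), expected)


def extra_dlls_present(install_dir):
    """Return the article's extra DLL names found in an install directory."""
    return sorted(p.name for p in Path(install_dir).iterdir()
                  if p.is_file() and p.name.lower() in EXTRA_DLLS)


def demo():
    """Run both checks on constructed stand-in files (not real FileZilla data)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        installer = root / "setup_sample.exe"
        installer.write_bytes(b"constructed installer bytes")
        published = hashlib.sha512(b"constructed installer bytes").hexdigest().upper()
        intact = matches_published_hash(installer, published + "  setup_sample.exe\n")
        installer.write_bytes(b"constructed installer bytes, modified")
        tampered = matches_published_hash(installer, published)
        (root / "libstdc++-6.dll").write_bytes(b"")
        return intact, tampered, extra_dlls_present(root)
```

A hash mismatch means the download should be discarded; a hit from `extra_dlls_present` on an existing install is a reason to treat every FTP credential used with it as exposed.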