Unfolding Agent Tesla: The Art of Credentials Harvesting. Stealing FTP Getter Credentials
Analysis of Agent Tesla, A Close Look at Password Theft Technique
— Part — 14 — Stealing FTP Getter Credentials
“FTP Getter” appears to be a generic term that could refer to any FTP client software or utility used to interact with FTP servers for file transfers. There are various FTP client applications available, both free and paid, that allow users to connect to FTP servers, upload and download files, and manage their FTP connections.
The stealer routine starts by looking for the file at the path “AppData\Roaming\FTPGetter\servers.xml”.
So, I updated the path of FTP Getter because I was testing on the portable version to see how it extracts the creds; usually it uses Roaming\FTPGetter.
It follows these steps.
- Reading XML Data: The code reads XML data stored as an array of strings.
- Looping Through Lines: It then iterates through each line of the XML data.
- Extracting Server IP: Within each line, it checks for the presence of the “<server_ip>” tag. If found, it extracts the value enclosed between “<server_ip>” and “</server_ip>”, which typically represents the server’s IP address.
- Retrieving Server Username: Similarly, the code searches for the “<server_user_name>” tag and extracts the value between “<server_user_name>” and “</server_user_name>”, which contains the server’s username.
- Extracting Password: Finally, it looks for the “<server_user_password>” tag and extracts the value between “<server_user_password>” and “</server_user_password>”, which contains the server’s password.
It seems that FTP Getter stores passwords in plain text within its XML configuration files. In this case, an attacker can simply extract the passwords from these XML files and save them in a list for potential malicious use, such as unauthorized access to FTP accounts. Storing passwords in plain text is a significant security risk, as it makes it easier for attackers to steal sensitive credentials.
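The plain-text storage described above is something a defender can audit directly. The following is an added example, not Agent Tesla's code or FTP Getter's: it parses a constructed servers.xml with a real XML parser (instead of the stealer's line-by-line tag search), reports which saved profiles carry a clear-text password, and only ever returns a masked stand-in so the result can be logged safely. Only the three inner tag names come from the analysis; the `<servers>`/`<server>` wrapper elements and all sample values are assumptions.

```python
"""Audit an FTPGetter-style servers.xml for clear-text credential storage.

Added example (not the malware's or the product's code). The tag names
server_ip, server_user_name and server_user_password come from the
analysis; the surrounding <servers>/<server> structure is an assumption.
Passwords are never returned, only their masked length.
"""
import xml.etree.ElementTree as ET

# Constructed sample file; hosts, users and passwords are made up.
SAMPLE_SERVERS_XML = """<?xml version="1.0" encoding="utf-8"?>
<servers>
  <server>
    <server_ip>ftp.example.test</server_ip>
    <server_user_name>deploy</server_user_name>
    <server_user_password>Sup3rSecret!</server_user_password>
  </server>
  <server>
    <server_ip>10.0.0.5</server_ip>
    <server_user_name>anonymous</server_user_name>
    <server_user_password></server_user_password>
  </server>
</servers>
"""


def mask(secret: str) -> str:
    """Reveal only the length of a secret, never its content."""
    return "*" * len(secret) if secret else ""


def audit_servers_xml(xml_text: str) -> list[dict]:
    """Return one finding per saved server profile.

    A profile is any element that has a <server_ip> child, so the check
    does not depend on the exact wrapper structure of the file. Each
    finding records host, username, whether a clear-text password is
    present, and a masked stand-in for that password.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for entry in root.iter():
        ip_el = entry.find("server_ip")
        if ip_el is None:
            continue
        password = (entry.findtext("server_user_password") or "").strip()
        findings.append({
            "host": (ip_el.text or "").strip(),
            "user": (entry.findtext("server_user_name") or "").strip(),
            "plaintext_password": bool(password),
            "password_masked": mask(password),
        })
    return findings


def entries_with_plaintext_password(xml_text: str) -> list[str]:
    """Hosts whose saved profile includes a clear-text password."""
    return [f["host"] for f in audit_servers_xml(xml_text)
            if f["plaintext_password"]]


if __name__ == "__main__":
    for f in audit_servers_xml(SAMPLE_SERVERS_XML):
        status = "PLAINTEXT PASSWORD" if f["plaintext_password"] else "no password stored"
        print(f"{f['host']:<20} {f['user']:<12} {status} {f['password_masked']}")
```

Run against a real export of the file on a managed endpoint, any host returned by `entries_with_plaintext_password` is a credential worth rotating and moving out of the client's saved profiles, since anything with read access to the user's profile directory can harvest it exactly as the stealer does.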
Parts
Part — 1 — Dropper Analysis
https://osamaellahi.medium.com/unfolding-agent-tesla-the-art-of-credentials-harvesting-f1a988cfd137
Part — 2 — Browsers Stealing
https://osamaellahi.medium.com/unfolding-agent-tesla-the-art-of-credentials-harvesting-2d565c68db0d
Part — 3 — Discovery & Exfiltration
https://osamaellahi.medium.com/unfolding-agent-tesla-the-art-of-credentials-harvesting-7a77f69435ee
Part — 4 — Stealing FileZilla
https://osamaellahi.medium.com/unfolding-agent-tesla-the-art-of-credentials-harvesting-d30da9c36988
Part — 5 — Stealing The BAT! EMAIL CLIENT
https://osamaellahi.medium.com/unfolding-agent-tesla-the-art-of-credentials-harvesting-c3fe4854775b
Part — 6 — Stealing Outlook Credentials
https://osamaellahi.medium.com/unfolding-agent-tesla-the-art-of-credentials-harvesting-de3737f9d66e
Part — 7 — Stealing Trillian Credentials
https://osamaellahi.medium.com/unfolding-agent-tesla-the-art-of-credentials-harvesting-afa2dd6e9de7
Part — 8 — Stealing MailBird Credentials
https://osamaellahi.medium.com/unfolding-agent-tesla-the-art-of-credentials-harvesting-e5501af1c942
Part — 9 — Stealing WinSCP Credentials
https://osamaellahi.medium.com/unfolding-agent-tesla-the-art-of-credentials-harvesting-55e7b2c64d60
Part — 10 — Stealing Core FTP LE Credentials
https://osamaellahi.medium.com/unfolding-agent-tesla-the-art-of-credentials-harvesting-cdce40f6a747
Part — 11 — Stealing WinSCP Credentials
https://osamaellahi.medium.com/unfolding-agent-tesla-the-art-of-credentials-harvesting-db9bb6698041
Part — 12 — Stealing FTP Navigator Credentials
https://osamaellahi.medium.com/unfolding-agent-tesla-the-art-of-credentials-harvesting-59818a3686a3
Part — 13 — Stealing FTP Commander Credentials
https://osamaellahi.medium.com/unfolding-agent-tesla-the-art-of-credentials-harvesting-7d01a41d554b
Part — 14 — Stealing FTP Getter Credentials
https://osamaellahi.medium.com/unfolding-agent-tesla-the-art-of-credentials-harvesting-fe5ff29cc93c