In late 2013­­­–early 2014, a compromised FTP client dubbed “StealZilla,” based off the open source FileZilla FTP client was discovered. The attackers modified a few lines of code, recompiled the program, and disbursed the trojanized version on compromised web servers. This new attack appears to involve the same actors who reused the same techniques to alter the source code of the widely used open source Telnet/SSH client, PuTTY, and used their network of compromised web servers to serve up similar fake Putty download pages. This new campaign is like the StealZilla campaign in almost every way. This trojanized version of PuTTY harvests credentials and relays the information back to a collection server in the same way too. The operation is very quick and quiet. Login details are sent to attackers using an HTTP GET connection ONLY once.

The primary mode of infection relies on users to search for PuTTY and follow a link to a fake mirror rather than the legitimate PuTTY page. To increase the chances users reach the malicious mirrors, the attackers have used search engine optimization techniques. Some HTML pages hosted on the compromised servers reference PuTTY for Mac, PuTTY for Android platforms, or even more obscure things like PuTTY and shampoo, for example. The malicious PUTTY.exe (MD5 b5c88d5af37afd13f89957150f9311ca) comes in the PE format, just like the original. This trojanized version of PuTTY maintains a user interface and function seemingly similar to the original. One difference is the binary was compiled with a different version of Microsoft Visual C++ than PuTTY traditionally has been, and results in a slightly altered user interface. Also, the “About” button reveals altered information, being listed as “Unidentified build, Nov 29 2013 21:41:02.” Given that presumable compile time, that is only a couple of months after the release of PuTTY v0.63, which labels itself as “Release 0.63” under “About.”

When an SSH session is initiated, the credentials are harvested and sent in the same format used in the StealZilla campaign, except with SSH in place of FTP for the protocol.

“ssh://<username>:<password>@<IP address or domain>:<port>”

This string is then Base64 encoded and appended to the URI before the HTTP GET request is sent. This is the only malicious network traffic witnessed from this binary

It should be noted that Windows actually has a perfectly good native command line utility for computing file hashes: certutil -hashfile somefile SHA1 Algorithm could also be MD5, SHA256 or SHA512.