
Intelligence Brief: Versions of FileZilla May Be Compromised

January 30, 2014

Recently, FishNet Security’s gTIC team has discovered that versions of the FileZilla FTP client (versions 3.5.3 and 3.7.3) may be compromised. The original information and posting came from antivirus and security organization Avast. The commonly used FTP client has been found on multiple disreputable download sites to contain “additional” functionality that is not part of the legitimate application.

Once a user has downloaded the malicious version, it is not easy to tell that the application is not legitimate. The authors of the malicious application use an installer that is visually almost identical to the official one. Avast does note that the NullSoft installer used by the official application is v2.45-Unicode, while the malicious application uses v2.46.3-Unicode. Most users will not notice this difference, or the differences in the “About” information presented after install.

As stated by Avast:

“The only differences that can be seen at first glance are smaller filesize of filezilla.exe (~6,8 MB), 2 dll libraries ibgcc_s_dw2-1.dll and libstdc++-6.dll (not included in the official version) and information in “About FileZilla” window indicates the use of older SQLite/GnuTLS versions. Any attempt to update the application fails, which is most likely a protection to prevent overwriting of malware binaries.”

Additionally, since the malicious application performs the same functions as the legitimate one, it is even harder for users to spot that they are running a malicious build. Avast researchers identified code within the installed application indicating that an information-stealer function has been added, which collects and transmits the FTP connection information used by the user. The collected information is transmitted quickly and quietly, one time, over an ongoing FTP connection.

Avast posted the following network traffic that was identified when a malicious installation of FileZilla v3.7.3 was utilized:


The outbound communications were transmitted to IP As of this report, this IP has not been identified on any IP blacklists but has been identified in connection with domains:, and Each of these domains is registered through, which has historically been known to be associated with various nefarious activities.

File information provided by Avast for the installer and the created executables shows that AV vendors are beginning to detect the malicious files, but many are still not up to date on these files.

Malicious Installer v3.5.3
SHA256: 595D954C7CE574337C97A0801E779BC3DCA94FC92AFAE8F483DCDD1A053C5C24
VirusTotal Link (12/50 Detect):

Malicious FileZilla.exe v3.5.3
SHA256: 525E9ED135C1435772A774D7AD7168CECCD225E354118E621482DB61174F6734
VirusTotal Link (18/50 Detect):

Malicious Installer v3.7.3
SHA256: B9A12F9B6827144D84E65EF2BA454D77CB423C5E136F44BC8D3163D93B97F11F
VirusTotal Link (16/50 Detect):

Malicious FileZilla.exe v3.7.3
SHA256: 2451599C03B136C1848F538184F0F266973B65AFC8DD25F272A7E6B0555B657A
VirusTotal Link (18/50 Detect):
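As an added example (not part of this brief and not code from Avast or FishNet Security), the following Python script turns the indicators above into a local check: it hashes every file under a FileZilla install or download directory and compares the SHA256 against the four values listed, flags the two DLLs the Avast quote says are not shipped with the official build, and extracts the NSIS version marker from any .exe so it can be compared with the v2.45-Unicode vs. v2.46.3-Unicode difference noted earlier. The DLL name is taken as libgcc_s_dw2-1.dll (the quote renders it as “ibgcc_s_dw2-1.dll”; both spellings are checked), the NSIS marker regex is a heuristic assumption about NSIS stubs rather than something the brief states, and the directory layout and file contents in `demo()` are constructed for illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# SHA256 indicators copied from the brief (hex digests are compared upper-cased).
KNOWN_BAD_SHA256 = {
    "595D954C7CE574337C97A0801E779BC3DCA94FC92AFAE8F483DCDD1A053C5C24": "Malicious Installer v3.5.3",
    "525E9ED135C1435772A774D7AD7168CECCD225E354118E621482DB61174F6734": "Malicious FileZilla.exe v3.5.3",
    "B9A12F9B6827144D84E65EF2BA454D77CB423C5E136F44BC8D3163D93B97F11F": "Malicious Installer v3.7.3",
    "2451599C03B136C1848F538184F0F266973B65AFC8DD25F272A7E6B0555B657A": "Malicious FileZilla.exe v3.7.3",
}

# DLLs that Avast reports are present only in the trojanized build.
# "ibgcc_s_dw2-1.dll" is the spelling in the quote; libgcc_s_dw2-1.dll is the
# MinGW runtime name we assume was meant, so both are matched.
SUSPICIOUS_DLLS = {"libgcc_s_dw2-1.dll", "ibgcc_s_dw2-1.dll", "libstdc++-6.dll"}

# Heuristic (assumption): NSIS-built installers carry a plain-text
# "Nullsoft Install System vX.YY" marker in the stub; we pull it out so the
# version can be compared with the official v2.45-Unicode build.
NSIS_MARKER = re.compile(rb"Nullsoft Install System v([0-9][0-9A-Za-z.\-]*)")


def sha256_of_file(path, chunk_size=1 << 20):
    """Stream the file through SHA256 and return an upper-case hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest().upper()


def classify_hash(hex_digest):
    """Return the indicator label for a known-bad SHA256, or None if unknown."""
    return KNOWN_BAD_SHA256.get(hex_digest.strip().upper())


def nsis_version(path):
    """Return the NSIS stub version string embedded in an installer, or None."""
    with open(path, "rb") as f:
        data = f.read()
    m = NSIS_MARKER.search(data)
    return m.group(1).decode("ascii", "replace") if m else None


def scan_directory(root):
    """Walk `root` and return (relative path, reason) findings, sorted."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = str(path.relative_to(root))
        label = classify_hash(sha256_of_file(path))
        if label:
            findings.append((rel, "hash matches " + label))
        if path.name.lower() in SUSPICIOUS_DLLS:
            findings.append((rel, "DLL not shipped with official FileZilla"))
        if path.suffix.lower() == ".exe":
            ver = nsis_version(path)
            if ver:
                findings.append((rel, "NSIS stub version " + ver))
    return sorted(findings)


def demo():
    """Build a constructed sample directory (not real binaries) and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "FileZilla FTP Client"
        root.mkdir()
        # Constructed stand-ins: only the NSIS marker text matters here.
        (root / "FileZilla_setup.exe").write_bytes(
            b"MZ\x90\x00 Nullsoft Install System v2.46.3-Unicode \x00")
        (root / "filezilla.exe").write_bytes(b"MZ\x90\x00 constructed benign stand-in \x00")
        (root / "libstdc++-6.dll").write_bytes(b"MZ\x90\x00")
        (root / "fzsftp.exe").write_bytes(b"MZ\x90\x00")
        return scan_directory(root)


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{rel}: {reason}")
```

A hash match is the only conclusive result; the DLL and NSIS-version checks are triage signals that say a build deserves a closer look, since a future repack would change the hashes but not necessarily the extra runtime DLLs or installer stub.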

To help protect your environment, FishNet Security recommends that organizations review their firewall configurations and policies for FTP communications. Additionally, many organizations provide known-malicious IP/URL blacklists that can be used within firewall and IDS/IPS solutions. Current FishNet Security MSS clients have access to IP/URL blacklists through the gTIC page within the MSS client portal, to help identify malicious activity. IPs identified within this report should be included in any firewall and IPS/IDS blocking rules.

Further steps include reviewing policies and procedures around the installation of applications on corporate devices, to prevent unnecessary and potentially malicious applications from being installed. As with any software download and installation, make sure you obtain the application from an official source.

Additional information may be found on Avast’s blog:
