1. Home
  2. Software
  3. ftp

ftp

ftp is a utility commonly available with operating systems to transfer information over the File Transfer Protocol (FTP). Adversaries can use it to transfer other tools onto a system or to exfiltrate data.[1][2]

ID: S0095
Associated Software: ftp.exe
Type: TOOL
Platforms: Linux, Windows, macOS
Version: 2.0
Created: 31 May 2017
Last Modified: 07 March 2022
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1048 .003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol

ftp may be used to exfiltrate data separate from the main command and control protocol.[1][2]
Enterprise T1105 Ingress Tool Transfer

ftp may be abused by adversaries to transfer tools or files from an external system into a compromised environment.[1][2]
Enterprise T1570 Lateral Tool Transfer

ftp may be abused by adversaries to transfer tools or files between systems within a compromised environment.[1][2]

Groups That Use This Software

ID Name References
G0019 Naikon

[3]
G0049 OilRig

[4]
G0064 APT33

[5]
G0087 APT39

[6]
G0096 APT41

[7]

References

  1. Microsoft. (2021, July 21). ftp. Retrieved February 25, 2022.
  2. N/A. (n.d.). ftp(1) - Linux man page. Retrieved February 25, 2022.
  3. Baumgartner, K., Golovkin, M.. (2015, May). The MsnMM Campaigns: The Earliest Naikon APT Campaigns. Retrieved April 10, 2019.
  4. Grunzweig, J. and Falcone, R.. (2016, October 4). OilRig Malware Campaign Updates Toolset and Expands Targets. Retrieved May 3, 2017.
  1. Security Response attack Investigation Team. (2019, March 27). Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.. Retrieved April 10, 2019.
  2. FBI. (2020, September 17). Indicators of Compromise Associated with Rana Intelligence Computing, also known as Advanced Persistent Threat 39, Chafer, Cadelspy, Remexi, and ITG07. Retrieved December 10, 2020.
  3. Glyer, C, et al. (2020, March). This Is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits. Retrieved April 28, 2020.