The Kryptik trojan was created to obtain information on an infected host’s FTP servers. It queries the Windows registry for the .ini or .dat file paths. It also queries registry subkeys for the actual host, username, and password related to the specific FTP client application. Kryptik searches the registry, querying for both ftpIniName and InstallDir that hold the wcx_ftp.ini file. The trojan can recover many common FTP clients, email clients, file browsers, and file manager programs. Kryptik also can update itself and remotely download new versions.
- December 2015: Kryptik trojan was found on the network of the Ukrainian power companies targeted in a cyberattack. (Fortinet)
- Technical details are provided by Fortinet, here.