Threat Actors Abuse FTP to Execute Malicious Scripts

By Samarth Desai, 3/3/2025
#CyberSecurity
#APTThreats
#FTPAbuse

I realize that you may be aware of ftp.exe's usage in data exfiltration, but let's discuss its capability for command execution.

Mustang Panda's attack chain often starts with spear-phishing emails carrying malicious attachments or links, which give them initial access to the target system. When the attachment is opened or the link is clicked, the malware payload runs, usually through malicious documents or shortcut files. Persistence is attained by creating registry keys or employing Windows Management Instrumentation (WMI) event subscriptions, and several methods are used to escalate privileges on the compromised system.


To avoid detection, Mustang Panda uses advanced techniques such as sideloading malware through legitimate applications and encrypting their communications. They harvest credentials with custom batch scripts and conduct reconnaissance on the infected system to map the network and identify other systems. With stolen credentials or other means, they move laterally within the network, harvesting sensitive information from the systems they compromise. Finally, the gathered data is encrypted and exfiltrated to their command-and-control (C2) servers.

Cado Security Labs has recently published insights on malicious operations attributed to Mustang Panda, which they call Horned Werewolf. In this operation, the attacker made a clever move by abusing ftp.exe to run an FTP script embedded in a file masquerading as a PDF: C:\Windows\System32\ftp.exe -s:"แบบตอบรับ.pdf".

Be aware that when you hunt for ftp.exe executions with the -s parameter, you will probably find a lot of false positives. That is still acceptable for threat hunting, but narrow your attention to script files with PDF and other extensions that are not typical for holding commands or scripts.
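The hunting logic described above, turned into a small triage script. This is an added example, not code from the post or from Cado Security Labs: it scans process-creation events (constructed here as dictionaries with Sysmon-style `Image`, `CommandLine` and `ParentImage` fields), pulls the file name out of the `-s:` argument, and rates the event "high" when that file carries an extension that is unusual for an FTP command script and "low" when it looks like an ordinary script file. The allowlist of expected extensions is an assumption to tune for your environment.

```python
"""Triage ftp.exe -s:<script> executions by the extension of the script file.

Added example; the sample events below are constructed, not real telemetry.
"""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Extensions under which FTP command scripts are plausibly stored in normal
# administration. Anything else (documents, images, archives, no extension)
# is the stronger signal the post points at. Assumed allowlist; tune locally.
EXPECTED_SCRIPT_EXTENSIONS = {".txt", ".ftp", ".scr", ".cmd", ".bat"}

# ftp.exe reads its commands from the file named by -s:<file>. The file name
# may be quoted when it contains spaces or non-ASCII characters.
SCRIPT_ARG = re.compile(r'(?<!\S)-s:(?:"([^"]*)"|(\S+))', re.IGNORECASE)


@dataclass
class Finding:
    severity: str      # "high" or "low"
    script_path: str   # file passed to -s:
    reason: str


def extract_script_path(command_line):
    """Return the -s: file name from a command line, or None if absent."""
    m = SCRIPT_ARG.search(command_line)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def is_ftp_image(image):
    """True when the process image is ftp.exe, whatever directory it ran from."""
    return PureWindowsPath(image).name.lower() == "ftp.exe"


def assess_event(event):
    """Return a Finding for one process-creation event, or None if not of interest."""
    if not is_ftp_image(event.get("Image", "")):
        return None
    script = extract_script_path(event.get("CommandLine", ""))
    if script is None:
        return None  # interactive ftp.exe session, no script file
    ext = PureWindowsPath(script).suffix.lower()
    if ext in EXPECTED_SCRIPT_EXTENSIONS:
        return Finding("low", script,
                       "ftp.exe -s: with a typical script extension (hunting lead only)")
    return Finding("high", script,
                   f"ftp.exe -s: reading commands from a {ext or 'extension-less'} file")


def hunt(events):
    """Run assess_event over a batch of events and keep the hits."""
    return [f for f in (assess_event(e) for e in events) if f is not None]


# Constructed sample events: the masqueraded PDF from the post, a routine
# scripted transfer, an interactive session, and an unrelated process.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\ftp.exe",
     "CommandLine": r'"C:\Windows\System32\ftp.exe" -s:"C:\Users\user\Downloads\แบบตอบรับ.pdf"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\ftp.exe",
     "CommandLine": r"ftp.exe -s:C:\Scripts\nightly_upload.txt",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\ftp.exe",
     "CommandLine": "ftp.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe -s:report.pdf",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(f"[{finding.severity}] {finding.script_path}: {finding.reason}")
```

Feed it your own process-creation events (Sysmon Event ID 1 or Security 4688 with command-line auditing enabled) and review the "high" findings first; the "low" ones remain useful baseline data for the hunt.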

In spite of the ingenuity of the bad guys, the process of installation is still quite noisy since it entails activities such as dropping an executable file into C:\ProgramData.
