Hosting Site Stores Stolen Files

Wednesday, February 15, 2012 @ 04:02 PM gHale

There is a smart piece of malware programmed to steal documents from an infected computer and upload them to the Sendspace file-hosting service.

Sendspace had been used before to store stolen data, because the service lets crooks “send, receive, track and share” big files, but this is the first time the process has been automated by malware, Trend Micro researchers said.


The infection begins with an executable file called Fedex_Invoice.exe, identified as TROJ_DOFOIL.GE; the file’s name hints that it may spread through a fake “FedEx failed delivery” spam campaign.

Once the file executes, it downloads and executes TSPY_SPCESEND.A, a Trojan that searches the local drive for Word and Excel documents, collecting them in a password-protected archive placed in the user’s temporary folder.

After it creates the archive, the Trojan uploads it to Sendspace and transmits the download link to the malware’s command-and-control (C&C) server. This way the crooks don’t have to store the stolen files on the C&C server; instead they retrieve them from the file-hosting service.
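As an added, defender-side example that is not from the article or from Trend Micro: the chain described above, an archive written to the user’s Temp folder followed shortly by a large POST to Sendspace, can be flagged by correlating endpoint file-creation events with proxy logs. The log formats, host names, sizes and the ten-minute window are assumptions for the sample data.

```python
import re
from datetime import datetime, timedelta

# Constructed sample data (not from the article): a proxy log and an
# endpoint file-creation log, both in a hypothetical whitespace format.
PROXY_LOG = """\
2012-02-15T15:58:02 ws-17 GET  http://www.example.com/index.html 312
2012-02-15T16:01:40 ws-17 POST http://www.sendspace.com/upload 4823114
2012-02-15T16:05:11 ws-22 GET  http://www.sendspace.com/file/abc123 9812
"""

FILE_EVENTS = """\
2012-02-15T16:00:55 ws-17 create C:\\Users\\bob\\AppData\\Local\\Temp\\docs.zip
2012-02-15T16:04:00 ws-22 create C:\\Users\\ann\\Documents\\report.docx
"""

UPLOAD_HOSTS = ("sendspace.com",)  # extend with other file-hosting domains
WINDOW = timedelta(minutes=10)     # archive creation must precede the upload by at most this
TEMP_ARCHIVE = re.compile(r"\\temp\\[^\\]+\.(zip|rar|7z)$", re.IGNORECASE)

def parse(log):
    """Yield (timestamp, host, remaining fields) for each non-empty log line."""
    for line in log.splitlines():
        ts, host, *rest = line.split()
        yield datetime.fromisoformat(ts), host, rest

def find_exfil(proxy_log, file_events, min_bytes=1_000_000):
    """Return (host, upload_time, archive_path) for hosts that wrote an archive
    into a Temp folder and then POSTed a large body to a file-hosting site."""
    archives = {}
    for ts, host, (action, path) in parse(file_events):
        if action == "create" and TEMP_ARCHIVE.search(path):
            archives.setdefault(host, []).append((ts, path))
    hits = []
    for ts, host, (method, url, size) in parse(proxy_log):
        domain = url.split("/")[2]
        if method != "POST" or int(size) < min_bytes:
            continue
        if not any(domain == d or domain.endswith("." + d) for d in UPLOAD_HOSTS):
            continue
        for ats, path in archives.get(host, []):
            if timedelta(0) <= ts - ats <= WINDOW:
                hits.append((host, ts.isoformat(), path))
    return hits

if __name__ == "__main__":
    for host, when, path in find_exfil(PROXY_LOG, FILE_EVENTS):
        print(f"{host}: {path} uploaded to file-hosting site at {when}")
```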

“We’ve seen dropsites/dropzones for stolen/exfiltrated data that are hosted also within domains owned by the cybercriminals. Now, we’re seeing legitimate ‘clouds’ being used by criminals where they can drop and pick up their loot,” said Trend Micro Solutions Evangelist Ivan Macalintal.

This discovery is bothersome because it shows that information theft and exfiltration are not limited to targeted attacks; they appear in mass campaigns as well.

This is a perfect time for users to check their personal documents, especially those stored on company computers, and make sure all sensitive files are in a safe place.
