Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Mobile Vulnerabilities

  • Zero-Day Alerts

  • Recent Posts

  • Calendar

    September 2015
    S M T W T F S
    « Aug    
  • Email Subscription

  • About Us

    We recently discovered a Trojan that harvested documents on affected systems and uploaded them to the file hosting site, This post will discuss more of our findings on the said attack.

    In order to infect users, email disguised as a shipment notification from Fedex were mass-mailed to target victims.

    This email contains a downloader Trojan which installs TSPY_SPCESEND.A.” This downloader also installs other malicious executables on affected systems including FAKEAV variants from the BestAV affiliate network and FakeHDD variants from the Yamba network. These were observed to be downloaded from compromised, legitimate websites.

    Furthermore, this downloader Trojan also shares the same C&C with the TSPY_SPCESEND.A. This strongly suggests that the document-stealing sendspace Trojan is pushed by cybercriminals who are also involved in the Pay-Per-Sell (PPS) underground business.

    Command and Control Server

    After the malware uploads a .ZIP archive containing the victim’s documents to sendspace, it sends the sendspace download link along with a unique ID, the password for the .ZIP archive and the victim’s IP address to the command and control (C&C) server.

    As of this writing, we have seen at least three C&C servers used by the malware: {BLOCKED}, {BLOCKED}, and {BLOCKED} . These three domains point to the IP addresses and These IPs, along with a number of IPs in the same range, have records of hosting malicious files since July 2011. These malicious files included variants of bots such as BFBot (Palevo), NgrBot, and IRCBot.

    Digging deeper into the directory structure of the C&C server shows an “open directory” that contains a log file that records this information.

    There are two logs files that contain the same data: log.txt and serialse.txt. The only difference is that serialse.txt is formatted for automated, programmatic parsing (it appears to be in JSON format). The contents of the log file contain the following information about the victims and the uploaded data:

    We processed the log file and found that there have been 18,644 unique victims (based on a victim ID assigned by the malware) with 21,929 unique IP addresses (spanning over 150 countries) and 19,695 unique sendspace URLs generated.

    Country Victims (based on IP address)
    United States 13,939
    United Kingdom 1,877
    India 669
    Canada 619
    Australia 568
    Spain 391
    China 304
    Mexico 292
    Turkey 206
    Colombia 189
    Germany 178
    United Arab Emirates 139
    South Africa 134
    France 121
    The Netherlands 120

    Some of the victims have been identified by looking up the IP addresses in the WhoIs databases of the Regional Internet Registries. While the majority consists of IP addresses in the ranges of ISPs (i.e. the subscribers of residential and commercial ISP services) we were able to identify several government, academic and corporate networks.

    Trend Micro and Sendspace Efforts

    We contacted sendspace upon discovering the attack. We assisted them by sharing our findings in order for them to deploy proper mitigation measures.

    At the time the attack was reported, sendspace discovered and removed more than 75,000 uploaded malicious archives from their server. Based on the upload logs, the first archive was uploaded on December 25, 2011, which may indicate the start of the malicious campaign.

    As a result of our collaboration with sendspace, they are currently monitoring their servers through an automated job that blocks archives uploaded by the sendspace Trojan every few minutes. This effectively removes innocent users’ stolen documents from their server, therefore preventing the perpetrators behind this attack from retrieving stolen data.

    Trend Micro is pleased to assist sendspace in mitigating this abuse to their service. Nevertheless, this is probably not the last time similar attacks will take place. As always, Trend Micro is willing to assist in any effort that will make the Internet a safer place for everyone.

    Hat tip to Senior Threat Researcher Nart Villeneuve for additional research. 

    We would like to thank Martin Amps for assisting with data collection from Sendspace.

    Share this article
    Get the latest on malware protection from TrendLabs
    Email this story to a friend   Technorati   NewsVine   MySpace   Google   Live   StumbleUpon

    Comments are closed.


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice