It appears that information theft has taken a new form: we’ve found a piece of malware that steals image files from every drive of an affected system and then sends them to a remote FTP server.
Detected as TSPY_PIXSTEAL.A, this particular malware opens a hidden command line and copies all .JPG, .JPEG, and .DMP files. .JPG and .JPEG are common image file formats, while .DMP files are memory dump files written when a system stops unexpectedly; they are meant to help diagnose the crash, but they contain a copy of whatever was in memory at the time, which can include sensitive data.
The images below show TSPY_PIXSTEAL.A copying the files from drives C, D, and E of the affected system into its C:\ drive.
Once done, it connects to an FTP server and uploads the first 20,000 of the copied files. Though this appears tedious, the potential gain for cybercriminals, should they succeed in stealing the information, is high. Information theft routines have mostly been limited to information in text form, so this malware poses a new kind of risk for users. Users typically rely on photos to store information, both personal and work-related, so the risk of information leakage is very high. Collected photos can be used for identity theft or blackmail, or even in future targeted attacks.
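As an added example, not code from the original post or from Trend Micro, here is detection logic for the two stages described above: the staging of image and dump files in C:\ and the bulk FTP upload. The host file listing, the FTP command-log format, the IP addresses and the thresholds are all constructed here for illustration (the post does not say the copies land directly in the root of C:\, so that is an assumption); a real deployment would feed it a directory listing and whatever FTP proxy or firewall log it actually has.

```python
"""Detection for PIXSTEAL-style behaviour: image/dump files piled into the
drive root, then many STOR commands to one FTP server.

Added example; the log format, paths and thresholds are constructed."""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# File types the post says the malware copies and then uploads.
TARGET_EXTS = {".jpg", ".jpeg", ".dmp"}


def staged_files(paths, root="C:\\"):
    """Return the paths that sit directly under `root` (no subfolder) and carry
    a target extension. Assumption: the copies are dropped in the root of C:\\,
    which the post's description suggests but does not state outright."""
    root = PureWindowsPath(root)
    return [p for p in paths
            if PureWindowsPath(p).parent == root
            and PureWindowsPath(p).suffix.lower() in TARGET_EXTS]


def staging_suspected(paths, threshold=100):
    """Flag a host when many image/dump files have been dropped in the drive root.
    The threshold is an assumed tuning value; ordinary systems rarely keep a
    pile of photos or crash dumps directly in C:\\."""
    return len(staged_files(paths)) >= threshold


# Constructed FTP command-log line format (assumed, not from the post):
#   <date> <time> <client-ip> -> <server-ip>:<port> <FTP command> [<argument>]
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<port>\d+) "
    r"(?P<cmd>[A-Z]+)(?: (?P<arg>.*))?$"
)


def parse_ftp_log(lines):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            yield m.groupdict()


def bulk_image_uploads(lines, threshold=20):
    """Return {(client, server): count} for every client/server pair that issued
    at least `threshold` STOR commands for files with a target extension.
    Counting per pair, not per host, isolates the exfiltration session from
    unrelated FTP use by the same client."""
    counts = defaultdict(int)
    for rec in parse_ftp_log(lines):
        if rec["cmd"] != "STOR" or not rec["arg"]:
            continue
        if PureWindowsPath(rec["arg"]).suffix.lower() in TARGET_EXTS:
            counts[(rec["src"], rec["dst"])] += 1
    return {pair: n for pair, n in counts.items() if n >= threshold}


# Constructed host listing: 100 photos and 20 dumps staged in C:\, plus two
# files in their normal locations that must not count.
SAMPLE_HOST_LISTING = (
    [f"C:\\photo{i:03d}.jpg" for i in range(100)]
    + [f"C:\\MEMORY{i}.DMP" for i in range(20)]
    + ["C:\\Windows\\notepad.exe", "C:\\Users\\bob\\Pictures\\holiday.jpeg"]
)

# Constructed FTP log: one client uploading 25 photos to one server, and a
# second client doing a small, legitimate-looking transfer elsewhere.
SAMPLE_FTP_LOG = (
    ["2012-10-29 10:15:00 10.0.0.5 -> 203.0.113.7:21 USER anonymous",
     "2012-10-29 10:15:00 10.0.0.5 -> 203.0.113.7:21 PASS guest"]
    + [f"2012-10-29 10:15:{i:02d} 10.0.0.5 -> 203.0.113.7:21 STOR photo{i:03d}.jpg"
       for i in range(25)]
    + ["2012-10-29 10:16:00 10.0.0.8 -> 203.0.113.9:21 STOR report.txt",
       "2012-10-29 10:16:01 10.0.0.8 -> 203.0.113.9:21 STOR logo.jpg",
       "this line is not in the expected format"]
)

if __name__ == "__main__":
    print("staging suspected:", staging_suspected(SAMPLE_HOST_LISTING))
    print("bulk uploads:", bulk_image_uploads(SAMPLE_FTP_LOG))
```

The two checks are deliberately independent: the staging check runs on the host (a file listing from EDR or a scheduled inventory), while the upload check runs on network logs, so either one catches the activity if the other data source is missing. Both thresholds should be tuned against a baseline of the environment, since a developer machine that routinely writes crash dumps to C:\ would otherwise generate noise.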