We’ve recently encountered malware that grabs MS Word and Excel files from users’ infected systems and then uploads them to the file hosting site sendspace.com. Sendspace is a file hosting website that offers file hosting to enable users to “send, receive, track and share your big files.”
Sendspace was recently used as a drop site for stolen data, but in that case the upload was not done automatically by malware. As reported late last year, hackers used Sendspace to round up and upload stolen data.
However, this is the first time we’re seeing malware being used to upload stolen data to the file hosting and transfer site.
In this attack, the infection starts off with a malicious file, Fedex_Invoice.exe, detected as TROJ_DOFOIL.GE. The file name used for this particular malware suggests that it is being used for a spam campaign, specifically one that uses messages disguised as a FedEx shipment notification. We are currently trying to find a sample of the mentioned spammed message.
Once executed, TROJ_DOFOIL.GE downloads and executes TSPY_SPCESEND.A.
TSPY_SPCESEND.A is a “grab and go” Trojan that searches the local drive of an affected system for MS Word and Excel files. The collected documents are then archived in the user’s temporary folder and password-protected with a randomly generated password. Here’s an example of an archive of collected documents:
After creating the archive, TSPY_SPCESEND.A sends it to Sendspace.com:
Once the upload is done, the malware retrieves the Sendspace download link, and then sends the link to the C&C server, along with the generated password for the archive:
Here is a screenshot of the Sendspace page leading to the archive of collected documents:
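The behaviour described above (a large upload to a public file host, followed shortly by a small outbound request carrying the download link and archive password to a C&C server) leaves a recognisable pattern in web proxy logs. The following detection heuristic is an added example written for this entry; it is not Trend Micro’s code and not derived from the malware. It assumes a simplified, constructed proxy log format of “timestamp client_ip method host bytes_sent”, a watchlist of file-hosting domains (only sendspace.com is taken from the post), and size and time thresholds that are placeholders an analyst would tune for their own environment.

```python
"""Heuristic detection of 'grab-and-go' document exfiltration via public file hosts.

Added example, not Trend Micro's code. Looks for a large POST/PUT to a watched
file-hosting domain and, from the same client within a short window, a small
POST to some other host (the link-and-password hand-off to a C&C server).
"""
import re
from datetime import datetime, timedelta

# Watched file-hosting domains. sendspace.com comes from the post; an organisation
# would extend this set with its own watchlist.
FILE_HOST_DOMAINS = {"sendspace.com"}

# Constructed thresholds (assumptions, to be tuned per environment).
UPLOAD_THRESHOLD_BYTES = 500_000          # what counts as a "large" upload
BEACON_MAX_BYTES = 4_096                  # a link + password is tiny
FOLLOW_UP_WINDOW = timedelta(minutes=5)   # how soon the C&C hand-off must follow

# Constructed sample proxy log lines (not real traffic). Format:
# <ISO timestamp> <client_ip> <method> <host> <bytes_sent>
SAMPLE_LOG = """\
2012-02-01T10:00:01 10.0.0.5 GET www.example.org 512
2012-02-01T10:01:10 10.0.0.5 POST upload.sendspace.com 2400000
2012-02-01T10:01:42 10.0.0.5 POST cnc-placeholder.invalid 310
2012-02-01T10:03:00 10.0.0.7 POST upload.sendspace.com 1800000
2012-02-01T10:15:00 10.0.0.7 POST www.example.org 800
2012-02-01T10:20:00 10.0.0.9 GET www.sendspace.com 1400
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST|PUT) (\S+) (\d+)$")


def parse_log(log_text):
    """Parse the constructed log format into a time-sorted list of events."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than failing the whole run
        ts, client, method, host, sent = m.groups()
        events.append({
            "time": datetime.fromisoformat(ts),
            "client": client,
            "method": method,
            "host": host.lower(),
            "bytes": int(sent),
        })
    events.sort(key=lambda e: e["time"])
    return events


def is_file_host(host):
    """True if host is a watched domain or one of its subdomains."""
    return any(host == d or host.endswith("." + d) for d in FILE_HOST_DOMAINS)


def find_exfil_candidates(log_text):
    """Return one alert per large upload to a watched file host.

    Severity is 'high' when the same client makes a small POST/PUT to a
    non-file-host within FOLLOW_UP_WINDOW (the link/password hand-off),
    otherwise 'medium' (large upload alone, worth triage).
    """
    events = parse_log(log_text)
    alerts = []
    for i, ev in enumerate(events):
        if ev["method"] not in ("POST", "PUT"):
            continue
        if not is_file_host(ev["host"]) or ev["bytes"] < UPLOAD_THRESHOLD_BYTES:
            continue
        follow_up = None
        for later in events[i + 1:]:
            if later["time"] - ev["time"] > FOLLOW_UP_WINDOW:
                break  # events are sorted, nothing later can be in the window
            if (later["client"] == ev["client"]
                    and later["method"] in ("POST", "PUT")
                    and not is_file_host(later["host"])
                    and later["bytes"] <= BEACON_MAX_BYTES):
                follow_up = later["host"]
                break
        alerts.append({
            "client": ev["client"],
            "upload_host": ev["host"],
            "bytes": ev["bytes"],
            "follow_up": follow_up,
            "severity": "high" if follow_up else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in find_exfil_candidates(SAMPLE_LOG):
        print(alert)
```

On the constructed log, the first client trips a high-severity alert (large upload to the file host, then a 310-byte POST elsewhere half a minute later), the second client trips a medium-severity alert (its only other POST falls outside the window), and the third client, which merely browsed the file host, produces nothing. Pairing the upload with the small follow-up request is what separates this pattern from an employee legitimately sharing a large file.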
Storing Exfiltrated Data to External File Storage Infrastructures As a New Trend
Malware utilizing free online services is definitely not unheard of. Utilizing a public file hosting site is yet another clever way for cybercriminals to store stolen data, as they do not need to set up a server of their own to store large amounts of data.
Trend Micro Solutions Evangelist Ivan Macalintal shared that this technique of posting stolen/exfiltrated data to ‘extended networks’ or external file storage infrastructures can fast become a trend with the criminals. “We’ve seen dropsites/dropzones for stolen/exfiltrated data that are hosted also within domains owned by the cybercriminals. Now, we’re seeing legitimate ‘clouds’ being used by criminals where they can drop and pick up their loot,” he explained.
In addition, this highlights a serious concern for the security industry and users alike. Document theft and exfiltration are now not only seen in targeted attacks, but in mass campaigns as well.
Trend Micro Smart Protection Network™ protects users from this threat by blocking the malicious files, and the C&C URL. We will update this entry once we’ve gained more information about the related spammed messages.