Trend Micro researchers say that Sendspace was used on previous occasions to store stolen data because the service allowed crooks to “send, receive, track and share” big files, but the process was never done automatically by a malware.
The infection begins with an executable file called Fedex_Invoice.exe, identified as TROJ_DOFOIL.GE, the file’s name hinting that it may be spread with the use of a fake “FedEx failed delivery” spam campaign.
Once the file is executed, it downloads and executes TSPY_SPCESEND.A, a Trojan that searches the local drive for Word and Excel documents, collecting them in a password-protected archive placed in the user’s temporary folder.
After the archive is created, it’s uploaded to Sendspace, its download link being transmitted to the malware’s command and control server. This way the crooks don’t have to store all the files on the C&C, instead they access them from the file hosting service.
“We’ve seen dropsites/dropzones for stolen/exfiltrated data that are hosted also within domains owned by the cybercriminals. Now, we’re seeing legitimate ‘clouds’ being used by criminals where they can drop and pickup their loot,” Trend Micro Solutions Evangelist Ivan Macalintal said.
This discovery is worrying because it means that information theft and exfiltration are not specific only for targeted attacks, but they’re present in mass campaigns as well.
This is a perfect time for users to check their personal documents, especially if they’re stored on company computers and make sure that all the sensitive files are stored in a safe place. Also, antivirus solutions should be checked to see if they’re up to date, as they can easily prevent such attacks.