A new breed of malware has taken data theft one step further – it now grabs document and spreadsheet files and uploads them to a cloud-based file hosting service.
Computer security firm Trend Micro said the new malware it recently encountered particularly sends the stolen files to Sendspace.com.
“Sendspace was recently used for dropping stolen data but wasn’t done automatically by malware. As reported late last year, hackers used Sendspace for rounding up and uploading stolen data… However, this is the first time we’re seeing malware being used to upload stolen data to the file hosting and transfer site,” it said.
In this attack, the infection starts with a malicious file, Fedex_Invoice.exe, detected as TROJ_DOFOIL.GE.
Trend Micro said the filename suggests the malware is used for a spam campaign using messages disguised as a FedEx shipment notification.
Once executed, TROJ_DOFOIL.GE downloads and executes
TSPY_SPCESEND.A, a “grab and go” Trojan that searches the local drive of an affected system for MS Word (document) and Excel (spreadsheet) files.
“The collected documents are then archived and password-protected using a random-generated password in the user’s temporary folder,” Trend Micro said.
After creating the archive, TSPY_SPCESEND.A sends it to Sendspace.com and the malware retrieves the Sendspace download link, and then sends the link to the command-and-control server, along with the generated password for the archive.
“Malware utilizing free online services are definitely not unheard of. Utilizing a public file hosting site is yet another clever way for cybercriminals to store stolen data as they do not need to set up a server that will store large amount of data,” Trend Micro said.
Possible new trend
It added such use of “extended networks” or external file storage infrastructures can fast become a trend with the criminals.
“We’ve seen dropsites/dropzones for stolen/exfiltrated data that are hosted also within domains owned by the cybercriminals. Now, we’re seeing legitimate ‘clouds’ being used by criminals where they can drop and pickup their loot,” it said.
It added this may be a serious concern for the security industry and users alike.
“Document theft and exfiltration are now not only seen in targeted attacks, but in mass campaigns as well,” it said. — TJD, GMA News
Article source: http://ph.news.yahoo.com/kind-malware-steals-uploads-docs-cloud-060408348.html
View full post on National Cyber Security » Virus/Malware/Worms
