Feed aggregator
Infocus: Enterprise Intrusion Analysis, Part One
Infocus: Responding to a Brute Force SSH Attack
Infocus: Data Recovery on Linux and ext3
Infocus: WiMax: Just Another Security Challenge?
Mark Rasch: Lazy Workers May Be Deemed Hackers
Mark Rasch: Hacker-Tool Law Still Does Little
SB12-030: Vulnerability Summary for the Week of January 23, 2012
SB12-023: Vulnerability Summary for the Week of January 16, 2012
SB12-016: Vulnerability Summary for the Week of January 9, 2012
TA12-010A: Microsoft Updates for Multiple Vulnerabilities
SB12-009: Vulnerability Summary for the Week of January 2, 2012
TA12-006A: Wi-Fi Protected Setup (WPS) Vulnerable to Brute-Force Attack
SB12-002: Vulnerability Summary for the Week of December 26, 2011
SB11-360: Vulnerability Summary for the Week of December 19, 2011
SB11-353: Vulnerability Summary for the Week of December 12, 2011
Malware Uses Sendspace to Store Stolen Documents
We’ve recently encountered malware that grabs MS Word and Excel files from users’ infected systems and then uploads them to the file hosting site sendspace.com. Sendspace is a file hosting website that offers file hosting to enable users to “send, receive, track and share your big files.”
Sendspace has been used as a drop site for stolen data before, but in that case the upload was not performed automatically by malware. As reported late last year, attackers used Sendspace to collect and upload stolen data by hand.
However, this is the first time we’re seeing malware being used to upload stolen data to the file hosting and transfer site.
In this attack, the infection starts off with a malicious file, Fedex_Invoice.exe, detected as TROJ_DOFOIL.GE. The file name used for this particular malware suggests that it is being used for a spam campaign, specifically one that uses messages disguised as a FedEx shipment notification. We are currently trying to find a sample of the mentioned spammed message.
Once executed, TROJ_DOFOIL.GE downloads and executes TSPY_SPCESEND.A.
TSPY_SPCESEND.A is a “grab and go” Trojan that searches the local drive of an affected system for MS Word and Excel files. The collected documents are then archived in the user’s temporary folder and password-protected with a randomly generated password. Here’s an example of an archive of collected documents:
After creating the archive, TSPY_SPCESEND.A sends it to Sendspace.com:
Once the upload is done, the malware retrieves the Sendspace download link, and then sends the link to the C&C server, along with the generated password for the archive:
Here is a screenshot of the Sendspace page leading to the archive of collected documents:
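The behaviour described above leaves a two-step footprint on the network: a large outbound upload to a file-hosting site, followed shortly by a small request to a different host carrying the download link and password. The following is an added detection example, not code from the original post or from Trend Micro. It runs over constructed proxy log lines in a made-up `timestamp client method url bytes` format; the file-hosting domain list, the size threshold and the follow-up window are assumptions to be tuned per environment.

```python
"""Flag hosts that upload a large blob to a file-hosting site and then
contact another host shortly afterwards (upload-then-beacon pattern)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample proxy log (not real traffic). Fields:
# ISO timestamp, client IP, HTTP method, URL, request body bytes.
SAMPLE_LOG = """\
2012-02-01T09:00:01 10.1.2.3 GET http://intranet.example.local/index.html 512
2012-02-01T09:01:10 10.1.2.3 POST http://www.sendspace.com/upload 4587320
2012-02-01T09:01:42 10.1.2.3 POST http://203.0.113.10/gate.php 390
2012-02-01T09:05:00 10.1.2.4 POST http://www.sendspace.com/upload 2048000
2012-02-01T09:20:00 10.1.2.4 GET http://intranet.example.local/doc.html 420
2012-02-01T10:00:00 10.1.2.5 GET http://www.sendspace.com/file/abc123 1200
"""

# Assumptions for this example; adjust to the organisation's own baseline.
FILE_HOSTING_DOMAINS = {"sendspace.com"}
UPLOAD_THRESHOLD_BYTES = 1_000_000        # an archive of documents, not a form post
BEACON_WINDOW = timedelta(minutes=5)      # how soon after the upload the callback follows

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d+)$")


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, url, nbytes = m.groups()
    host = urlparse(url).hostname or ""
    return {
        "ts": datetime.fromisoformat(ts),
        "client": client,
        "method": method,
        "host": host.lower(),
        "bytes": int(nbytes),
    }


def is_file_hosting(host):
    """True if host is, or is a subdomain of, a listed file-hosting domain."""
    return any(host == d or host.endswith("." + d) for d in FILE_HOSTING_DOMAINS)


def detect_upload_then_beacon(log_text):
    """Return one alert per large upload to a file-hosting site.

    Severity is 'high' when the same client POSTs to a non-file-hosting host
    within BEACON_WINDOW after the upload (link/password hand-off), else 'medium'.
    """
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    by_client = defaultdict(list)
    for e in events:
        by_client[e["client"]].append(e)

    alerts = []
    for client, evs in by_client.items():
        evs.sort(key=lambda e: e["ts"])
        for i, e in enumerate(evs):
            if not (e["method"] == "POST" and is_file_hosting(e["host"])
                    and e["bytes"] >= UPLOAD_THRESHOLD_BYTES):
                continue
            # Look for a small POST to some other host soon after the upload.
            followups = [
                f for f in evs[i + 1:]
                if f["ts"] - e["ts"] <= BEACON_WINDOW
                and f["method"] == "POST"
                and not is_file_hosting(f["host"])
            ]
            alerts.append({
                "client": client,
                "upload_host": e["host"],
                "upload_bytes": e["bytes"],
                "beacon_hosts": [f["host"] for f in followups],
                "severity": "high" if followups else "medium",
            })
    return alerts


if __name__ == "__main__":
    for a in detect_upload_then_beacon(SAMPLE_LOG):
        print(a)
```

The plain download at 10:00 is ignored because it is a small GET; the 10.1.2.4 upload is reported at medium severity because nothing follows it within the window, while 10.1.2.3's upload plus an immediate POST to an unrelated address is the pattern worth escalating.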
Storing Exfiltrated Data to External File Storage Infrastructures As a New Trend
Malware that abuses free online services is definitely not unheard of. Using a public file hosting site is yet another convenient way for cybercriminals to store stolen data, since they do not need to set up and maintain a server capable of holding large amounts of data.
Trend Micro Solutions Evangelist Ivan Macalintal shared that this technique of posting stolen/exfiltrated data to ‘extended networks’ or external file storage infrastructures can fast become a trend with the criminals. “We’ve seen dropsites/dropzones for stolen/exfiltrated data that are hosted also within domains owned by the cybercriminals. Now, we’re seeing legitimate ‘clouds’ being used by criminals where they can drop and pick up their loot,” he explained.
In addition, this highlights a serious concern for the security industry and users alike. Document theft and exfiltration are now not only seen in targeted attacks, but in mass campaigns as well.
Trend Micro Smart Protection Network™ protects users from this threat by blocking the malicious files, and the C&C URL. We will update this entry once we’ve gained more information about the related spammed messages.
Post from: TrendLabs | Malware Blog - by Trend Micro