A Trojan uses Sendspace to store stolen documents

Date : June 01, 2012

Introduction

In this article, we analyse a blog post from antivirus vendor Trend Micro (see the end of the article for the exact reference) reporting a new Trojan that steals documents from an infected system and automatically uploads them to the Sendspace file hosting service. Although the blog post is a few months old (February 2012), it remains interesting: attackers have commonly used file hosting services to publish exfiltrated data, but to our knowledge this is the first time the process has been automated inside a piece of malware.

This article also gives us the opportunity to provide recommendations on the use of online storage services in a corporate environment.

Attack sequence
The system infection and the information theft take place in the following steps:

  1. The victim first receives a fake email disguised as a FedEx shipment notification. The message carries an attachment presented as the invoice for the shipment. In the case reported by Trend Micro, the file was named "Fedex_Invoice.exe".
  2. When the user launches this executable, it downloads and installs more malware on the system: a fake antivirus, adware and, the focus of this article, the information-stealing Trojan, which Trend Micro detects as "TSPY_SPCESEND.A".
  3. TSPY_SPCESEND.A then runs and immediately searches the system's hard drive for Word and Excel documents.
  4. It gathers these documents and compresses them into a single ZIP archive with a randomly chosen name. The archive is written to the user's temporary folder and protected with a randomly chosen password.
  5. The archive is then uploaded to the Sendspace file hosting service, and the download link generated by Sendspace is read back by the Trojan.
  6. Finally, the malicious code sends the following data to its Command and Control (C&C) server:
    • An identifier: a unique number assigned by the malware to identify the victim,
    • The Sendspace download link pointing to the ZIP archive (Sendspace links look like www.sendspace.com/file/xxxxxx),
    • The password required to open (decrypt) the ZIP file,
    • The IP address of the victim.

Consequences of the spam campaign and Sendspace reaction

Trend Micro analysed the log files the Trojan generated on the C&C server and, counting the unique victim identifiers found there, estimated that 18,644 systems had been infected. This is a small-scale attack compared with infections carried out by other malware using mass-mailing distribution. Note, however, that the infection, although modest, spread over more than 150 countries and affected government, academic and corporate networks, among others. The first ZIP archive was uploaded to Sendspace on December 25, 2011, which probably marks the start of the spam campaign.

Sendspace worked with Trend Micro and, following the investigation, removed more than 75,000 malicious archives from its servers. The hosting service has also set up an automated monitoring job that runs every few minutes and deletes archives uploaded by the malware, preventing the criminals behind the operation from retrieving the stolen data.

Evolution and Trends

This is the first time, in the context of our daily technology watch, that we have identified malware automatically using a file hosting service to store data stolen from infected computers. These services, sometimes referred to as "one-click hosters", are a convenient option for cybercriminals: they are free, and they remove the need to set up dedicated servers to store large volumes of stolen data.

Although the largest one-click hoster, MegaUpload, was shut down earlier this year by U.S. authorities, we believe that the number of malware families using such services could grow quickly. There are plenty of Sendspace-like hosters on the Internet (e.g. RapidShare, 4shared, MediaFire, Jumbofiles, Deposittfiles, Fileden, etc.), and using one from malware is a simple and convenient way to exfiltrate data: no authentication is required, no particular API is needed, and everything travels over plain HTTP. Automatic storage of stolen data in such public clouds could therefore become a trend among malware in the coming months and years.

Conclusion, recommendations

It is fairly common, in targeted attacks or in website compromises by "hacktivist" groups, to see stolen data uploaded to one-click hosting websites. The more serious concern today is that malware can automate this task, particularly malware spread through massive spam campaigns. We therefore consider it important to define strict security policies on access to public file hosting services from corporate networks. Simply blocking access to such services is, in our opinion, an efficient way to prevent many data exfiltration incidents. Because the list of hosters changes constantly, the block list should be complemented by monitoring of proxy logs for uploads to such services.
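The attack sequence above and the recommendation to block and monitor file hosting services can be turned into a small detection script. The following Python is an added example written for this article, not code from Trend Micro or from the malware analysis: it runs two checks over a constructed proxy log, a large POST to a known hoster (the upload of step 5) and a Sendspace download link being sent to some other host (the report to the C&C server of step 6), and it exposes the block decision as a function. The hoster domains, the proxy log format, the upload size threshold, the C&C beacon URL and its parameter names are all assumptions for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Domains for the one-click hosters named in the article. The names come from the
# article; the exact domains are assumptions, and a real block list would be longer
# and maintained over time.
ONE_CLICK_HOSTERS = {
    "sendspace.com", "rapidshare.com", "4shared.com", "mediafire.com",
    "jumbofiles.com", "depositfiles.com", "fileden.com",
}

# Sendspace download links look like www.sendspace.com/file/xxxxxx (from the article).
SENDSPACE_LINK_RE = re.compile(r"(?:www\.)?sendspace\.com/file/[A-Za-z0-9]+")

# A POST to a hoster whose body exceeds this size is treated as an upload (assumed threshold).
UPLOAD_THRESHOLD_BYTES = 100_000


@dataclass
class Alert:
    line_no: int
    reason: str
    host: str


def hoster_of(host: str) -> Optional[str]:
    """Return the hoster domain that `host` belongs to, or None if it is not a hoster."""
    h = host.lower().split(":")[0]  # drop any :port suffix
    for domain in ONE_CLICK_HOSTERS:
        if h == domain or h.endswith("." + domain):
            return domain
    return None


def policy_decision(host: str) -> str:
    """The article's recommendation as a decision: deny every request to a hoster."""
    return "deny" if hoster_of(host) else "allow"


def extract_sendspace_links(text: str) -> List[str]:
    """Pull every Sendspace download link out of a URL or request body."""
    return SENDSPACE_LINK_RE.findall(text)


def parse_line(line: str) -> dict:
    """Parse one line of the constructed proxy log format (an assumption):
    <timestamp> <client-ip> <method> <host> <path> <status> <bytes-sent-by-client>"""
    fields = line.split()
    if len(fields) != 7:
        raise ValueError(f"unexpected field count in log line: {line!r}")
    ts, client, method, host, path, status, bytes_out = fields
    return {"ts": ts, "client": client, "method": method.upper(), "host": host,
            "path": path, "status": int(status), "bytes_out": int(bytes_out)}


def analyse(log_lines: List[str]) -> List[Alert]:
    """Run both detections over the log and return the alerts in log order."""
    alerts: List[Alert] = []
    for n, line in enumerate(log_lines, start=1):
        rec = parse_line(line)
        hoster = hoster_of(rec["host"])
        # Detection 1: a large POST to a hoster, i.e. step 5 of the attack sequence.
        if hoster and rec["method"] == "POST" and rec["bytes_out"] >= UPLOAD_THRESHOLD_BYTES:
            alerts.append(Alert(n, "upload-to-hoster", hoster))
        # Detection 2: a Sendspace download link sent to a host that is not Sendspace,
        # i.e. the link being reported to a C&C server (step 6). A user browsing the
        # link on sendspace.com itself does not trigger this.
        if not hoster and extract_sendspace_links(rec["path"]):
            alerts.append(Alert(n, "sendspace-link-sent-elsewhere", rec["host"]))
    return alerts


# Constructed sample log (not real traffic). Line 3 mimics a C&C beacon carrying the
# victim id, the download link and the archive password in the query string; the
# beacon URL and parameter names are invented for the example.
SAMPLE_LOG = [
    "2011-12-25T10:00:01 10.0.0.5 GET www.example.com /index.html 200 0",
    "2011-12-25T10:01:12 10.0.0.5 POST www.sendspace.com /upload 200 4300000",
    "2011-12-25T10:01:15 10.0.0.5 GET 203.0.113.7 /gate.php?id=1234&link=www.sendspace.com/file/abc123&pw=q7Rt 200 0",
    "2011-12-25T10:02:00 10.0.0.9 GET www.sendspace.com /file/abc123 200 0",
    "2011-12-25T10:03:30 10.0.0.9 POST www.mediafire.com /login 302 512",
]

if __name__ == "__main__":
    for a in analyse(SAMPLE_LOG):
        print(f"line {a.line_no}: {a.reason} ({a.host})")
    for host in ("www.sendspace.com", "www.example.com"):
        print(f"{host}: {policy_decision(host)}")
```

On the sample log the script flags line 2 (the 4.3 MB upload to Sendspace) and line 3 (the download link leaving the network towards an unrelated IP address), while the small login POST to MediaFire and the ordinary download from Sendspace stay quiet. The second detection is the one worth keeping even where hosters are blocked outright: it does not depend on the block list, only on the shape of the link that the malware has to hand back to its operators.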

For more information: