Upwards of 20,000 stolen archives have been uploaded to a third party file-sharing site from hosts infected with a new threat called Infostealer.Offsupload. The following heatmap indicates the U.S. is the primary target of infection, however, only a few countries worldwide have managed to avoid the affect of this threat.
Infostealer.Offsupload is being used as part of a blended threat. The initial stage of the attack is an email purporting to come from FedEx with a malicious attachment: “FedEx_Invoice.exe”.
Once executed, this Trojan (detected as Trojan.Gen.2) contacts a command-and-control (C&C) server in order to download and execute further malicious files. At the time of analysis the files downloaded were Trojan.FakeAV and Infostealer.Offsupload.
Infostealer.Offsupload will search the computer for passwords to Firefox, Thunderbird, and Opera. It also searches for Word and Excel files (files with extensions .doc, .docx, .xls, or .xlsx). After these files are collected on the infected host they will be archived into a zip file, password protected, and then uploaded to sendspace.com. The URL to download and retrieve this stolen data along with the password to unlock the zip file is sent to the attacker. A log file was available for download from the command-and-control server whose contents can be seen below.
At the time of analysis 23,248 unique IP addresses (compromised hosts) have been logged, and 21,623 attempted uploads (stolen archives) were present in the exposed log file.
The advantage of using a third-party service such as sendspace.com is likely the improved reliability in terms of service uptime and the speeds in uploading the stolen data. A third-party service would also take care of storage requirements when exfiltrating large amounts of data.
This is a new kid on the block, recently highlighted by a security researcher at Trend Micro, and we will keep a close eye on any developments in the coming days and weeks.