Malware steals victims' document files (MS Word, Excel) from the infected system and uploads them to the file hosting website sendspace.com, Trend Micro researchers warn. Sendspace is a file hosting website that lets users send, receive, track and share large files.
In the past, hackers have used Sendspace for rounding up and uploading stolen data. This is the first time malware has uploaded stolen documents to a file hosting site.
A malicious file, Fedex_Invoice.exe, starts the infection; Trend Micro detects it as TROJ_DOFOIL.GE. The file name suggests that it is being used in a spam campaign, specifically one that uses messages disguised as a FedEx shipment notification.
TROJ_DOFOIL.GE downloads and executes another malicious file, TSPY_SPCESEND.A. This Trojan searches the local drive of an affected system for MS Word and Excel files. The collected documents are then archived in the user's temporary folder and password-protected with a randomly generated password.
After creating the archive, TSPY_SPCESEND.A uploads it to Sendspace.com. Once the upload is done, the malware retrieves the Sendspace download link and sends it to the C&C server, along with the generated password for the archive.
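A defender can hunt for the sequence described above: an archive written to a user's temporary folder, followed shortly by an HTTP upload to Sendspace from the same host. The following is an added example, not code from Trend Micro or the original article; the log layout, host and process names, archive extensions and the 10-minute window are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry. The pipe-delimited layout is an assumption:
# timestamp|host|source|field_a|field_b|field_c
SAMPLE_EVENTS = r"""
2024-01-10T09:00:05|WS-014|file_create|C:\Users\amy\AppData\Local\Temp\a81f.zip|dropped.exe|
2024-01-10T09:01:40|WS-014|proxy|POST|fs07.sendspace.com|4815162
2024-01-10T09:03:00|WS-022|proxy|GET|www.sendspace.com|0
2024-01-10T10:15:00|WS-031|file_create|C:\Users\bob\Documents\report.zip|7z.exe|
2024-01-10T10:16:00|WS-031|proxy|POST|upload.example.org|900000
2024-01-10T11:00:00|WS-040|file_create|C:\Users\cy\AppData\Local\Temp\x.rar|upd.exe|
2024-01-10T13:30:00|WS-040|proxy|POST|www.sendspace.com|200000
"""

# Assumption: the article does not name the archive format.
ARCHIVE_EXT = (".zip", ".rar", ".7z")

def parse(log_text):
    """Yield (time, host, source, a, b, c) tuples from the sample format."""
    for line in log_text.strip().splitlines():
        ts, host, source, a, b, c = line.split("|")
        yield datetime.fromisoformat(ts), host, source, a, b, c

def is_temp_archive(path):
    p = path.lower()
    return "\\temp\\" in p and p.endswith(ARCHIVE_EXT)

def is_sendspace_upload(method, dest):
    # Match the domain and its subdomains only, not look-alike suffixes.
    d = dest.lower().rstrip(".")
    return method == "POST" and (d == "sendspace.com" or d.endswith(".sendspace.com"))

def find_exfil_candidates(log_text, window=timedelta(minutes=10)):
    """Flag hosts that POST to Sendspace soon after writing a temp archive."""
    recent = {}  # host -> (time, path, process) of its latest temp archive
    hits = []
    for ts, host, source, a, b, c in sorted(parse(log_text)):
        if source == "file_create" and is_temp_archive(a):
            recent[host] = (ts, a, b)
        elif source == "proxy" and is_sendspace_upload(a, b) and host in recent:
            created, path, proc = recent[host]
            if ts - created <= window:
                hits.append({"host": host, "archive": path, "process": proc,
                             "dest": b, "bytes_out": int(c)})
    return hits

if __name__ == "__main__":
    for hit in find_exfil_candidates(SAMPLE_EVENTS):
        print(hit)
```

Only WS-014 is flagged in the sample: WS-022 merely browses the site, WS-031 archives outside the temp folder and uploads elsewhere, and WS-040 uploads hours after the archive was written.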