Trojan scoops 20k archives in one week

A Trojan discovered this month has already stolen upwards of 20,000 archives, Symantec is warning.

The Trojan Infostealer.Offsupload has spread across the globe, including Australia, beginning with a booby-trapped fake invoice from FedEx which contains an executable file for Windows machines. The highest concentration of compromised PCs is in the US.

"Once executed, this Trojan (detected as Trojan.Gen.2) contacts a command-and-control (C&C) server in order to download and execute further malicious files. At the time of analysis the files downloaded were Trojan.FakeAV and Infostealer.Offsupload," Symantec security response manager Stephen Doherty.

Infostealer.Uploader, as the name suggests, seeks out passwords to Mozilla Firefox and Thunderbird installs and the Opera browser. It also searches for Word and Excel files, zips them and shoots them to a hosted file service, sendspace.com.

"After these files are collected on the infected host they will be archived into a zip file, password protected, and then uploaded to sendspace.com," Symantec explained.

"The URL to download and retrieve this stolen data along with the password to unlock the zip file is sent to the attacker."

Symantec's analysis of a log file obtained from the command and control server revealed there were 23,248 compromised hosts and 21'623 stolen archives, which would have occurred in a relatively short period of time after its discovery by Trend Micro on February 6.

Criminals were likely using a hosted service for superior reliability, Doherty speculated.

"The advantage of using a third-party service such as sendspace.com is likely the improved reliability in terms of service uptime and the speeds in uploading the stolen data. A third-party service would also take care of storage requirements when exfiltrating large amounts of data."

Follow @CSO_Australia and sign up to the CSO Australia newsletter.

• Tweet