Researchers at Trend Micro have recently discovered a piece of malicious software that automatically uploads its cache of stolen data to the SendSpace file-sharing service, where it can be retrieved later. Malware creators often use file-hosting and file-sharing servers for exactly that purpose. However, this marks the first time malware has been observed doing so automatically, according to Trend Micro Threat Response Engineer Roland Dela Paz.
SendSpace, the site affected, accepts files and generates a link that can be shared between people, allowing the content to be downloaded. This new malware has been specifically configured to send the files, copy the download link and send it to a command-and-control server. The password needed to access the archive is also sent, according to Dela Paz.
SendSpace’s terms of service prohibit the use of the site in that manner. In a response about the malware, SendSpace stated that it was “notified of this several days ago by Trend Micro themselves, and we’re working to find a solution for this.”
Services like SendSpace present a lot of advantages, albeit unintentionally, to cybercriminals, says Rik Ferguson, Director of Security Research and Communication for the European branch of Trend Micro. Ferguson added that even though cybercriminals use networks of proxy computers to mask their communication with a compromised computer, using a storage service adds another layer, and stated, “It breaks in some ways the chain of evidence.”
Another problem is that authorities would be less likely to try to take down a legitimate file-hosting service than a brand new server set up by scammers. Services like SendSpace are also especially useful for what are known as advanced persistent threat (APT) attacks. These allow “cyberspies” to infiltrate an organization for an extended period of time.
There is also a better chance that compromised companies or sites will not consider outbound connections to a file-sharing service suspicious. This makes it exponentially less likely that the connection will be shut down. According to Ferguson, “Basically it’s criminals taking advantage of public infrastructure to appear less suspicious.”
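One way a defender could surface the outbound uploads described above, as an added example that is not from the original article: it totals upload bytes per internal host to a watch-list of file-hosting domains and reports hosts above a threshold. The log format, threshold, IP addresses, hostnames and URL paths are constructed assumptions.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Assumption: watch-list of file-hosting domains; extend it for your environment.
FILE_HOSTS = {"sendspace.com"}
UPLOAD_METHODS = {"POST", "PUT"}

# Constructed proxy log: time, client IP, method, URL, bytes sent by client, user agent.
SAMPLE_LOG = """\
2024-01-15T09:14:02 10.0.0.15 GET https://www.sendspace.com/example-download 420 Mozilla/5.0
2024-01-15T02:31:40 10.0.0.23 POST https://fs01.sendspace.com/example-upload 734003 -
2024-01-15T02:31:55 10.0.0.23 POST https://fs01.sendspace.com/example-upload 812544 -
2024-01-15T10:02:11 10.0.0.15 POST https://www.sendspace.com/example-upload 20480 Mozilla/5.0
2024-01-15T10:05:37 10.0.0.31 POST https://notsendspace.com/example-upload 5000000 Mozilla/5.0
2024-01-15T11:20:00 10.0.0.8 POST https://intranet.example.com/upload 9000000 Mozilla/5.0
malformed line
"""

def is_file_host(hostname):
    """True for a watch-listed domain or any subdomain of it, not for look-alikes."""
    hostname = (hostname or "").lower().rstrip(".")
    return any(hostname == d or hostname.endswith("." + d) for d in FILE_HOSTS)

def parse_line(line):
    """Return a record dict, or None when the line does not fit the assumed format."""
    parts = line.split(None, 5)
    if len(parts) < 6 or not parts[4].isdigit():
        return None
    _ts, client, method, url, sent, _agent = parts
    return {"client": client, "method": method.upper(), "url": url, "sent": int(sent)}

def flag_uploads(log_text, min_bytes=1_000_000):
    """Map each client IP to its total upload bytes to file hosts, if >= min_bytes."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] not in UPLOAD_METHODS:
            continue  # skip malformed lines and plain downloads
        if is_file_host(urlsplit(rec["url"]).hostname):
            totals[rec["client"]] += rec["sent"]
    return {client: sent for client, sent in totals.items() if sent >= min_bytes}

if __name__ == "__main__":
    for client, sent in flag_uploads(SAMPLE_LOG).items():
        print(f"{client} uploaded {sent} bytes to a file-hosting service")
```

Summing per host rather than per request keeps an archive split across several uploads from slipping under the threshold.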
Source: PC World – Malware Automates Storing of Data Haul on File-hosting Site SendSpace