Detecting Data Exfiltration Attempts of TSPY_SPCESEND.A
Recently, a piece of malware was seen in the wild that grabbed Microsoft Word and Excel files present on the infected system and uploaded them to the free file sharing website sendspace.com.
File sharing websites have been involved in malware drive-by attempts before and still are, but this is the first time one has been seen used as a data exfiltration channel. According to TrendMicro's analysis, the infection campaign started with spam emails carrying a malicious attachment. Once executed, this attachment downloaded a new piece of malware onto the system. Analysis revealed that this new malware then searched for all MS Word and Excel documents, zipped them with a randomly generated password and uploaded the archive to sendspace.com. Once the files were uploaded to sendspace, a success notification carrying the victim and password information was submitted to the C&C servers.
TrendMicro detects this new malware as TSPY_SPCESEND.A. Both the data exfiltration and the success notification attempts of this malware can be detected on the network using the Snort signatures below.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Potential Data Exfiltration attempt by trojan tspy_spcesend.A"; flow:established,to_server; content:"POST"; http_method; content:"/processupload.html"; http_uri; content:"sendspace.com"; http_header; content:"100-continue"; http_header; flowbits:set,dataExfil.success; reference:url,blog.trendmicro.com/trojan-abuses-sendspace-a-closer-look/; classtype:trojan-activity; sid:1000020; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Data Exfiltration attempt success notification by trojan tspy_spcesend.A"; flowbits:isset,dataExfil.success; flow:established,to_server; content:"POST"; http_method; content:"/send/log.php"; http_uri; reference:url,blog.trendmicro.com/trojan-abuses-sendspace-a-closer-look/; classtype:trojan-activity; sid:1000021; rev:1;)
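The same two-stage logic as the rules above, written out as an added Python example (not code from the original post or from TrendMicro) over parsed HTTP requests. Snort flowbits are scoped to a single flow, while the success notification here goes to a different server than the upload, so this detector keys its state on the internal source address instead; the sample requests are constructed.

```python
# Added example: mirrors sid 1000020 (stage 1) and sid 1000021 (stage 2).
# State is keyed on the internal source address rather than on a flow, since
# the notification goes to a different server than the sendspace upload.

def parse_request(src, raw):
    """Split a raw HTTP request (request line + headers) into a record."""
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    method, uri, _version = head[0].split(" ", 2)
    headers = {}
    for line in head[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"src": src, "method": method, "uri": uri, "headers": headers}


class ExfilDetector:
    """Stage 1 stages a source host; stage 2 only fires for staged hosts."""

    def __init__(self):
        self.staged = set()   # sources seen uploading to sendspace.com
        self.alerts = []      # (src, message) tuples, in order of detection

    def process(self, req):
        # Equivalent of two http_header content matches: search all headers.
        hdr_text = " ".join(f"{k}: {v}" for k, v in req["headers"].items())
        if (req["method"] == "POST" and "/processupload.html" in req["uri"]
                and "sendspace.com" in hdr_text and "100-continue" in hdr_text):
            self.staged.add(req["src"])
            self.alerts.append((req["src"], "Potential data exfiltration attempt"))
        elif (req["src"] in self.staged and req["method"] == "POST"
                and "/send/log.php" in req["uri"]):
            self.alerts.append((req["src"], "Exfiltration success notification"))
        return self.alerts


# Constructed sample traffic: one infected host and one host that only posts
# to /send/log.php without a preceding upload (must not alert).
SAMPLE = [
    ("10.0.0.5", "POST /processupload.html HTTP/1.1\r\nHost: www.sendspace.com\r\n"
                 "Expect: 100-continue\r\nContent-Type: multipart/form-data\r\n\r\n"),
    ("10.0.0.5", "POST /send/log.php HTTP/1.1\r\nHost: ocean2372721.ru\r\n\r\n"),
    ("10.0.0.9", "POST /send/log.php HTTP/1.1\r\nHost: ocean2372721.ru\r\n\r\n"),
]


def run(sample=SAMPLE):
    """Feed the sample through the detector and return the alerts raised."""
    det = ExfilDetector()
    for src, raw in sample:
        det.process(parse_request(src, raw))
    return det.alerts
```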
The C&C servers are listed below:
- ocean2372721.ru
- chart337584.ru
- united28889.ru
- www.south78483825.ru
Stay Safe!
