"shipment notification from Fedex" spam mail leads to doc-stealing Trojan

A few days ago, TrendMicro spotted a Trojan that steals your documents and uploads them to sendspace.com. As part of the analysis, researchers worked out how the malware writers infect their victims.

Image Credits: TrendMicro

In order to infect users, cybercrooks send an email disguised as a shipment notification from FedEx.
Spam mail intercepted by TrendMicro:
Subject: Your Package is available for pickup.No#8248
Attachments: FedEx_Invoice.zip(40KB)

FedEx notification,

Your package has been returned to the FedEx office.
The reason of the return is - Incorrect delivery address of the package.
Please print out the invoice copy attahced and collect the package at our office.

FedEx Express Services.

If the recipient downloads and opens the attachment FedEx_Invoice.zip, it installs a downloader Trojan called TSPY_SPCESEND.A. This downloader also installs other malicious executables on affected systems, including FAKEAV variants from the BestAV affiliate network and FakeHDD variants from the Yamba network. These were observed being downloaded from compromised, legitimate websites.
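The lure above is a generic pattern: a courier-themed subject line, urgency in the body, and a zip attachment posing as an invoice. The following added example (not TrendMicro's or this blog's code) shows how a mail gateway or analyst script can triage such a message without running anything in it: it parses an .eml, checks whether the courier brand in the text matches the sender domain, looks for the lure vocabulary, and inspects zip members for executable or double extensions. The sample message, the sender address and the archive contents (an executable named like a document) are constructed for the demonstration; the page does not say what the real FedEx_Invoice.zip contained.

```python
"""Offline triage of a shipment-notification lure (added example).

The message and the archive contents built here are constructed samples;
nothing is executed or written to disk.
"""
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Member extensions that should never appear inside an "invoice" archive.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
# Lure vocabulary taken from the intercepted subject and body quoted above.
LURE_TERMS = ("package", "pickup", "invoice", "returned", "delivery address")
# Brand -> legitimate sender domain; a brand mention from another domain is a spoof signal.
BRAND_DOMAINS = {"fedex": "fedex.com"}


def build_sample_eml() -> bytes:
    """Construct a message shaped like the intercepted spam (constructed sample)."""
    msg = EmailMessage()
    msg["From"] = "FedEx Express Services <notify@example.invalid>"  # placeholder sender
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Your Package is available for pickup.No#8248"
    msg.set_content(
        "FedEx notification,\n\n"
        "Your package has been returned to the FedEx office.\n"
        "The reason of the return is - Incorrect delivery address of the package.\n"
        "Please print out the invoice copy attahced and collect the package at our office.\n"
    )
    # Hypothetical archive content: an executable masquerading as a document.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("FedEx_Invoice.doc.exe", b"MZ" + b"\x00" * 64)
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="FedEx_Invoice.zip")
    return msg.as_bytes()


def triage_eml(raw: bytes) -> dict:
    """Return risk indicators for one message; archives are only listed, never extracted."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = {"lure_terms": [], "spoofed_brand": False,
                "zip_attachments": [], "risky_members": [], "score": 0}

    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part else ""
    text = f"{msg['Subject'] or ''} {body}".lower()
    findings["lure_terms"] = [t for t in LURE_TERMS if t in text]

    # Brand named in the display name or body but sent from an unrelated domain.
    sender_domain = parseaddr(msg["From"] or "")[1].rpartition("@")[2].lower()
    for brand, domain in BRAND_DOMAINS.items():
        if brand in text or brand in (msg["From"] or "").lower():
            if sender_domain != domain and not sender_domain.endswith("." + domain):
                findings["spoofed_brand"] = True

    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if not name.lower().endswith(".zip"):
            continue
        findings["zip_attachments"].append(name)
        data = part.get_payload(decode=True)
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    lower = info.filename.lower()
                    ext = lower[lower.rfind("."):] if "." in lower else ""
                    double_ext = len(re.findall(r"\.[a-z0-9]{2,4}", lower)) >= 2
                    if ext in EXECUTABLE_EXTS or double_ext:
                        findings["risky_members"].append(info.filename)
        except zipfile.BadZipFile:
            findings["risky_members"].append(f"{name}: not a valid zip")

    # Weighting is arbitrary: executables inside the archive dominate the score.
    findings["score"] = (len(findings["lure_terms"])
                         + 2 * findings["spoofed_brand"]
                         + 3 * len(findings["risky_members"]))
    return findings


if __name__ == "__main__":
    print(triage_eml(build_sample_eml()))
```

The zip is opened from memory and only its directory is read, so a malformed or oversized archive cannot do more than raise BadZipFile, which the script records as its own indicator. In a real gateway the same function would run over every inbound message and the score thresholds would feed quarantine rather than a print.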

Furthermore, this downloader Trojan shares its C&C with TSPY_SPCESEND.A. This strongly suggests that the document-stealing sendspace Trojan is pushed by cybercriminals who are also involved in the Pay-Per-Sell (PPS) underground business.

After analyzing the malware, researchers found 18,644 unique victims (based on a victim ID assigned by the malware), 21,929 unique IP addresses (spanning over 150 countries) and 19,695 unique sendspace URLs generated. Most victims are in the US, UK, India, Canada and Australia.

Researchers have contacted sendspace upon discovering the attack. Sendspace discovered and removed more than 75,000 uploaded malicious archives from their server. Based on the upload logs, the first archive was uploaded on December 25, 2011, which may indicate the start of the malicious campaign.

Sendspace is currently monitoring their servers through an automated job that blocks archives uploaded by the sendspace Trojan every few minutes.
