I have recently found an interesting post of Niranjan Jayanand, a researcher of McAfee and members of Facebook team and customer escalation team. The experts announced that his team has recently detected a Trojan that is able to steal every king of image files form a Windows PC, including a memory dump of the victim machine (.dmp files), and upload them to an FTP server.
The activities observed are much suspected, they portend that there is an ongoing attack for cyber espionage or a massive information theft operation by cyber crime . This could be just a first stages of the attacks in which information are collected for further and complex initiatives.
The stolen image files could be used for blackmailing the victims and demanding a ransom, it's nor first time, let's reminds what happened some months ago when nude pictures of celebrities were stolen.
This is not the unique use that I could suppose, images could be also used for other purposes, they could be related to reserved project or to document scans, their exposure could cause serious risks.
Let's think also to the possibility to use the images to create fake accounts to infiltrate social networks and gather information on specific targets rather than realize more sophisticated fraud schema Similar social engineering attacks have also hit high officials of government agencies in the past.
There is also another disturbing particular … why the attackers are collecting also .dmp files?
It is very likely that the attackers are interested to discover vulnerabilities in infected machines; the memory dump could contain useful information on programs in execution of the victim pc, data that could be used to adopt specific exploits in the attacks.
"They are often created when a program has an error in coding and crashes.
Gathering .dmp files could by a typo by the malware authors, who might have sought .bmp image files instead."
The file stolen are sent by the Trojan via FTP to the server with IP address 176.x.xxx.90 using following FTP credentials
• Username="wasitnew"
• password="qiw2e3r4t5y6."
The FTP doesn't respond since November 5th, maybe the authors are working to improve it or simply are rearranging the offensive. The post is closed with a mention to previous more sophisticated malware and the way the authors controlled them, for example hiding, using steganography methods, the command strings inside images sent to the agents.
"Since 2008 we have seen image files carrying embedded image files within. Malware authors sometimes hide their commands behind an image file using steganography."
Waiting for further interesting revelations … let's keep updated our defense systems.
