New variants of file infectors of the PE_EXPIRO family have been spotted in the wild. The most interesting thing about these file infectors is that they don’t contain only file infection routines, but information theft routines as well.
According to Trend Micro, the attacks in which EXPIRO malware has been spotted start with users being lured to websites that host an exploit kit.
The exploit kit leverages Java and PDF vulnerabilities to push the main file infector (PE_EXPIRO.JX-O).
Once the infector is installed on a computer, it infects the .exe files found in all the available drives.
Then, it starts stealing system and user information, including the Windows product ID, user login credentials, and FTP credentials stored by the open-source FTP client FileZilla. The stolen information is uploaded to command and control servers.
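As an added illustration of how a defender can triage executables for this kind of infection, the script below checks a PE image for two generic indicators of appended-code file infectors: an entry point that has been redirected into the last section, and a last section that is both writable and executable. This is not code from the Trend Micro report or from any EXPIRO sample; the page does not describe EXPIRO's actual infection layout, so the heuristics, indicator names and the two constructed sample headers (`CLEAN_SAMPLE`, `SUSPECT_SAMPLE`) are assumptions chosen to show the technique.

```python
import struct

# Section characteristic flags from the PE/COFF specification.
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_pe(data):
    """Return (entry_rva, sections) for a PE image held in memory.

    Each section is a dict with name, va, size and characteristics.
    Only the fields needed for the heuristics below are decoded.
    """
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    # AddressOfEntryPoint sits at offset 16 of both PE32 and PE32+ optional headers.
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    table = opt + opt_size
    sections = []
    for i in range(num_sections):
        off = table + i * 40
        name, vsize, va, raw_size = struct.unpack_from("<8sIII", data, off)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "va": va,
            "size": max(vsize, raw_size),
            "characteristics": chars,
        })
    return entry_rva, sections


def infector_indicators(data):
    """Heuristic checks for appended-code file infectors.

    Returns a list of indicator names; an empty list means nothing suspicious.
    """
    entry_rva, sections = parse_pe(data)
    if not sections:
        return ["no_sections"]
    findings = []
    last = sections[-1]
    owner = next((s for s in sections
                  if s["va"] <= entry_rva < s["va"] + s["size"]), None)
    if owner is None:
        findings.append("entry_outside_sections")
    elif owner is last and len(sections) > 1:
        # Linkers place the entry point in .text, normally the first section;
        # an entry point in the last section suggests code appended after linking.
        findings.append("entry_in_last_section")
    if (last["characteristics"] & IMAGE_SCN_MEM_WRITE
            and last["characteristics"] & IMAGE_SCN_MEM_EXECUTE):
        findings.append("last_section_rwx")
    return findings


def build_sample_pe(entry_rva, sections):
    """Construct a minimal PE32 header set for testing (no real code inside).

    sections: list of (name, va, size, characteristics) tuples.
    """
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)              # e_lfanew
    opt_size = 224                                        # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                 # Magic: PE32
    struct.pack_into("<I", opt, 16, entry_rva)            # AddressOfEntryPoint
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name, size, va, size, 0, 0, 0, 0, 0, chars)
        for name, va, size, chars in sections
    )
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


# Constructed samples (assumed layouts, not real binaries): a normally linked
# image, and one with an RWX section appended and the entry point moved into it.
CLEAN_SAMPLE = build_sample_pe(0x1100, [
    (b".text", 0x1000, 0x1000, 0x60000020),   # code, execute, read
    (b".data", 0x2000, 0x1000, 0xC0000040),   # initialized data, read, write
])
SUSPECT_SAMPLE = build_sample_pe(0x3010, [
    (b".text", 0x1000, 0x1000, 0x60000020),
    (b".data", 0x2000, 0x1000, 0xC0000040),
    (b".vir", 0x3000, 0x0800, 0xE0000020),    # code, read, write, execute
])

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN_SAMPLE), ("suspect", SUSPECT_SAMPLE)):
        print(label, infector_indicators(sample) or "no indicators")
```

Both indicators are heuristics, not proof of infection: packers and software protectors legitimately move the entry point into an appended section, so hits should feed a triage queue or a second check (known-good hashes, signature verification) rather than an automatic quarantine.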
Interestingly, 70% of the infections have been detected in the United States. Experts believe that the cybercriminals might be trying to steal information from organizations.
The FTP credentials can also be used to compromise websites.
“The combination of threats used is highly unusual and suggests that this attack was not an off-the-shelf attack that used readily available cybercrime tools,” experts noted.