PixSteal-A Trojan Steals Images, Uploads to Iraqi FTP Server

A new Trojan has been identified that has the capability of stealing images from infected computers, setting the stage for anything from identity theft to blackmail.

A new Trojan has been identified that has the capability of stealing images from infected computers, setting the stage for anything from identity theft to blackmail.

PixSteal-A also pilfers .dmp, or Windows memory dump files that contain data on system crashes and sends all stolen data to a remote FTP server in Iraq, according to Sophos.

This isn’t the first malware to target non text-based files. ACAD/Medre.A surfaced in June and it was designed to steal blueprints and engineering documents designed on AutoCAD software.

“We suspect this malware is in its first stage of development for information theft, and we expect it to return as a more sophisticated attack,” wrote McAfee researcher Niranjan Jayanand.

In the meantime, the attackers could be harvesting a trove of image files that include anything from compromising photographs, to scanned sensitive documents containing personal information.

Users become infected via drive-by downloads from compromised or attacker-owned sites. It scans local and remote files for .jpg, .jpeg, and .dmp files. Sophos found a Google Talk memory dump file stored on the FTP server that could likely contain instant messaging conversations. Dmp files can also provide hints about system vulnerabilities.

“If I had to make a guess, I would think the above evidence suggests it is being used for espionage,” said Sophos’ Chester Wisniewski. “But we can’t be sure.”

Once the malware connects to the FTP server, it sends the first 20,000 files it finds to the server, Trend Micro said.

“Though it appears tedious, the potential gain for cybercriminals should they be successful in stealing information is high,” said Trend Micro researcher Raymart Paraiso. “Information theft routines have been mostly limited to information that are in text form, thus this malware poses a whole new different risk for users.”

Experts recommend a number of precautions, including blocking FTP transfers via corporate firewalls. This particular FTP server went dark on Monday, McAfee said.

“This malware can evolve with more sophisticated code and cause more harm,” McAfee’s Jayanand said. “Since 2008, we have seen image files carrying embedded image files within. Malware authors sometimes hide their commands behind an image file using steganography.”


  • Anonymous on

    This malware is not very complicated at all. I don't see why they are making it sound so sophisticated. Connecting unencrypted to an FTP server is not very advanced if you ask me.

  • Anonymous on

    Well the delivery method of the stolen files does not appear very sophisticated, perhaps they were referring to other aspects of it.

  • Anonymous on

    The sample is not doing anything sophisticated till date as u are seeing images loaded into FTP DEFEATING WINDOWS security systems/FW etc...once after getting images, hacker can do anything. You can simply understand this to be first stage, because as u said the FTP address etc were nt encrypted. WHY would attacker do so..HE may have planned to do something more after collecting image files. or ,dmp( for info on vulnerable systems). If this malware group would team up with another malware group, then definitely the consequence could be more,like dropping a ransomware, which produces porn pic of your own image collected and locking your screen ;-)

  • Anonymous on

    Is it possible that the trojan is now send to people by email? I received an email from a unknown person with an text-image containing my name...

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.