New variants of the PE_EXPIRO family are out; while they still contain file infectors, they also carry information-stealing components.
Researchers at Trend Micro said the attacks involving EXPIRO malware start with users being lured into visiting websites that host an exploit kit.
The exploit kit leverages Java and PDF vulnerabilities to push the main file infector (PE_EXPIRO.JX-O).
Once the infector installs on a computer, it infects the .exe files found in all the available drives.
It then starts stealing system and user information, including the Windows product ID, user login credentials, and FTP credentials for the open-source client FileZilla. The stolen information is then uploaded to command-and-control servers.
So far, 70 percent of the infections have been in the United States. Researchers at Trend Micro said the cybercriminals might be trying to steal information from organizations.
The stolen FTP credentials could also be used to compromise websites.
“The combination of threats used is highly unusual and suggests that this attack was not an off-the-shelf attack that used readily available cybercrime tools,” researchers said.