U.S. enterprises in path of data-hijacking Sazoora campaign, firm finds

Researchers have detected a new variant of Sazoora malware, a data-hijacking trojan that is currently targeting U.S. users as part of an international campaign.

On Tuesday, Aviv Raff, CTO of Seculert, an Israel-based advanced threat detection firm, revealed on the company's blog that more than 1,800 machines in the U.S. have recently been infected with the latest version of Sazoora.

Between late September and this past Sunday, the malware struck around 23,000 machines in total throughout several countries, with the majority of cases concentrated in Austria, Switzerland, Belgium and the U.S., Raff wrote.

Back in May, security firm ESET blogged about an older version of Sazoora that was delivered to users in Slovakia via a tax return spam hoax. At the time, Sazoora.A was described as an “ordinary credentials-stealing trojan” that used HTML injects to collect data from users' Internet Explorer, Firefox and Chrome browsers.

Now, Raff has noted a number of tricks the malware has picked up to skirt detection and become more pervasive in its data-hijacking tactics.

In a Tuesday follow-up interview with SCMagazine.com, Raff explained that Sazoora.B lies dormant on victims' machines for 15 minutes before communicating with its command-and-control server. And before the Sazoora variant sends stolen data to its control hub, the control server must authenticate itself, Raff said.

“They've made some changes which made it less detectable by traditional security solutions [as well as] harder to hijack the botnet,” Raff said. “Before the command-and-control server starts [receiving] data, it's verified by some sort of digital signature.”

The new malware variant also uses form-grabbing capabilities, so that the content of any online form – whether email or otherwise – can be purloined by hackers, Raff added.

“We see it targeting mostly enterprises, so it tends to attack [with the goal] of extracting data from those specific enterprises,” he said.

Seculert has yet to identify the campaign's attack vector, but since Sazoora.A used phishing emails to target users, the new variant is likely using the same tactics, Raff said.

He suggested that enterprises implement cloud-based sandbox technologies capable of detecting the advanced threat.