U.S. enterprises in path of data-hijacking Sazoora campaign, firm finds

Researchers have detected a new variant of Sazoora malware, a data-hijacking trojan that is currently targeting U.S. users as part of an international campaign.

On Tuesday, Aviv Raff, CTO of Seculert, an Israel-based advanced threat detection firm, revealed on the company's blog that more than 1,800 machines in the U.S. have recently been infected with the latest version of Sazoora.

Between late September and this past Sunday, the malware struck around 23,000 machines in total throughout several countries, with the majority of cases concentrated in Austria, Switzerland, Belgium and the U.S., Raff wrote.

Back in May, security firm ESET blogged about an older version of Sazoora that was delivered to users in Slovakia via a tax return spam hoax. At the time, Sazoora.A was described as an “ordinary credentials-stealing trojan” that used HTML injects to collect data from users' Internet Explorer, Firefox and Chrome browsers.

Now, Raff has noted a number of tricks the malware has picked up to skirt detection and become more pervasive in its data-hijacking tactics.

In a Tuesday follow-up interview with SCMagazine.com, Raff explained that Sazoora.B lies dormant on victims' machines for 15 minutes before communicating with its command-and-control server. And before the Sazoora variant sends stolen data to its control hub, the control server must authenticate itself, Raff said.

“They've made some changes which made it less detectable by traditional security solutions [as well as] harder to hijack the botnet,” Raff said. “Before the command-and-control server starts [receiving] data, it's verified by some sort of digital signature.”
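The 15-minute dormancy Raff describes is a classic way to outlast an automated sandbox's observation window, and a defender can hunt for it in endpoint telemetry by looking for processes whose first outbound connection arrives only after a long quiet period. The script below is an added illustration, not Seculert's code and not anything from the article; the event format, the host names, the destination addresses and the 10-to-30-minute window are all constructed assumptions for the example.

```python
"""Hunt for processes whose first outbound connection follows a long quiet period.

Added example (not from the article). Input is a constructed list of endpoint
events: (ISO timestamp, host, event_type, process_name, detail).
"""
from datetime import datetime, timedelta

# Constructed sample telemetry: one process that stays quiet for roughly 15
# minutes before beaconing, one that connects immediately, one that never does.
SAMPLE_EVENTS = [
    ("2013-10-07T09:00:00", "ws-01", "process_start", "invoice.exe", ""),
    ("2013-10-07T09:15:12", "ws-01", "net_connect", "invoice.exe", "198.51.100.7:443"),
    ("2013-10-07T09:01:00", "ws-02", "process_start", "outlook.exe", ""),
    ("2013-10-07T09:01:03", "ws-02", "net_connect", "outlook.exe", "203.0.113.10:443"),
    ("2013-10-07T10:00:00", "ws-03", "process_start", "update.exe", ""),
]


def parse_ts(ts: str) -> datetime:
    """Parse the ISO-8601 timestamps used in the constructed events."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def find_delayed_beacons(events,
                         min_delay=timedelta(minutes=10),
                         max_delay=timedelta(minutes=30)):
    """Return (host, process, delay_seconds, destination) for every process whose
    FIRST outbound connection happened between min_delay and max_delay after the
    process started. The window brackets the 15-minute sleep reported for Sazoora.B;
    the exact bounds are an assumption for this example.
    """
    starts = {}       # (host, process) -> first process_start time
    first_conn = {}   # (host, process) -> (time of first net_connect, destination)

    # ISO timestamps sort correctly as strings, so a plain sort gives time order.
    for ts, host, etype, proc, detail in sorted(events, key=lambda e: e[0]):
        key = (host, proc)
        t = parse_ts(ts)
        if etype == "process_start":
            starts.setdefault(key, t)
        elif etype == "net_connect" and key not in first_conn:
            first_conn[key] = (t, detail)

    findings = []
    for key, (t, dest) in first_conn.items():
        if key not in starts:
            continue  # connection without a recorded start; nothing to measure
        delay = t - starts[key]
        if min_delay <= delay <= max_delay:
            findings.append((key[0], key[1], int(delay.total_seconds()), dest))
    return findings


if __name__ == "__main__":
    for host, proc, secs, dest in find_delayed_beacons(SAMPLE_EVENTS):
        print(f"{host}: {proc} first connected to {dest} after {secs}s of silence")
```

A delayed first beacon is a hunting pivot rather than an alert on its own, since legitimate update checkers also sleep before calling out; the same reasoning applies to the sandbox technologies recommended later in the article, whose observation window has to exceed the malware's sleep for the behaviour to be seen at all.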

The new malware variant also uses form-grabbing capabilities, so that the content of any online form – whether email or otherwise – can be purloined by hackers, Raff added.

“We see it targeting mostly enterprises, so it tends to attack [with the goal] of extracting data from those specific enterprises,” he said.

Seculert has yet to identify the campaign's attack vector, but since Sazoora.A used phishing emails to target users, the new variant is likely using the same tactics, Raff said.

He suggested that enterprises implement cloud-based sandbox technologies capable of detecting the advanced threat.