Threat Intelligence, Incident Response, Malware, TDR

U.S. enterprises in path of data-hijacking Sazoora campaign, firm finds

Researchers have detected a new variant of Sazoora malware, a data-hijacking trojan that is currently targeting U.S. users as part of an international campaign.

On Tuesday, Aviv Raff, CTO of Seculert, an Israel-based advanced threat detection firm, revealed on the company's blog that more than 1,800 machines in the U.S. have recently been infected with the latest version of Sazoora.

Between late September and this past Sunday, the malware struck around 23,000 machines in total throughout several countries, with the majority of cases concentrated in Austria, Switzerland, Belgium and the U.S., Raff wrote.

Back in May, security firm ESET blogged about an older version of Sazoora that was delivered to users in Slovakia via a tax return spam hoax. At the time, Sazoora.A was described as an “ordinary credentials-stealing trojan” that used HTML injects to collect data from users' Internet Explorer, Firefox and Chrome browsers.

Now, Raff has noted a number of tricks the malware has picked up to skirt detection and become more pervasive in its data-hijacking tactics.

In a Tuesday follow up interview with, Raff explained that Sazoora.B lies dormant on victims' machines for 15 minutes before communicating with its command-and-control server. And before the Sazoora variant sends stolen data to its control hub, the control server must authenticate itself, Raff said.

“They've made some changes which made it less detectable by traditional security solutions [as well as] harder to hijack the botnet,” Raff said. “Before the command-and-control server starts [receiving] data, it's verified by some sort of digital signature.”

The new malware variant also uses form-grabbing capabilities, so that the content of any online form – whether email or otherwise – can be purloined by hackers, Raff added.

“We see it targeting mostly enterprises, so it tends to attack [with the goal] of extracting data from those specific enterprises,” he said.

Seculert has yet to identify the campaign's attack vector, but since Sazoora.A used phishing emails to target users, the new variant is likely using the same tactics, Raff said.

He suggested that enterprises implement cloud-based sandbox technologies capable of detecting the advanced threat.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.