Zeus variant hit Software-as-a-service applications

Pierluigi Paganini February 21, 2014

Discovered a Zeus variant that implements a web-crawling feature to hit Software-as-a-service applications to obtain access to proprietary data or code

This is the second news on Zeus malware in less than a week, previous one was related to a new variant using steganography to hide configuration file, this last discovery is related to a version even more sophisticated that implements a web-crawling feature.

We have been accustomed to associate the name of the feared Zeus banking trojan to the capability to target customers of financial institutions, nut this version appears  different because it has been designed to hit Software-as-a-service (SaaS) applications to obtain access to proprietary data or code. Software-as-a-service is a software delivery model in which software and associated data are centrally hosted on a cloud architecture. SaaS has become a common delivery model for many business applications including Office & Messaging software, DBMS software, Development software, Virtualization and many others.

The SaaS Security firm vendor Adallom, detected a malware-based campaign against Salesforce.com users, the Zeus variant used implements the web crawling capabilities to grab sensitive business data from the CRM. The attacks originated from Salesforce employee’s home computer, this variant of Zeus trojan crawled the site and created a real-time copy of the user’s Salesforce.com instance that included all the company account data.

“We’ve been internally referring to this type of attack as “landmining”, since the attackers laid “landmines” on unmanaged devices used by employees to access company resources. The attackers, now bypassing traditional security measures, wait for the user to connect to *.my.salesforce.com in order to exfiltrate company data from the user’s Salesforce instance.” reported the official post issued mt Adallom.

Experts at Adallom discovered the campaign because noted approximately 2GB of data been downloaded to the victim’s computer in a few minutes, the malware authors exploited Zeus Web inject capabilities  for the purpose of data harvesting and exfiltration.  
This is not an exploit of a Salesforce.com vulnerability; this Zeus attack takes advantage of the trust relationship that is legitimately established between the end-user and Salesforce.com once the user has authenticated.” Furthermore, while Zeus usually hijacks the user session and performs wire transactions, this variant crawled the site and created a real time copy of the user’s Salesforce.com instance. A copy of the temporary folder created (shown below) contained all the information from the company account. 

Zeus web crawler


The researchers noted another interesting detail, some of the Zeus parameters were hard-coded, and this and this suggests that discovered variant was used as a specially crafted tool in a larger attack. The alarming consideration is related to the possibility to replicate the attack scheme against any company using any SaaS application. 

The investigation is still on going, security  expert at Adallom Labs are working to identify responsible for the attacks and the infection vector the exploited to compromise end-user machines.

Pierluigi Paganini

(Security Affairs –  Zeus trojan, Software-as-a-service applications)

you might also like

leave a comment