This is the second news on Zeus malware in less than a week, previous one was related to a new variant using steganography to hide configuration file, this last discovery is related to a version even more sophisticated that implements a web-crawling feature.
We have been accustomed to associate the name of the feared Zeus banking trojan to the capability to target customers of financial institutions, nut this version appears different because it has been designed to hit Software-as-a-service (SaaS) applications to obtain access to proprietary data or code. Software-as-a-service is a software delivery model in which software and associated data are centrally hosted on a cloud architecture. SaaS has become a common delivery model for many business applications including Office & Messaging software, DBMS software, Development software, Virtualization and many others.
“We’ve been internally referring to this type of attack as “landmining”, since the attackers laid “landmines” on unmanaged devices used by employees to access company resources. The attackers, now bypassing traditional security measures, wait for the user to connect to *.my.salesforce.com in order to exfiltrate company data from the user’s Salesforce instance.” reported the official post issued mt Adallom.
“This is not an exploit of a Salesforce.com vulnerability; this Zeus attack takes advantage of the trust relationship that is legitimately established between the end-user and Salesforce.com once the user has authenticated.” Furthermore, while Zeus usually hijacks the user session and performs wire transactions, this variant crawled the site and created a real time copy of the user’s Salesforce.com instance. A copy of the temporary folder created (shown below) contained all the information from the company account.
The researchers noted another interesting detail, some of the Zeus parameters were hard-coded, and this and this suggests that discovered variant was used as a specially crafted tool in a larger attack. The alarming consideration is related to the possibility to replicate the attack scheme against any company using any SaaS application.
The investigation is still on going, security expert at Adallom Labs are working to identify responsible for the attacks and the infection vector the exploited to compromise end-user machines.
(Security Affairs – Zeus trojan, Software-as-a-service applications)