
Zeus variant hits Software-as-a-service applications

A Zeus variant has been discovered that implements a web-crawling feature to hit Software-as-a-service applications and obtain access to proprietary data or code.

This is the second piece of news on the Zeus malware in less than a week. The previous one concerned a new variant that uses steganography to hide its configuration file; this latest discovery concerns an even more sophisticated version that implements a web-crawling feature.

We have become accustomed to associating the name of the feared Zeus banking trojan with the targeting of customers of financial institutions, but this version appears different because it has been designed to hit Software-as-a-service (SaaS) applications to obtain access to proprietary data or code. Software-as-a-service is a software delivery model in which software and associated data are centrally hosted on a cloud architecture. SaaS has become a common delivery model for many business applications, including Office & Messaging software, DBMS software, Development software, Virtualization and many others.

The SaaS security vendor Adallom detected a malware-based campaign against Salesforce.com users; the Zeus variant used implements web-crawling capabilities to grab sensitive business data from the CRM. The attacks originated from a Salesforce employee’s home computer: this variant of the Zeus trojan crawled the site and created a real-time copy of the user’s Salesforce.com instance that included all the company account data.

“We’ve been internally referring to this type of attack as “landmining”, since the attackers laid “landmines” on unmanaged devices used by employees to access company resources. The attackers, now bypassing traditional security measures, wait for the user to connect to *.my.salesforce.com in order to exfiltrate company data from the user’s Salesforce instance.” reported the official post issued by Adallom.

Experts at Adallom discovered the campaign because they noted approximately 2GB of data being downloaded to the victim’s computer in a few minutes; the malware authors exploited Zeus web inject capabilities for the purpose of data harvesting and exfiltration.
“This is not an exploit of a Salesforce.com vulnerability; this Zeus attack takes advantage of the trust relationship that is legitimately established between the end-user and Salesforce.com once the user has authenticated.” Furthermore, while Zeus usually hijacks the user session and performs wire transactions, this variant crawled the site and created a real time copy of the user’s Salesforce.com instance. A copy of the temporary folder created (shown below) contained all the information from the company account.

 

The researchers noted another interesting detail: some of the Zeus parameters were hard-coded, which suggests that the discovered variant was used as a specially crafted tool in a larger attack. The alarming consideration is that the attack scheme could be replicated against any company using any SaaS application.
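The signal that exposed this campaign, roughly 2GB pulled from a Salesforce.com instance within a few minutes, can be checked for in web proxy or CASB logs. The following Python example is added here and is not Adallom's code; the log format, the 5-minute window, the 1 GiB threshold and every sample record are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)       # assumption: stands in for "a few minutes"
THRESHOLD = 1024**3                 # assumption: alert at 1 GiB per window
SAAS_SUFFIX = ".my.salesforce.com"  # host pattern quoted in the article

def _rows(user, host, size, count, step_s, start):
    """Build constructed log lines: ISO timestamp, user, host, response bytes."""
    return [f"{(start + timedelta(seconds=step_s * i)).isoformat()} {user} {host} {size}"
            for i in range(count)]

_T0 = datetime(2024, 1, 1, 9, 0, 0)  # constructed date, not from the article
SAMPLE_LOG = "\n".join(
    _rows("bob", "acme.my.salesforce.com", 200_000_000, 10, 20, _T0)     # ~2 GB in ~3 min
    + _rows("alice", "acme.my.salesforce.com", 48_213, 3, 900, _T0)      # normal browsing
    + _rows("carol", "cdn.example.com", 1_500_000_000, 1, 0, _T0)        # large, other host
    + _rows("dave", "acme.my.salesforce.com", 600_000_000, 2, 600, _T0)  # large, 10 min apart
)

def parse(line):
    ts, user, host, size = line.split()
    return datetime.fromisoformat(ts), user, host.lower(), int(size)

def bulk_download_alerts(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return one (user, oldest_ts_in_window, bytes_in_window) alert per user
    whose SaaS response bytes inside a sliding window reach the threshold."""
    recent = defaultdict(deque)  # user -> (ts, size) pairs still inside the window
    totals = defaultdict(int)    # user -> sum of sizes in recent[user]
    alerts = {}
    for ts, user, host, size in sorted(parse(l) for l in log_text.splitlines() if l.strip()):
        if not host.endswith(SAAS_SUFFIX):
            continue             # only traffic to the monitored SaaS tenant hosts
        q = recent[user]
        q.append((ts, size))
        totals[user] += size
        while ts - q[0][0] > window:  # evict responses older than the window
            totals[user] -= q.popleft()[1]
        if totals[user] >= threshold and user not in alerts:
            alerts[user] = (user, q[0][0], totals[user])
    return list(alerts.values())

if __name__ == "__main__":
    for user, since, total in bulk_download_alerts(SAMPLE_LOG):
        print(f"ALERT {user}: {total / 1e9:.1f} GB from *{SAAS_SUFFIX} since {since}")
```

Because the session is legitimately authenticated, volume and rate per user are among the few signals visible on the service side; the same check applies to any SaaS host suffix.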

The investigation is still ongoing; security experts at Adallom Labs are working to identify those responsible for the attacks and the infection vector they exploited to compromise end-user machines.

Pierluigi Paganini

(Security Affairs –  Zeus trojan, Software-as-a-service applications)
