Trojan Targets U.S. Users

Thursday, October 24, 2013 @ 05:10 PM gHale

There is a data-hijacking Trojan targeting U.S. users as part of an international campaign.

More than 1,800 machines in the U.S. were just infected with the latest version of Sazoora, Aviv Raff, CTO of Seculert, an Israel-based advanced threat detection firm, said on the company’s blog.

Between late September and last Sunday, the malware struck around 23,000 machines throughout several countries, with the majority of cases concentrated in Austria, Switzerland, Belgium and the U.S., Raff said.

Last May, security firm ESET found an older version of Sazoora that went out to users in Slovakia via a tax return spam scam. At the time, Sazoora.A was an “ordinary credentials-stealing Trojan” that used HTML injects to collect data from users’ Internet Explorer, Firefox and Chrome browsers.

Now, Raff has noted upgrades the malware has picked up to avoid detection and become more pervasive in its data-hijacking tactics.

Raff said Sazoora.B lies dormant on victims’ machines for 15 minutes before communicating with its command-and-control server. And before the Sazoora variant sends stolen data to its control hub, the control server must authenticate itself, Raff said.

He said the developers made changes that make it less detectable by traditional security solutions. The new malware variant also uses form-grabbing capabilities, capturing the content of any online form so hackers can easily steal the data.

Seculert has yet to identify the campaign’s attack vector, but since Sazoora.A used phishing emails to target users, the new variant is likely using the same tactics, Raff said.
