Security researchers have spotted a new variant of the Sazoora data-theft Trojan employing nifty tricks to avoid security sandboxes.
According to Seculert CTO Aviv Raff, the malware has been fitted with packing and technical changes aimed at defeating on-premises sandboxes.
“Instead of immediately launching like [the first version of the Trojan], Sazoora.B waits for 15 minutes before becoming active. This dormant phase makes it undetectable,” Raff warned in a blog post.
Another significant difference between the two variants is that Sazoora.B sends a message to its command-and-control (C&C) server before it begins sending stolen data. Raff said the malware requires the C&C to authenticate itself with a cryptographic signature. “This verifies that the C&C is owned by the attackers, preventing other cybercriminals from hijacking their botnet,” he explained.
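The exchange described above, as an added illustration that is not Seculert's analysis and not Sazoora's actual wire protocol: the bot sends a challenge, the C&C answers with a signature, and the bot uploads only if the signature verifies under a public key baked into the binary. The key type (Ed25519), the random-nonce challenge, the purpose label in the signed message and all names are assumptions chosen to show why a third party who merely takes over the C&C domain cannot pass the check.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Bot carries only the operator's public key, embedded in the binary; dumping
// the bot therefore yields nothing that lets someone forge a C&C reply.
type Bot struct {
	c2PubKey ed25519.PublicKey
}

// C2 holds the operator's private signing key, which never leaves the server.
type C2 struct {
	priv ed25519.PrivateKey
}

// NewC2 creates a C&C with a fresh key pair (Ed25519 is an assumption here).
func NewC2() (*C2, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &C2{priv: priv}, nil
}

// BotFor returns a bot that trusts exactly one C&C public key.
func BotFor(c *C2) *Bot {
	return &Bot{c2PubKey: c.priv.Public().(ed25519.PublicKey)}
}

// NewChallenge is the bot's first message: a random nonce, so a reply that was
// captured once cannot be replayed by a sinkhole that later receives the beacon.
func NewChallenge() ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return nonce, nil
}

// signedMessage binds the nonce to a purpose label (the label is hypothetical)
// so a signature made for this handshake cannot be reused in another context.
func signedMessage(nonce []byte) []byte {
	return append([]byte("c2-auth-v1:"), nonce...)
}

// Respond is the C&C's answer: a signature over the bot's challenge.
func (c *C2) Respond(nonce []byte) []byte {
	return ed25519.Sign(c.priv, signedMessage(nonce))
}

// VerifyC2 accepts the reply only if it was produced with the operator's key.
func (b *Bot) VerifyC2(nonce, sig []byte) error {
	if !ed25519.Verify(b.c2PubKey, signedMessage(nonce), sig) {
		return errors.New("C&C failed authentication; stolen data withheld")
	}
	return nil
}

// Handshake runs the exchange from the bot's side. respond stands in for the
// network round trip; a nil error means the bot would now start uploading.
func Handshake(b *Bot, respond func(nonce []byte) []byte) error {
	nonce, err := NewChallenge()
	if err != nil {
		return err
	}
	return b.VerifyC2(nonce, respond(nonce))
}

func main() {
	operator, err := NewC2()
	if err != nil {
		panic(err)
	}
	bot := BotFor(operator)
	fmt.Println("real C&C:", Handshake(bot, operator.Respond))

	hijacker, _ := NewC2() // a different key pair: a takeover or sinkhole attempt
	fmt.Println("hijacker:", Handshake(bot, hijacker.Respond))
}
```

The asymmetric key is what makes the check meaningful: a shared secret embedded in the bot would be recoverable from any infected machine, whereas here the bot only ever holds the verifying half. The fresh nonce per beacon is the second half of the defence, since without it a single captured C&C reply would let a sinkhole pass the check indefinitely.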
Over the last month, Seculert has tracked more than 23,000 infections by this new variant in Austria, Switzerland, Belgium, and the United States.