Security Experts:

New Zeus Variant Found Targeting Salesforce.com Accounts

Researchers from Adallom, a SaaS security company founded in 2012, say they recently discovered an unusual variant of the Zeus Trojan that targets Salesforce.com users.

Adallom describes the attack as technically unsophisticated, as it was simply a customized version of the popular Zeus banking Trojan, but potentially quite dangerous as it targets sensitive corporate data.

“Tailored company data exfiltration capability is what we believe makes this variant significant,” Adallom explained. “Zeus, which traditionally used to pilfer online banking credentials and transactions, as far as we know, this is the first time a Zeus variant in the wild has been found to target an enterprise SaaS application for the purpose of data exfiltration.”

Adallom refers to this type of attack as “landmining”, since the attackers targeted an employee’s unprotected home computer, essentially laying landmines, waiting for a user to connect to Salesforce.com in order to exfiltrate company data from the Salesforce.com instance.

“This Zeus attack is simply taking advantage of the trust relationship that exists between an end-user and the SaaS application once the user has authenticated,” the company explained. “Only once that trust relationship is legitimately established does the attack truly begin.”

Adallom said it was tipped off when it received an alert stemming from high activity behavior on Salesforce.com from a customer that appeared to be a single user performing hundreds of operations in short time.

The activity, a rapid run of “view” operations, triggered an alert by Adallom to its customer’s security operations team, notifying them of the suspicious activity.

According to Adallom, this type of alert is a typical insider threat alert, usually triggered by an employee trying to copy their list of accounts from their Salesforce.com account.

While looking into the situation, the client’s corporate security team engaged Adallom Labs to assist with the investigation.

“A quick analysis of the logs indicated that the crawling behavior didn’t originate from the employee’s work device,” Adallom explained. “We could see that the offending device was mostly used during weekends and nights and was a Windows XP machine running an old version of IE. Long story short: It turned out to be that user’s spouse’s computer which was being used from time to time (weekends and nights) to catch up on work.”

Further investigation revealed that the system had been infected with a Zeus variant configured to detect Salesforce sessions rather than online banking sessions.

“This is the first incident we’ve seen of this powerful, albeit antiquated, weapon turned against corporate SaaS accounts,” Adallom said. “While Zeus usually hijacks the user session and performs wire transactions, this variant simply crawled the entire site and created a real time copy of the company CRM.”

Because some of the parameters were hard coded into this particular Zeus variant, Adallom says this doesn’t appear to be a large-scale attack, but was probably used as a specially crafted tool as part of a larger attack.

“However, this same attack pattern could be easily replicated against any company using any SaaS application,” Adallom warned. “Even more disturbing is the fact that all existing Zeus variants in the wild can be fairly easily repurposed to steal information from SaaS applications, it’s just a matter of adding another webinject configuration pack.”

Other SaaS applications have been targeted in the past by key logging malware, including a different banking a banking Trojan modified to look for SAP GUI. Late last year, Rapid7 released a paper outlining how its Metasploit tool can be used to perform penetration tests on ERP (enterprise resource planning) systems. 

"As criminals get smarter about ERP systems, I have no doubt they'll use that to their advantage," Todd Beardsley, Metasploit Engineering Manager at Rapid7 said last year. "This is why we're trying to educate legit security practitioners; the existence of a Trojan that targets SAP directly says that at least someone in the criminal underground already knows a thing or two about SAP."

According to Dell SecureWorks, many banking Trojans are used for the same purposes, although not all banking trojans are created equal. A recent report on banking Trojans from Dell SecureWorks found that traditional banking websites were the focus of most of the cyber campaigns, but attackers also targeted different institutions including corporate finance and providers of corporate payroll services, stock trading, social networking, email services, mail delivery services, employment portals, entertainment and dating portals.

Adallom said it has not determined how the machines were infected and who was behind the attack.

“Since we’re talking about a home environment, we have no network or device logs to further our investigation,” Adallom explained. “We will continue the sample analysis together with Zeus experts and the Salesforce security team and update you as our investigation progresses.”

When it comes to the use of SaaS applications, companies should assume that the user devices are compromised and deploy relevant security controls for better detection and prevention capabilities, Adallom suggested.

view counter
For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.