
New Zeus Variant Found Targeting Accounts

Researchers from Adallom, a SaaS security company founded in 2012, say they recently discovered an unusual variant of the Zeus Trojan that targets users.

Adallom describes the attack as technically unsophisticated, as it was simply a customized version of the popular Zeus banking Trojan, but potentially quite dangerous as it targets sensitive corporate data.

“Tailored company data exfiltration capability is what we believe makes this variant significant,” Adallom explained. “Zeus traditionally was used to pilfer online banking credentials and transactions; as far as we know, this is the first time a Zeus variant in the wild has been found to target an enterprise SaaS application for the purpose of data exfiltration.”

Adallom refers to this type of attack as “landmining”: the attackers compromised an employee’s unprotected home computer, essentially laying landmines, and waited for the user to connect in order to exfiltrate company data from the instance.

“This Zeus attack is simply taking advantage of the trust relationship that exists between an end-user and the SaaS application once the user has authenticated,” the company explained. “Only once that trust relationship is legitimately established does the attack truly begin.”

Adallom said it was tipped off when it received an alert stemming from high-activity behavior at a customer: what appeared to be a single user performing hundreds of operations in a short time.

The activity, a rapid run of “view” operations, triggered an alert by Adallom to its customer’s security operations team, notifying them of the suspicious activity.

According to Adallom, this type of alert is a typical insider threat alert, usually triggered by an employee trying to copy their list of accounts from their account.

While looking into the situation, the client’s corporate security team engaged Adallom Labs to assist with the investigation.

“A quick analysis of the logs indicated that the crawling behavior didn’t originate from the employee’s work device,” Adallom explained. “We could see that the offending device was mostly used during weekends and nights and was a Windows XP machine running an old version of IE. Long story short: It turned out to be that user’s spouse’s computer which was being used from time to time (weekends and nights) to catch up on work.”
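As an added illustration of the kind of detection described above (this is example code written for this page, not Adallom's product and not Salesforce's real event log schema), the script below scans a constructed audit log for a single user issuing an unusual burst of "view" operations and reports the context an analyst would check next: how many distinct records were touched, which source addresses and user agents were involved, and how much of the activity fell outside working hours. The tab-separated log format, the field names, the thresholds and the sample lines are all assumptions made for the example.

```python
"""Burst-of-reads detector over a constructed SaaS audit log.

Hypothetical log format (an assumption, not any vendor's real schema):
    <ISO-8601 timestamp>\t<username>\t<operation>\t<record id>\t<source IP>\t<user agent>
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def constructed_log():
    """Build a small sample log: one user doing normal weekday work from
    an office browser, plus one account issuing 300 views in five minutes
    late on a Saturday night from an old IE 6 / Windows XP user agent."""
    lines = []
    office_ua = "Mozilla/5.0 (Windows NT 6.1) Chrome/32.0"
    old_ua = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    workday = datetime(2014, 2, 13, 10, 0, 0)      # Thursday 10:00
    for i in range(20):                            # 20 views over ~2 hours
        t = workday + timedelta(minutes=i * 7)
        lines.append(f"{t.isoformat()}\tasmith\tview\t001A{i:05d}\t10.0.0.5\t{office_ua}")
    night = datetime(2014, 2, 15, 23, 10, 0)       # Saturday 23:10
    for i in range(300):                           # one view per second
        t = night + timedelta(seconds=i)
        lines.append(f"{t.isoformat()}\tjdoe\tview\t001B{i:05d}\t203.0.113.7\t{old_ua}")
    return lines


def parse_line(line):
    ts, user, op, rec, ip, ua = line.rstrip("\n").split("\t")
    return {"ts": datetime.fromisoformat(ts), "user": user, "op": op,
            "record": rec, "ip": ip, "ua": ua}


def is_off_hours(ts, start_hour=7, end_hour=20):
    """Weekend, or outside the assumed 07:00-20:00 working window."""
    return ts.weekday() >= 5 or ts.hour < start_hour or ts.hour >= end_hour


def summarize(user, window_events):
    """Context an analyst would want attached to the alert."""
    n = len(window_events)
    return {
        "user": user,
        "count": n,
        "distinct_records": len({e["record"] for e in window_events}),
        "window_start": window_events[0]["ts"],
        "window_end": window_events[-1]["ts"],
        "source_ips": sorted({e["ip"] for e in window_events}),
        "user_agents": sorted({e["ua"] for e in window_events}),
        "off_hours_share": sum(is_off_hours(e["ts"]) for e in window_events) / n,
    }


def detect_bursts(lines, threshold=100, window=timedelta(minutes=10), op="view"):
    """Sliding-window count of `op` per user; one alert per user whose
    count within `window` reaches `threshold`. The alert keeps the largest
    window seen so the final count reflects the whole burst."""
    events = sorted((parse_line(l) for l in lines), key=lambda e: e["ts"])
    recent = defaultdict(deque)
    alerts = {}
    for e in events:
        if e["op"] != op:
            continue
        q = recent[e["user"]]
        q.append(e)
        while e["ts"] - q[0]["ts"] > window:      # drop events outside the window
            q.popleft()
        if len(q) >= threshold and len(q) > alerts.get(e["user"], {}).get("count", 0):
            alerts[e["user"]] = summarize(e["user"], list(q))
    return list(alerts.values())


if __name__ == "__main__":
    for a in detect_bursts(constructed_log()):
        print(f"{a['user']}: {a['count']} views of {a['distinct_records']} records "
              f"between {a['window_start']} and {a['window_end']}; "
              f"UAs={a['user_agents']} off_hours={a['off_hours_share']:.0%}")
```

A high distinct-record count separates a crawl of the CRM from a user repeatedly refreshing one page, and the user-agent and off-hours fields carry the two observations the investigation above relied on (an unfamiliar old browser, weekend and night-time use) into the alert itself rather than leaving them for a later log pull.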

Further investigation revealed that the system had been infected with a Zeus variant configured to detect Salesforce sessions rather than online banking sessions.

“This is the first incident we’ve seen of this powerful, albeit antiquated, weapon turned against corporate SaaS accounts,” Adallom said. “While Zeus usually hijacks the user session and performs wire transactions, this variant simply crawled the entire site and created a real time copy of the company CRM.”

Because some of the parameters were hard coded into this particular Zeus variant, Adallom says this doesn’t appear to be a large-scale attack, but was probably used as a specially crafted tool as part of a larger attack.

“However, this same attack pattern could be easily replicated against any company using any SaaS application,” Adallom warned. “Even more disturbing is the fact that all existing Zeus variants in the wild can be fairly easily repurposed to steal information from SaaS applications, it’s just a matter of adding another webinject configuration pack.”

Other SaaS applications have been targeted in the past by key-logging malware, including a banking Trojan modified to look for the SAP GUI. Late last year, Rapid7 released a paper outlining how its Metasploit tool can be used to perform penetration tests on ERP (enterprise resource planning) systems.

“As criminals get smarter about ERP systems, I have no doubt they’ll use that to their advantage,” Todd Beardsley, Metasploit Engineering Manager at Rapid7 said last year. “This is why we’re trying to educate legit security practitioners; the existence of a Trojan that targets SAP directly says that at least someone in the criminal underground already knows a thing or two about SAP.”

According to Dell SecureWorks, many banking Trojans are used for the same purposes, although not all banking Trojans are created equal. A recent report on banking Trojans from Dell SecureWorks found that traditional banking websites were the focus of most of the cyber campaigns, but attackers also targeted other institutions, including corporate finance, providers of corporate payroll services, stock trading, social networking, email services, mail delivery services, employment portals, and entertainment and dating portals.

Adallom said it has not determined how the machines were infected and who was behind the attack.

“Since we’re talking about a home environment, we have no network or device logs to further our investigation,” Adallom explained. “We will continue the sample analysis together with Zeus experts and the Salesforce security team and update you as our investigation progresses.”

When it comes to the use of SaaS applications, companies should assume that the user devices are compromised and deploy relevant security controls for better detection and prevention capabilities, Adallom suggested.

Written By

For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.