The original Zeus used lightning bolts. The banking Trojan Zeus uses keystroke logging and steals banking credentials. This newest Zeus version adds a web-crawling capability and targets software-as-a-service (SaaS) apps to reach proprietary data or code.
Swati Khandelwal of thehackernews.com reports that a SaaS security vendor detected a malware campaign against a Salesforce.com customer. It started as an infection of an employee’s home computer. Using its web-crawling ability, Zeus grabbed sensitive data from the customer’s CRM instance.
The attack was detected when the security company saw about 2GB of data downloaded to the victim’s computer in less than 10 minutes. While Zeus normally hijacks a user session to perform wire transactions, this latest version crawls the site and creates a real-time copy of the user’s Salesforce.com instance, containing all the information from his or her company account.
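The detection described above rests on a simple observable: one user pulling an unusual volume of data from the SaaS tenant in a short time. The following is an added example, not code from the article or from the vendor it cites, showing how a defender could flag that pattern with a per-user sliding window over SaaS access logs. The log format, the user names and the byte counts are constructed for the example; the 2GB / 10-minute thresholds are taken from the figures the article reports and are exposed as parameters.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not from the article): ISO timestamp, user, bytes downloaded.
# Only "alice" exceeds 2GB inside a 10-minute window; "bob" downloads large
# objects too, but spread more than 10 minutes apart.
SAMPLE_LOG = """\
2014-02-19T09:00:00 alice 12000000
2014-02-19T09:01:30 alice 25000000
2014-02-19T09:02:00 bob 8000000
2014-02-19T09:03:10 alice 700000000
2014-02-19T09:05:40 alice 800000000
2014-02-19T09:08:05 alice 600000000
2014-02-19T09:30:00 bob 900000000
2014-02-19T09:45:00 bob 900000000
"""


def parse_log(text):
    """Parse 'timestamp user bytes' lines into (datetime, user, int) tuples, sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, user, nbytes = line.split()
        events.append((datetime.fromisoformat(ts), user, int(nbytes)))
    events.sort(key=lambda e: e[0])
    return events


def detect_bulk_downloads(events, threshold_bytes=2 * 10**9, window=timedelta(minutes=10)):
    """Sliding-window volume check, one window per user.

    For each event, drop that user's events older than `window` relative to the
    current event, then compare the remaining total with `threshold_bytes`.
    Returns a list of (user, window_start, window_end, total_bytes); one alert
    is raised per user per threshold crossing, not one per event above it.
    """
    per_user = defaultdict(deque)   # user -> deque of (timestamp, bytes) inside the window
    totals = defaultdict(int)       # user -> running byte total of that deque
    alerted = set()                 # users currently above threshold (suppresses repeats)
    alerts = []

    for ts, user, nbytes in events:
        q = per_user[user]
        q.append((ts, nbytes))
        totals[user] += nbytes
        # Evict events that fall outside the window ending at this event.
        while q and ts - q[0][0] > window:
            _, old = q.popleft()
            totals[user] -= old
        if totals[user] >= threshold_bytes:
            if user not in alerted:
                alerts.append((user, q[0][0], ts, totals[user]))
                alerted.add(user)
        else:
            alerted.discard(user)
    return alerts


if __name__ == "__main__":
    for user, start, end, total in detect_bulk_downloads(parse_log(SAMPLE_LOG)):
        print(f"ALERT {user}: {total / 1e9:.2f} GB between {start.time()} and {end.time()}")
```

A static threshold like this is a starting point; in practice the threshold would be set per tenant from a baseline of normal per-user download volume, and the alert would be enriched with the source IP and session so the analyst can tell a sanctioned export from a hijacked session on a home machine.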
Security professional Ami Luttwak said of the attack: “This looks like a targeted attack against the company, cleverly targeting the employee home instead of the enterprise – thus bypassing the company controls. This was probably just the first step. Using the Zeus web inject capabilities, they could have used the same tactics as in the banking site attacks and asked the user to enter more information regarding his company credentials, or sent out messages in his name.”
Khandelwal notes that the FBI had previously warned companies about the GameOver banking Trojan, a Zeus variant spread through phishing emails. Once installed, it uses a botnet to carry out DDoS (Distributed Denial of Service) attacks, flooding the targeted financial institution’s servers with traffic.
Earlier this year, security researcher Gary Warner described a new variant of GameOver Zeus malware that used encryption to bypass perimeter security.
This allowed attackers to bypass the traditional security measures used by Salesforce.com and other SaaS apps, letting Zeus grab large amounts of business data and customer information.
How the computers are infected in the first place, and who is behind the attacks, is still not known.