A new variant of the Sazoora data-hijacking trojan has compromised 23,000 machines across enterprises in Europe and the US, researchers say.
Seculert CTO Aviv Raff said the malware began striking the machines late last month, affecting companies in Austria, Switzerland, Belgium and the US.
An older version hit users in Slovakia via a tax return spam hoax that at the time was described by anti-virus firm ESET as an “ordinary credentials-stealing trojan” which used HTML injects to collect data from users' Internet Explorer, Firefox and Chrome browsers.
Raff said the malware was now more capable, notably at evading detection and at spreading.
He said the Sazoora.B variant lay dormant on victim machines for 15 minutes before authenticating with its command-and-control server and exfiltrating data.
“They've made some changes which made it less detectable by traditional security solutions [as well as] harder to hijack the botnet,” Raff said. “Before the command-and-control server starts [receiving] data, it's verified by some sort of digital signature.”
The new malware variant also uses form-grabbing capabilities, so that the content of any online form – whether email or otherwise – can be purloined by hackers, Raff added.
“We see it targeting mostly enterprises, so it tends to attack [with the goal] of extracting data from those specific enterprises,” he said.
Seculert has yet to identify the campaign's attack vector, but since Sazoora.A used phishing emails to target users, the new variant is likely using the same tactics, Raff said.