Zoho used by criminals in data exfiltration activities.

After the brief suspension of Zoho's domain last month, Cofense Intelligence™ found that Zoho is tied to an extremely high number of phishing campaigns that collect data from infected machines.

Of all the keyloggers analyzed by Cofense, 40% used a zoho.com or zoho.eu email address to exfiltrate data from victims' machines.

Darrell Rendell of Cofense told Threatpost that Cofense researchers were able to confirm the activity on Zoho by intercepting the malware's SMTP (Simple Mail Transfer Protocol) traffic.

“We are able to see it connecting to smtp.zoho.com; and because smtp.zoho.com allows the STARTTLS function (encrypting the network traffic), we must use special techniques to intercept the traffic and decrypt it,” he explained. “We can also confirm the contents of the messages being sent to Zoho by parsing the malware’s memory. Either way, the result is an email containing harvested keystrokes, base64 encoded screenshots, stolen passwords and browser histories, to name examples.”
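Because the STARTTLS session hides the message body, a defender on the network side mostly has connection metadata to work with. The following is an added example, not code from Cofense or Threatpost: it flags SMTP connections to zoho.com or zoho.eu mail hosts made by processes that are not approved mail clients. The CSV schema, host names, process names and the allowlist are constructed assumptions.

```python
import csv
import io

# Constructed sample: endpoint network-connection events (hypothetical CSV schema).
SAMPLE_LOG = """\
timestamp,host,process,dest_host,dest_port
2018-10-02T09:14:03Z,ws-041,outlook.exe,smtp.zoho.com,587
2018-10-02T09:15:40Z,ws-017,invoice_scan.exe,smtp.zoho.com,587
2018-10-02T09:16:12Z,ws-017,chrome.exe,www.zoho.com,443
2018-10-02T09:20:55Z,ws-023,svc_update.exe,smtp.zoho.eu,465
2018-10-02T09:21:30Z,mx-01,postfix,smtp.zoho.com.example.net,25
"""

MAIL_DOMAINS = ("zoho.com", "zoho.eu")   # domains named in the article
SMTP_PORTS = {25, 465, 587}              # SMTP relay and submission ports
# Assumption: the only binaries expected to speak SMTP from a workstation.
ALLOWED_PROCESSES = {"outlook.exe", "thunderbird.exe"}


def is_mail_domain(hostname, domains=MAIL_DOMAINS):
    """True if hostname is one of the domains or a subdomain of one.

    Matching on a label boundary avoids false hits on look-alike names
    such as smtp.zoho.com.example.net.
    """
    host = hostname.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def find_suspect_smtp(log_text):
    """Return (host, process, dest_host) for SMTP sessions to the watched
    domains that were opened by a process outside the allowlist."""
    suspects = []
    for row in csv.DictReader(io.StringIO(log_text)):
        if int(row["dest_port"]) not in SMTP_PORTS:
            continue  # web traffic to the provider is not the signal here
        if not is_mail_domain(row["dest_host"]):
            continue
        if row["process"].lower() in ALLOWED_PROCESSES:
            continue  # approved mail client
        suspects.append((row["host"], row["process"], row["dest_host"]))
    return suspects


if __name__ == "__main__":
    for hit in find_suspect_smtp(SAMPLE_LOG):
        print("suspect SMTP egress:", hit)
```

The same check extends to the other providers the article lists by adding their domains to `MAIL_DOMAINS`.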


Zoho has become very popular among cybercriminals for a few reasons, starting with the simple fact that it is a free and popular cloud service.

“They’re a software-as-a-service (SaaS) solution, and as we’ve seen cloud-based organizations are a major target for threat actors because of the sheer number of, and variance in, their end-user demographics,” Rendell told us. “For example: If a platform has 30 million+ users, even if a tiny fraction of a percent have their accounts compromised, it generates a huge command-and-control footprint for the threat actors.”


In addition, not enforcing strict security policy features, such as MFA, creates additional risk exposure.

“The risk boils down to this: The ease in which a threat actor can automate account creation, and [Zoho] not providing or enforcing strict security controls on their accounts such as multi-factor authentication, thus enabling easy and sustained takeover,” Rendell told Threatpost. “A somewhat simple script, for example, could potentially provide an attacker the ability to fully automate account creation in this type of scenario.”



On September 25, the India-based Zoho domain was suspended by the provider TierraNet following reports of phishing originating from one of Zoho's services. However, Zoho should not necessarily be singled out as a target of abuse, Rendell stressed.

“Despite being subject to media scrutiny and aggressive registrar actions, Zoho is hardly the only victim of platform abuse,” he said in a blog post on the analysis, posted Tuesday. “Many trojans and keyloggers have abused popular platforms to support credential theft. The Geodo malware…leverages stolen credentials across hundreds of platforms – SaaS, ESPs and private mail servers alike. Gmail, Outlook.com, Yandex and Yahoo are frequent victims.”


The analysis also shows an increase in the use of keyloggers, specifically the Tesla malware and Hawkeye.



“This seems to coincide with a real explosion of the malware-as-a-service model,” Rendell told us. “By abstracting away all of the difficult parts of malware – namely its authorship and subsequent configuration – it is trivial for utterly non-technical actors to purchase an off-the-shelf keylogger, ready to deploy. With phishing-as-a-service also in existence, it’s possible for would-be attackers to get end-to-end malware delivery without having to so much as run a single command.”


Agent Tesla and Hawkeye have also added certain “stealer” capabilities.

“This noxious mix of capabilities gives these families the ability to capture data both in real-time and retroactively, from vaults, wallets, caches and configs,” Rendell said. “Naturally, this begs the question: once the data has been stolen, serialized and prepared, where does it go? Either to a panel or, more commonly, to a compromised email account…keyloggers overwhelmingly favor email to all other exfiltration methods combined.”


Zoho has not yet issued any statement.