Zoho as the main way for keyloggers to send stolen data
According to Cofense Intelligence, 40% of keyloggers send the information they collect to an email address on the zoho.com or zoho.eu domain.
Zoho is an Indian company focused on developing software products that let users manage the IT infrastructure of local and regional enterprises. The vendor also provides free access to collaboration tools such as email, chat, a word processor and spreadsheets.
As Cofense reported, keylogger operators create a free Zoho email account and use it to receive the stolen data, which the malware sends as an email message. Sometimes attackers hijack an existing user's account for the same purpose.
Speaking to Threatpost, Darrell Rendell, a leading analyst at Cofense, said that researchers detected the malicious activity on the Zoho platform by intercepting the keyloggers' SMTP traffic.
Researchers were able to track the malware's connections to smtp.zoho.com. Because smtp.zoho.com supports STARTTLS (encryption of the network traffic), they had to apply specific interception and traffic analysis techniques. Data sent to Zoho addresses can also be detected by parsing the malware's memory contents. Either way, the analysts confirmed that the messages contain information such as keystrokes, base64-encoded screenshots, stolen passwords and browser history.
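Because STARTTLS hides the message body, a network defender is left with connection metadata: the destination host name (from DNS or TLS SNI) and the port. The following is an added example, not code from Cofense or from the article, that applies that idea to constructed Zeek-style connection records: it flags outbound SMTP sessions to smtp.zoho.com from internal endpoints that are not the organization's sanctioned mail relay. The smtp.zoho.eu host name, the relay address 10.0.0.25 and the log format are assumptions made for the example.

```python
"""Flag outbound SMTP to Zoho mail hosts from endpoints that are not the
sanctioned mail relay.  Operates on constructed, simplified Zeek-style
conn.log records (tab-separated).  STARTTLS hides message content, so the
signal here is destination host + port + source endpoint."""

import ipaddress
from collections import defaultdict

# smtp.zoho.com is named in the article; smtp.zoho.eu is assumed from the
# zoho.eu domain the article mentions.
ZOHO_MAIL_HOSTS = {"smtp.zoho.com", "smtp.zoho.eu"}
SMTP_PORTS = {25, 465, 587}

# Assumption: only the corporate relay may speak SMTP to the Internet.
SANCTIONED_RELAYS = {"10.0.0.25"}

# Constructed sample records:
# ts, src, dst, dport, proto, server_name (DNS answer / TLS SNI), service
SAMPLE_CONN_LOG = """\
1530000001.1\t10.0.0.25\t203.0.113.10\t587\ttcp\tsmtp.corp.example\tsmtp
1530000002.4\t10.0.5.17\t198.51.100.23\t587\ttcp\tsmtp.zoho.com\tsmtp
1530000003.9\t10.0.5.17\t198.51.100.23\t587\ttcp\tsmtp.zoho.com\tsmtp
1530000004.2\t10.0.7.42\t198.51.100.40\t465\ttcp\tsmtp.zoho.eu\tssl
1530000005.0\t10.0.9.3\t192.0.2.8\t443\ttcp\twww.zoho.com\tssl
1530000006.3\t10.0.0.25\t198.51.100.23\t587\ttcp\tsmtp.zoho.com\tsmtp
"""


def parse_conn_line(line):
    """Parse one tab-separated record; return None for malformed lines."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) != 7:
        return None
    ts, src, dst, dport, proto, server_name, service = fields
    return {
        "ts": float(ts),
        "src": src,
        "dst": dst,
        "dport": int(dport),
        "proto": proto,
        "server_name": server_name.lower(),
        "service": service,
    }


def is_suspect(rec):
    """True for an internal, non-relay source sending SMTP to a Zoho mail host.

    Ordinary browsing to www.zoho.com on 443 is not flagged: the port and
    host name must both match the mail-submission pattern."""
    src_is_internal = ipaddress.ip_address(rec["src"]).is_private
    return (
        src_is_internal
        and rec["dport"] in SMTP_PORTS
        and rec["server_name"] in ZOHO_MAIL_HOSTS
        and rec["src"] not in SANCTIONED_RELAYS
    )


def find_exfil_candidates(log_text):
    """Return {src_ip: [matching records]} for every endpoint that matched."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_conn_line(line)
        if rec and is_suspect(rec):
            hits[rec["src"]].append(rec)
    return dict(hits)


def summarize(hits):
    """Sorted (src, session_count, destination hosts) tuples for triage."""
    return sorted(
        (src, len(recs), sorted({r["server_name"] for r in recs}))
        for src, recs in hits.items()
    )


if __name__ == "__main__":
    for src, count, hosts in summarize(find_exfil_candidates(SAMPLE_CONN_LOG)):
        print(f"{src}: {count} SMTP session(s) to {', '.join(hosts)}")
```

The relay allowlist is what makes this usable in practice: on most networks legitimate outbound SMTP comes from one or two hosts, so any workstation negotiating port 587 with smtp.zoho.com is worth a look regardless of what the encrypted session carries. The same rule can be expressed in a firewall or proxy policy, which turns the detection into a block.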
Rendell explained that Zoho web services are attractive to cybercriminals for two main reasons: they are free to use and they have a huge number of users. Such services operate on the software-as-a-service (SaaS) model, and once an organization moves its files to the cloud it becomes very attractive to attackers because of the number and variety of end users. If a platform has, for example, more than 30 million users, then compromising less than 1% of its accounts is quite enough for an attacker to generate the necessary C&C traffic.
The problem in this case is unreliable protection, including the platform's multifactor authentication, and weak control over account creation. Rendell also stressed to Threatpost that a simple script is enough to fully automate the creation of accounts.
According to the Cofense investigation, the number of people using keyloggers has increased significantly. Hawkeye and Agent Tesla are among the most frequently used families; attacks of this kind, aimed at shipping companies, were detected this spring.
According to the experts, the Agent Tesla and Hawkeye keyloggers have additional information-stealing features. Rendell also emphasized that the variety of malicious functions allows these families to steal data both in real time and retrospectively, from storage, wallets, caches, configuration files and so on. So the data are stolen, serialized and prepared; what then? All of the information is then sent either to the operator's panel or to the compromised email account, and the vast majority of keyloggers use the second option.