Sazoora.B Makes its Anti-Sandboxing Debut

by on | Leave a comment
Filed under Industry News, Research Lab and tagged , , , , , , .

featured pic

The experts at Seculert’s Research Lab have identified a new version of the malware known as Sazoora. The first variant, Sazoora.A, first detected in August of last year, didn’t make headlines until this past May when ESET’s Security Research Lab identified a malware-spreading campaign based around the March deadline for tax returns in Slovakia.

Sazoora.A is an ordinary credentials-stealing Trojan that, in the Slovak case, was delivered via an email attachment. Sazoora.A is browser-based, injecting fraudulent HTML code into web pages in order to steal sensitive financial data mostly related to credit card information. The stolen data is then periodically sent to a remote server. During the May 2013 campaign, over 60% of all detected incidents were in Slovakia.


The new version of Sazoora- Sazoora.B has evolved, making it harder for traditional security solutions to detect by going through minor packing and technical changes aimed at avoiding on-premises sandboxes. Instead of immediately launching like Sazoora.A, Sazoora.B waits for 15 minutes before becoming active. This dormant phase makes it undetectable.

10minFigure 1: Results of Seculert’s Elastic Sandbox analysis after 10 minutes

30min blurred

Figure 2: Results of Seculert’s Elastic Sandbox analysis after 30 minutes

The differences continue as Sazoora.B then sends a message to its command and control server (C&C) before it begins sending its stolen data. It requires the C&C to authenticate itself via a signed signature. This verifies that the C&C is owned by the attackers, preventing other cybercriminals from hijacking their botnet. This behavior was previously seen in other malware families such as Ramnit.

API call for verification from c2

Figure 3: Microsoft API call to the C&C for signature verification

Also, Sazoora.B does not inject its main module into explorer.exe. Instead it remains in its own process.


Figure 4: Malware behaviors as identified by Seculert’s Elastic Sandbox

Between September 26 and October 20, Sazoora.B infected over 23,000 machines. The majority of the IP addresses were located in Austria, Switzerland, Belgium, and the United States.

Figure 5: Geographic breakdown of IPs infected by Sazoora.B

Figure 6: Level of Sazoora.B activity between 26 September and 20 October 2013

Figure 6: Level of Sazoora.B activity between 26 Sept. & 20 Oct. 2013


Sazoora.B like Sazoora.A is designed as an information stealer at the most fundamental level. It is similar to other such types of advanced malware used by cybercriminals targeting end-users and enterprises. Although, we have yet to determine whether Sazoora is targeting specific entities or operating in a purely opportunistic fashion, we have concluded that Sazoora.B demonstrates all the characteristics of today’s prevailing cyber attacks.

Sazoora.B’s nature allows it to avoid on-premises network security devices. It is recommended that enterprises use an advanced threat protection solution that includes a cloud-based elastic sandbox in order to detect advanced malware and APTs such as Sazoora.B.

The following MD5 is of a Sazoora.B variant:

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>