Hackers are now leveraging Zoho to distribute keyloggers and steal data

• The India-based online office suite software provider is being abused to carry out data-theft campaigns across the globe.
• Experts are unsure as to why Zoho is being abused at such as massive scale.

Zoho, a free online office suite software provider has turned into a major target for cybercriminals, who are now leveraging the service to propagate keylogger malware and steal data. The India-based online office suite software provider is being abused to carry out data-theft campaigns across the globe.

On September 25th, the online office suite provider, had its domain taken down by its registrar, TierraNet. Zoho was shut down after TierraNet discovered phishing violations originating from one of Zoho’s services. The incident impacted over 30 million Zoho users.

According to security experts at Cofense, 40 percent of the identified keyloggers were found abusing the Zoho email domain to exfiltrate data from a victim’s machine to the attacker.

What are Keyloggers?

Keyloggers or keystroke loggers are programmed to monitor and record keys that a user taps on to type on their computer. Keystrokes can help attackers obtain passwords, usernames, and other confidential financial information. Hackers tend to install keyloggers along with other legitimate programs that do not appear to be dangerous.

Modern keyloggers can also collect information such as webcam footage and screenshots and send them directly to the attacker's computer.

Keyloggers exploiting Zoho domain

Cofense researchers told Bleeping Computer that the most common keyloggers they observed abusing Zoho domains were Hawkeye and Agent Tesla. However, both the keyloggers function in a similar way, sending compiled data stolen from the victims back to the attackers using a free email provider like Zoho.

“The rise in Keyloggers seems to coincide with a real explosion of the Malware-as-a-Service model,” Cofense researchers told Bleeping Computer. “With Phishing-as-a-Service also in existence, it’s possible for would-be attackers to get end-to-end malware delivery without having to run a single command.”

Zoho appears to be aware of the abuse and told Bleeping Computer that it will be instituting new policies that all free Zoho.com accounts must follow. Zoho CEO Sridhar Vembu added that the company is focused on preventing this type of abuse.

Experts are unsure as to why Zoho is being abused at such as massive scale. However, Cofense researchers suggest that Zoho likely attracts attackers due to its lax security.

“The reason for threat actors overwhelmingly abusing Zoho is unclear, but minimal security process enforcements – optional 2FA (not enforced), activity monitoring, etc. – combine with user susceptibility to create fertile ground,” the researchers added.