Energy companies infected by newly Laziok trojan malware

Pierluigi Paganini April 01, 2015

Symantec has discovered a cyber espionage campaign targeting energy companies around the world by infecting them with a new malware dubbed Laziok trojan.

Security experts at Symantec have uncovered a new cyber espionage campaign that targeted the energy industry. The threat actors behind the campaign used uses a custom-developed malware dubbed Laziok trojan to exfiltrate sensitive data from energy companies around the world. The United Arab Emerates was the country with the highest number of infections (25%), followed by Saudi Arabia (20%), Pakistan (10%), and Kuwait (10%).

Laziok infection-graph

Trojan. Laziok was designed for reconnaissance activities, it collects data on target systems, including machine name, installed antivirus software, installed applications, CPU and GPU details, RAM size and hard disk size.

“Between January and February, we observed a multi-staged, targeted attack campaign against energy companies around the world, with a focus on the Middle East. This attack campaign used a new information stealer, detected by Symantec as Trojan.Laziok. Laziok acts as a reconnaissance tool allowing the attackers to gather data about the compromised computers.” states a blog post published by Symantec.

The data collected by Trojan.Laziok are used by bad actors to tune the attack against the targeted companies, the information help the attackers to decide which malware use to breach the systems. The operators behind the malicious campaign used other malware to target their attacks against specific companies, the attackers used versions of Backdoor.Cyberat and Trojan.Zbot to infect systems with specific configurations.

“The detailed information enables the attacker to make crucial decisions about how to proceed further with the attack, or to halt the attack. During the course of our research, we found that the majority of the targets were linked to the petroleum, gas and helium industries, suggesting that whoever is behind these attacks may have a strategic interest in the affairs of the companies affected.”

The attack chain starts with a spear phishing attack, the emails used by hackers come from the moneytrans[.]eu domain, which acts as an open relay Simple Mail Transfer Protocol (SMTP) server. The e-mails contain an attachment, typically in the form of an Excel file, that exploits a well-known Microsoft Windows vulnerability patched in 2012 and that was exploited by threat actors behind Red October and CloudAtlas campaigns.

“These emails include a malicious attachment packed with an exploit for the Microsoft Windows Common Controls ActiveX Control Remote Code Execution Vulnerability (CVE-2012-0158). This vulnerability has been exploited in many different attack campaigns in the past, such as Red October. ” explains Symantec.

The experts confirmed that bad actors that used Trojan.Laziok malware to target energy companies haven’t adopted sophisticated hacking technique, the investigation demonstrated that they exploited only an old vulnerability by using exploit kits easy to find in the underground market. However, many people still fail to apply patches for vulnerabilities that are several years old, leaving themselves open to attacks of this kind. From the attacker’s perspective, they don’t always need to have the latest tools at their disposal to succeed. All they need is a bit of help from the user and a lapse in security operations through the failure to patch.

As usual, let me suggest you to keep your systems secure by applying security patches for vulnerabilities.

trojan laziok-diagram

Pierluigi Paganini

(Security Affairs –  Trojan.Laziok,   hacking)

you might also like

leave a comment