Cyber attack campaign focused on Gulf's energy sector
Laziok trojan collecting information from energy companies in the region
The Trojan.Laziok malware is part of a multi-staged, targeted attack campaign that was detected between January and February. The attack appears to be stealing data from companies in the energy sector, and the UAE was the most targeted region with 25% of attacks. Saudi Arabia and Kuwait accounted for 10% of attacks, and Oman and Qatar for 5%.
Laziok acts as a reconnaissance tool allowing the attackers to gather data about the compromised computers.
The detailed information enables the attacker to make crucial decisions about how to proceed further with the attack, or to halt the attack.
The initial infection vector involves the use of spam emails coming from the moneytrans[.]eu domain, which acts as an open relay Simple Mail Transfer Protocol (SMTP) server. These emails include a malicious attachment packed with an exploit for the Microsoft Windows Common Controls ActiveX Control Remote Code Execution Vulnerability (CVE-2012-0158). This vulnerability has been exploited in many different attack campaigns in the past, such as Red October.
If the user opens the email attachment, which is typically an Excel file, then the exploit code is executed. If the exploit succeeds, it drops Trojan.Laziok, kicking off the infection process.
The Trojan hides itself in the %SystemDrive%\Documents and Settings\All Users\Application Data\System\Oracle directory, creating new folders there and renaming itself with well-known file names.
Trojan.Laziok then begins its reconnaissance process by collecting system configuration data such as computer name, installed software, RAM size, hard disk size, GPU and CPU details, and antivirus software.
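The two indicators the article gives a defender to work with are the sending domain and Excel lure of the initial spam (the CVE-2012-0158 delivery described above) and the staging directory the Trojan hides in. The script below is an added example, not code from the article or from Symantec: it scans constructed mail-gateway and endpoint file-creation log lines for those two indicators. The log formats, field names and sample entries are assumptions made for this example; only the moneytrans[.]eu domain and the staging path come from the article.

```python
"""
Added example: flag the two Laziok indicators named in the article
  1. mail-gateway lines from moneytrans.eu carrying an Excel attachment
  2. endpoint file-creation events under the
     ...\Documents and Settings\All Users\Application Data\System\Oracle
     staging directory
Log line formats below are constructed for this example, not a real product's.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Sender domain from the article (written defanged, moneytrans[.]eu, when shared).
SUSPECT_SENDER_DOMAIN = "moneytrans.eu"
EXCEL_EXTENSIONS = (".xls", ".xlsx", ".xlsm")

# Staging directory quoted in the article; case-insensitive, any drive letter.
STAGING_DIR_RE = re.compile(
    r"documents and settings\\all users\\application data\\system\\oracle(\\|$)",
    re.IGNORECASE,
)


@dataclass
class Finding:
    source: str   # "mail" or "endpoint"
    line: str     # the raw log line that triggered the finding
    reason: str   # short human-readable explanation


def defang(domain: str) -> str:
    """Render a domain as moneytrans[.]eu so it is safe to paste into reports."""
    return domain.replace(".", "[.]")


def check_mail_line(line: str) -> Optional[Finding]:
    # Constructed format: "from=<addr> to=<addr> attachment=<filename>"
    m = re.search(r"from=<[^>]*@([^>]+)>.*attachment=(\S+)", line)
    if not m:
        return None
    sender_domain, attachment = m.group(1).lower(), m.group(2).lower()
    if sender_domain == SUSPECT_SENDER_DOMAIN and attachment.endswith(EXCEL_EXTENSIONS):
        return Finding("mail", line, f"Excel attachment from {defang(sender_domain)}")
    return None


def check_endpoint_line(line: str) -> Optional[Finding]:
    # Constructed format: "event=FileCreate path=<full path>"
    m = re.search(r"event=FileCreate path=(.+)$", line)
    if not m:
        return None
    if STAGING_DIR_RE.search(m.group(1).strip()):
        return Finding("endpoint", line, "file written into the Laziok staging directory")
    return None


def scan(mail_lines: List[str], endpoint_lines: List[str]) -> List[Finding]:
    """Run both checks and return every finding, mail findings first."""
    findings = [f for ln in mail_lines if (f := check_mail_line(ln))]
    findings += [f for ln in endpoint_lines if (f := check_endpoint_line(ln))]
    return findings


# Constructed sample input: one true positive per source, plus benign noise.
MAIL_LOG = [
    "from=<billing@moneytrans.eu> to=<ops@example-energy.test> attachment=invoice.xls",
    "from=<hr@example-energy.test> to=<ops@example-energy.test> attachment=schedule.xlsx",
    "from=<news@moneytrans.eu> to=<ops@example-energy.test> attachment=flyer.pdf",
]
ENDPOINT_LOG = [
    r"event=FileCreate path=C:\Documents and Settings\All Users\Application Data\System\Oracle\svchost.exe",
    r"event=FileCreate path=C:\Users\ops\Downloads\report.pdf",
]


if __name__ == "__main__":
    for f in scan(MAIL_LOG, ENDPOINT_LOG):
        print(f"[{f.source}] {f.reason}: {f.line}")
```

The mail check requires both conditions (sender domain and Excel attachment) so that ordinary mail from the same relay does not fire, and the endpoint check matches on the directory rather than on file names, since the article notes the Trojan renames itself to well-known names that a name-based rule would miss.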
The collected information is then sent to the attackers. Once the attackers have received the system configuration data, including details of any installed antivirus software, they infect the computer with additional malware. In this campaign, the attackers distributed customized copies of Backdoor.Cyberat and Trojan.Zbot, specifically tailored to the compromised computer’s profile. Symantec observed that the threats were downloaded from a few servers operating in the US, UK, and Bulgaria.
In a Symantec blog post, researchers said that: “The group behind the attack does not seem to be particularly advanced, as they exploited an old vulnerability and used their attack to distribute well-known threats that are available in the underground market. However, many people still fail to apply patches for vulnerabilities that are several years old, leaving themselves open to attacks of this kind. From the attacker’s perspective, they don’t always need to have the latest tools at their disposal to succeed. All they need is a bit of help from the user and a lapse in security operations through the failure to patch.”