Energy-sector companies based in the Middle East are among the most recent targets of new reconnaissance malware dubbed Trojan.Laziok, which infects systems to gather and exfiltrate sensitive company information, Symantec researchers have revealed.
Symantec's researchers found that the majority of the attacks, recorded between January and February this year, targeted petroleum, gas and helium companies operating in the Middle East. Companies based in the United Arab Emirates accounted for a quarter of the attack attempts, while Saudi Arabia, Kuwait and Pakistan each accounted for 10 per cent. The UK and the US together accounted for a further 10 per cent of Laziok infections.
Symantec says the attack begins with spam emails sent through the moneytrans[.]eu domain, which acts as the SMTP server. The emails carry a malicious Microsoft Excel attachment that exploits the Microsoft Windows Common Controls ActiveX Control Remote Code Execution Vulnerability (CVE-2012-0158); once the recipient opens the file, Laziok is dropped onto the machine.
Once dropped, the trojan hides itself in the C:\Documents and Settings\All Users\Application Data\System\Oracle directory, creating new folders and renaming itself with well-known file names. It then collects information about the host, including the computer name, installed software, RAM size, hard disk size, GPU and CPU details and, perhaps crucially, which antivirus software is installed, and sends it back to the attackers. Based on that profile, the attackers decide whether to deploy additional malware, either Backdoor.Cyberat or Trojan.Zbot, which gives them remote access to the infected system.
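As an added example, not code from the article or from Symantec, the following Python turns the two indicators the article actually gives (the moneytrans[.]eu sending domain with an Excel lure, and the System\Oracle staging directory) into a triage check that runs over mail-gateway log lines and over a host path. The log line format, the field names, the sample lines and the list of Excel extensions are all assumptions made for this example; the article only says "Microsoft Excel file".

```python
"""Added triage helpers for the Laziok chain described in the article:
the mail lure (moneytrans.eu sender + Excel attachment) and the host
staging directory (...\Application Data\System\Oracle)."""
import re
from pathlib import Path
from typing import Iterable, List

SENDER_DOMAIN = "moneytrans.eu"   # from the article (written defanged there)
# Assumption: treat any Excel workbook/template type as the lure.
EXCEL_EXTS = {".xls", ".xlsx", ".xlsm", ".xlt", ".xltx", ".xltm"}
# The article's path ends in ...\Application Data\System\Oracle; we take the
# parent of "System" as the root so the same check works on both XP-style and
# ProgramData-style roots (see __main__ below).
STAGING_SUBDIR = Path("System") / "Oracle"

# Assumed gateway log format (constructed for this example):
#   <timestamp> from=<addr> to=<addr> [attach="<filename>"]
LOG_RE = re.compile(
    r'from=<(?P<sender>[^>]+)> to=<(?P<rcpt>[^>]+)>(?: attach="(?P<attach>[^"]*)")?'
)


def sender_domain(addr: str) -> str:
    """Lower-cased domain part of an address ('' when there is no @)."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def matches_sender_domain(domain: str) -> bool:
    """Exact match or subdomain of the sending domain named in the article."""
    return domain == SENDER_DOMAIN or domain.endswith("." + SENDER_DOMAIN)


def is_laziok_lure(line: str) -> bool:
    """True when the line records mail from moneytrans.eu carrying an Excel file."""
    m = LOG_RE.search(line)
    if not m or not matches_sender_domain(sender_domain(m["sender"])):
        return False
    attach = m["attach"] or ""           # messages without an attachment are not lures
    return Path(attach).suffix.lower() in EXCEL_EXTS


def flag_lures(lines: Iterable[str]) -> List[str]:
    """Return only the log lines that match the lure pattern."""
    return [line for line in lines if is_laziok_lure(line)]


def staging_dir(root: str) -> Path:
    """Staging directory under the given root (the parent of 'System')."""
    return Path(root) / STAGING_SUBDIR


def find_staged_files(root: str) -> List[str]:
    """Relative paths of files under the staging directory, [] if it is absent."""
    base = staging_dir(root)
    if not base.is_dir():
        return []
    return sorted(p.relative_to(base).as_posix() for p in base.rglob("*") if p.is_file())


# Constructed sample log lines (not real traffic): lines 1 and 4 should be flagged.
SAMPLE_LOG = [
    '2015-02-03T09:12:44Z from=<invoice@moneytrans.eu> to=<ops@example.test> attach="Invoice_Feb.xls"',
    '2015-02-03T09:13:01Z from=<hr@example.test> to=<ops@example.test> attach="holidays.xlsx"',
    '2015-02-03T09:15:30Z from=<news@moneytrans.eu> to=<ops@example.test>',
    '2015-02-03T09:16:02Z from=<billing@mail.moneytrans.eu> to=<fin@example.test> attach="Report.XLS"',
]

if __name__ == "__main__":
    for hit in flag_lures(SAMPLE_LOG):
        print("LURE:", hit)
    # On XP/2003 the article's path is literal; on Vista and later
    # "Documents and Settings\All Users\Application Data" is a junction chain
    # onto C:\ProgramData, so check that root too.
    for root in (r"C:\Documents and Settings\All Users\Application Data", r"C:\ProgramData"):
        for f in find_staged_files(root):
            print("STAGED:", staging_dir(root) / f)
```

The domain check deliberately accepts subdomains of moneytrans.eu but rejects look-alikes such as notmoneytrans.eu, and the host check reports any file under the staging directory rather than matching specific names, because the article says the trojan renames itself after well-known files but does not list them.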
“The group behind the attack does not seem to be particularly advanced, as they exploited an old vulnerability and used their attack to distribute well-known threats that are available in the underground market,” Symantec security response manager Christian Tripputi wrote in a blog post detailing the threat.
“However, many people still fail to apply patches for vulnerabilities that are several years old, leaving themselves open to attacks of this kind. From the attacker’s perspective, they don’t always need to have the latest tools at their disposal to succeed. All they need is a bit of help from the user and a lapse in security operations through the failure to patch.”