Trojan Doing Recon in Energy Sector

Tuesday, April 7, 2015 @ 04:04 PM gHale

Reconnaissance operations are ongoing against companies related to the energy sector across the world, researchers said.

A Trojan, dubbed Laziok by Symantec, has been in campaigns running between January and February, in attacks that focused mostly on targets in the Middle East.


Its purpose is to collect information about the infected systems; those details help the attacker decide the best course for the operation, Symantec researchers said.

In an initial stage of infection, Laziok determines if the compromised computer represents an interest to the attacker by gathering configuration data.

If the system is not attractive, the infection stops. In the opposite case, Laziok will then deliver additional malware (custom variants of Cyberat and Zbot) with different functionality, downloaded from servers in the U.S., UK and Bulgaria.

The data initially collected by the threat includes the name of the computer, the software installed, RAM and hard disk size, GPU and CPU details and the antivirus solution available.

“During the course of our research, we found that the majority of the targets were linked to the petroleum, gas and helium industries, suggesting that whoever is behind these attacks may have a strategic interest in the affairs of the companies affected,” Symantec security response manager Christian Tripputi said in a blog post.

From the telemetry data provided by the security company, the most affected region is the United Arab Emirates, which reported 25 percent of the infections.

Additional countries that represent an interest to the attacker judging from the number of detections are Pakistan, Saudi Arabia and Kuwait, each accounting for 10 percent of the total infections.

Laziok has also been found on systems in Qatar, Oman, the U.S., the UK, India, Indonesia, Colombia, Cameroon and Uganda.

The initial attack vector is an email purporting to come from the moneytrans[.]eu domain, which functions as the outgoing (SMTP) server, Tripputi said.

The messages have attached a malicious Excel file with an exploit for CVE-2012-0158, a buffer overflow security glitch in the ListView/TreeView ActiveX controls in the MSCOMCTL.OCX library that allows remote code execution.

Although the attacker relies on non-advanced methods and tools known on the underground market, researchers said the risk posed is not negligible since systems oftentimes remain unpatched against old glitches, making them susceptible to non-sophisticated attacks.
