Security researchers have recently discovered a new information-stealing malware, dubbed Laziok, which is used in reconnaissance campaigns against energy companies worldwide. Its operations were most active between January and February, targeting large companies, mostly in the Middle East.
About 25% of the attacks have been detected in the United Arab Emirates.
Other targeted countries include Kuwait, Saudi Arabia and Pakistan (about 10% of infections each), followed by Qatar, Oman, the UK, the US, Indonesia, India, Uganda and Colombia.
After compromising a company's systems, the Laziok Trojan harvests key system data so that the attackers can decide how to proceed. Once this initial stage is complete, the attackers decide whether to collect further configuration data. If the system is of no interest, the malware goes no further.
However, if the attackers consider the data valuable, Laziok deploys additional malware, usually downloaded from servers in the UK, US or Bulgaria. The primary data collected consists of installed software, RAM and hard disk size, GPU and CPU details, and the anti-malware tools present on the machine.
These additional payloads are custom variants of other Trojans such as Cyberat and Zbot.
What Kind of Essential Data Does Laziok Collect?
Researchers have reported that Laziok's servers are probably located in the UK, US or Bulgaria. After extensive analysis, security experts have concluded that most of the targets were connected to the helium, gas and petroleum industries. It is therefore safe to assume that the attackers have a strong interest in the projects of such companies and have carefully prepared their strategy, even though the Trojan itself is not sophisticated.
Laziok’s Distribution Technique
The initial attack starts with an email sent through moneytrans.eu as the outgoing mail server. The emails carry a malicious Excel attachment containing an exploit for CVE-2012-0158, a well-known vulnerability in the ListView / TreeView ActiveX control. The control is part of the MSCOMCTL.OCX library, and the flaw permits remote code execution.
The bug has been exploited before and is said to affect Microsoft Office versions from 2003 to 2010.
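As an added defender-side example (not code from the original report), the following Python check triages an incoming message the way a mail gateway might for this campaign: it flags Excel attachments, identifies the legacy OLE2 binary format that the exploit targets, and raises the verdict when the message was relayed through the moneytrans.eu infrastructure named above. The sample message, host names and verdict thresholds are constructed for the demonstration.

```python
import email
from email import policy
from email.message import EmailMessage

# Magic bytes of an OLE2 compound file, the container format of legacy .xls
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Sending infrastructure named in the report; the only indicator the page gives
SUSPECT_RELAYS = ("moneytrans.eu",)
EXCEL_EXTENSIONS = (".xls", ".xlsx", ".xlsm")


def build_sample_eml() -> bytes:
    """Constructed test message (not a real Laziok sample): an OLE2-headed
    .xls attachment relayed through a moneytrans.eu host."""
    msg = EmailMessage()
    msg["Received"] = "from mail.moneytrans.eu (unknown [192.0.2.10]) by mx.example.net"
    msg["From"] = "invoices@example.org"
    msg["To"] = "ops@example.net"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see attached.")
    payload = OLE2_MAGIC + b"\x00" * 504  # header only, no document body
    msg.add_attachment(payload, maintype="application",
                       subtype="vnd.ms-excel", filename="invoice.xls")
    return msg.as_bytes()


def triage(raw: bytes) -> dict:
    """Return a verdict and the findings that drove it for one raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    received = " ".join(str(h) for h in msg.get_all("Received", [])).lower()
    via_suspect_relay = any(relay in received for relay in SUSPECT_RELAYS)
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        is_ole2 = data.startswith(OLE2_MAGIC)
        if name.endswith(EXCEL_EXTENSIONS) or is_ole2:
            findings.append({
                "filename": name,
                "ole2": is_ole2,
                # OLE2 bytes under a ZIP-based (.xlsx/.xlsm) or non-Excel name
                "type_mismatch": is_ole2 and not name.endswith(".xls"),
            })
    if findings and via_suspect_relay:
        verdict = "quarantine"   # Excel attachment over the reported relay
    elif any(f["ole2"] for f in findings):
        verdict = "review"       # legacy binary Excel: the exploitable format
    else:
        verdict = "pass"
    return {"verdict": verdict, "via_suspect_relay": via_suspect_relay,
            "findings": findings}
```

A real gateway would add the same check to every Received hop and to the envelope sender, since the relay string alone is easy to change between campaigns.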
Even though the Laziok attack does not use any new tricks, companies should treat it as a serious threat. One reason for caution is that systems often remain unpatched against old vulnerabilities.