Security researchers have discovered a multi-stage espionage campaign that uses customised malware to steal confidential data from energy firms.
Dubbed Trojan.Laziok, the malware acts as a reconnaissance tool that lets the attackers gather data about compromised computers, according to Symantec security researchers.
Symantec researcher Christian Tripputi wrote that the detailed information enables the attackers to make crucial decisions about how to proceed with an attack, or whether to halt it.
Tripputi said that once the attackers have the system configuration data, they can infect the computer with additional malware, such as versions of Backdoor.Cyberat and Trojan.Zbot, tailored to the compromised computer.
The researchers found that most targets identified in January and February 2015 were linked to the petroleum, gas and helium industries, and that the initial attacks could have been blocked by keeping software and systems up to date.
The United Arab Emirates (UAE) was the most targeted country, followed by Saudi Arabia, Pakistan and Kuwait.
The researchers found that energy firm computers were infected via spam emails sent from the moneytrans.eu domain, which acts as an open-relay Simple Mail Transfer Protocol (SMTP) server.
These emails carry a malicious attachment, typically an Excel file, packed with an exploit for the Microsoft Windows Common Controls ActiveX control remote code execution vulnerability (CVE-2012-0158).
This vulnerability has been exploited in many attack campaigns in the past, including Red October, which infected diplomatic, government and scientific organisations around the world.
When the user opens the email attachment, the exploit code runs. If the exploit succeeds, it drops Trojan.Laziok, kicking off the infection process.
The Trojan hides itself in the C:\Documents and Settings\All Users\Application Data\System\Oracle directory, creating new folders and renaming itself to well-known file names so that it blends in with legitimate processes.
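One practical check that follows from the hiding behaviour described above: an executable carrying a well-known system binary name but living outside the directory that binary belongs in is worth flagging, and anything under the reported Laziok drop directory doubly so. The following is an added example, not Symantec's code or anything from the campaign. The list of borrowed names and the set of legitimate directories are assumptions (the article does not say which names Laziok used), and the file listing it scans is constructed inline so it runs offline.

```python
"""Flag executables that use well-known system binary names but sit outside
the directories those binaries belong in.

Added example for illustration; not Symantec's code. Names and directories
below are assumptions, not the real Laziok artefacts.
"""
import ntpath

# Assumed: well-known names an implant might borrow to blend in.
WELL_KNOWN_NAMES = {
    "lsass.exe", "smss.exe", "svchost.exe",
    "taskmgr.exe", "chrome.exe", "explorer.exe",
}

# Assumed and simplified: where those names are legitimately expected.
LEGIT_DIRS = {
    r"c:\windows\system32",
    r"c:\windows",
    r"c:\program files\google\chrome\application",
}

# Drop directory reported for Trojan.Laziok (lower-cased for comparison).
LAZIOK_DIR = r"c:\documents and settings\all users\application data\system\oracle"

# Constructed sample listing, e.g. the output of a recursive directory walk.
SAMPLE_LISTING = [
    r"C:\Windows\System32\lsass.exe",
    r"C:\Windows\System32\smss.exe",
    r"C:\Documents and Settings\All Users\Application Data\System\Oracle\lsass.exe",
    r"C:\Documents and Settings\All Users\Application Data\System\Oracle\Microsoft\chrome.exe",
    r"C:\Users\alice\Downloads\svchost.exe",
    r"C:\Users\alice\Downloads\report.xls",
]


def find_masquerading_binaries(paths):
    """Return (path, reason) for each file that borrows a well-known name
    but is not in a directory where that name is expected."""
    suspects = []
    for path in paths:
        directory, name = ntpath.split(path)
        directory = directory.lower().rstrip("\\")
        name = name.lower()
        if name not in WELL_KNOWN_NAMES:
            continue          # not a borrowed name, nothing to check
        if directory in LEGIT_DIRS:
            continue          # the real binary where it belongs
        reason = "well-known name outside its expected directory"
        if directory == LAZIOK_DIR or directory.startswith(LAZIOK_DIR + "\\"):
            reason = "well-known name under the reported Laziok drop directory"
        suspects.append((path, reason))
    return suspects


if __name__ == "__main__":
    for path, reason in find_masquerading_binaries(SAMPLE_LISTING):
        print(f"{reason}: {path}")
```

On a live host the listing would come from walking the volume (or from an EDR file inventory); the point of the check is that a name match alone says nothing, and a name match in the wrong directory is the signal.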
Tripputi said the espionage campaign exploited an old vulnerability and distributed well-known threats available on the underground market.
“However, many computer users still fail to apply patches for vulnerabilities that are several years old, leaving themselves open to attacks of this kind,” he said.
This means attackers do not always need the latest tools to succeed: they can exploit an organisation's failure to patch software and systems regularly.