New malware exploit targets energy sector
04 Apr 2015
Hackers are targeting the energy sector with a new piece of malware, detected by Symantec as Trojan.Laziok.
The attack had focused on the Middle East, with Trojan.Laziok functioning as a reconnaissance tool to allow hackers to steal data from compromised computers, net security firm Symantec reported.
The petroleum, gas, and helium companies were targeted using spam emails from the moneytrans.eu domain.
The emails carried a Microsoft Excel attachment that exploited the Microsoft Windows Common Controls ActiveX Remote Code Execution Vulnerability (CVE-2012-0158, patched by Microsoft in 2012). The vulnerability had been seen in prior attacks, although the attack method was new.
The infection started when the recipient opened the attachment. Laziok hid itself in "%SystemDrive%\Documents and Settings\All Users\Application Data\System\Oracle", where it created new folders and copied itself under names borrowed from ordinary Windows files, such as search.exe, lsass.exe and smss.exe.
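A simple way to hunt for this masquerading on a fleet is to compare the name of every running process image with the directory it runs from: a genuine lsass.exe or smss.exe lives in %SystemRoot%\System32, so a copy running from a profile or "Application Data" path is suspect, as is anything running from the "System\Oracle" directory named in the report. The script below is an added example written for this page, not Symantec's code or the malware's own; it assumes a default Windows install with %SystemRoot% = C:\Windows, and the process listing it scans is constructed sample data rather than telemetry from a real host.

```python
"""Hunt for Laziok-style process-name masquerading in a process listing.

Added example (not Symantec's code or the malware's own). Flags binaries
that borrow core Windows process names but run from a directory other than
the genuine binary's, and anything running from the
"All Users\\Application Data\\System\\Oracle" path named in the report.
"""
import ntpath

# Where the genuine binaries with these names live. Assumption: a default
# install with %SystemRoot% = C:\Windows. search.exe has no legitimate
# location; it is listed only because Laziok used that name.
LEGITIMATE_DIRS = {
    "lsass.exe": {r"c:\windows\system32"},
    "smss.exe": {r"c:\windows\system32"},
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "search.exe": set(),
}

# Tail of the staging directory from the Symantec write-up, lower-cased.
LAZIOK_DIR_FRAGMENT = r"\application data\system\oracle"


def normalise(path):
    """Lower-case a Windows path and strip any trailing backslash."""
    return path.replace("/", "\\").rstrip("\\").lower()


def check_process(image_path):
    """Return a list of findings for one process image path; [] if clean."""
    findings = []
    directory, name = ntpath.split(normalise(image_path))
    if LAZIOK_DIR_FRAGMENT in directory:
        findings.append("runs from Laziok staging directory")
    if name in LEGITIMATE_DIRS and directory not in LEGITIMATE_DIRS[name]:
        findings.append(f"{name} outside expected directory")
    return findings


def hunt(process_list):
    """Map each suspicious image path in the listing to its findings."""
    results = {}
    for image_path in process_list:
        findings = check_process(image_path)
        if findings:
            results[image_path] = findings
    return results


# Constructed sample process listing (not captured from a real machine).
SAMPLE_PROCESSES = [
    r"C:\Windows\System32\lsass.exe",
    r"C:\Windows\System32\smss.exe",
    r"C:\Windows\SysWOW64\svchost.exe",
    r"C:\Documents and Settings\All Users\Application Data\System\Oracle\lsass.exe",
    r"C:\Documents and Settings\All Users\Application Data\System\Oracle\search.exe",
    r"C:\Users\alice\AppData\Local\Temp\smss.exe",
    r"C:\Program Files\Vendor\updater.exe",
]

if __name__ == "__main__":
    for path, findings in hunt(SAMPLE_PROCESSES).items():
        print(path)
        for finding in findings:
            print("   -", finding)
```

On a real host the listing would come from Sysmon event 1 (process creation) or a periodic process inventory; the check is deliberately path-based rather than hash-based so it still fires on samples whose hashes have never been seen.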
It then collected system data, including the computer name, the installed software and antivirus product, and hardware details (RAM, GPU and processor), and sent it to the attackers, who could then choose additional malware suited to whatever defences were present.
The United Arab Emirates had been most affected by the attack, followed by Saudi Arabia, Pakistan, and Kuwait.
Symantec said, ''In this campaign, the attackers distributed customized copies of Backdoor.Cyberat and Trojan.Zbot, which are specifically tailored for the compromised computer's profile. We observed that the threats were downloaded from a few servers operating in the US, UK, and Bulgaria.''
The data that hackers gathered with the help of Trojan.Laziok included details about installed software, antivirus software, RAM size, hard disk size, central processing unit and graphics processing unit.
With the detailed information, attackers could make crucial decisions about how to proceed with an attack, or whether to halt the attack, according to Symantec researcher Christian Tripputi's blog post.
According to Tripputi, once the attackers received the system configuration data, they then infected the computer with additional malware – such as versions of Backdoor.Cyberat and Trojan.Zbot, specifically tailored for the compromised computer.
According to the researchers, most targets observed in January and February 2015 were linked to the petroleum, gas and helium industries. The initial infections could have been blocked simply by keeping software and systems up to date, since the exploited vulnerability had already been patched.
The researchers said energy firms' computers were infected using spam emails sent from the moneytrans.eu domain, which acted as an open-relay Simple Mail Transfer Protocol (SMTP) server.