‘Trojan.Laziok’ reconnaissance malware targets Middle East energy sector (Martin Anderson/The Stack)

Martin Anderson, The Stack, Tuesday 31 March, 2015

Researchers at Symantec have observed that a relatively new piece of data exfiltration software has been put to work in a winter campaign against energy companies in the Middle East. In a blog post, Symantec’s Christian Tripputi reveals that Symantec observed a ‘multi-staged, targeted attack campaign’ against energy companies around the world between January and February this year, with a distinct emphasis on the Middle East.

Though the central malware has been dubbed ‘Trojan.Laziok’ by Symantec, the Laziok Trojan has in fact been identified and addressed before, with uninstall information widely available at various sites, and would appear to have been picked up as a campaign tool by as-yet unknown actors seeking sensitive information from the energy sector.

Tripputi says: “The detailed information enables the attacker to make crucial decisions about how to proceed further with the attack, or to halt the attack. During the course of our research, we found that the majority of the targets were linked to the petroleum, gas and helium industries, suggesting that whoever is behind these attacks may have a strategic interest in the affairs of the companies affected.”

The attack begins with spam emails from the moneytrans.eu domain. The mails contain an exploit for the Microsoft Windows Common Controls ActiveX Control Remote Code Execution Vulnerability (CVE-2012-0158), which is executed if the recipient opens the infected Microsoft Excel file attached to the mail. After this the running Trojan heads straight for Settings\All Users\Application Data\System\Oracle and creates apparently innocuous folder names to hide copies of itself in. During the process it will also rename itself to hide under the Oracle brand in file listings and the running processes list.

Some of the identified refuges are:

%SystemDrive%\Documents and Settings\All Users\Application Data\System\Oracle\azioklmpx\search.exe
%SystemDrive%\Documents and Settings\All Users\Application Data\System\Oracle\azioklmpx\ati.exe
%SystemDrive%\Documents and Settings\All Users\Application Data\System\Oracle\azioklmpx\lsass.exe
%SystemDrive%\Documents and Settings\All Users\Application Data\System\Oracle\azioklmpx\smss.exe
%SystemDrive%\Documents and Settings\All Users\Application Data\System\Oracle\azioklmpx\admin.exe
%SystemDrive%\Documents and Settings\All Users\Application Data\System\Oracle\azioklmpx\key.exe
%SystemDrive%\Documents and Settings\All Users\Application Data\System\Oracle\azioklmpx\taskmgr.exe
%SystemDrive%\Documents and Settings\All Users\Application Data\System\Oracle\azioklmpx\chrome.exe

After this, Trojan.Laziok initiates reconnaissance, initially collecting configuration data for the infected machine. The data includes the computer’s name, installed software, hard disk and RAM configuration, GPU and CPU details, and any antivirus software that may be attempting to protect the machine. Having received this data from the Trojan, the attackers at the C&C additionally infect the host computer with bespoke copies of Trojan.Zbot and Backdoor.Cyberat, possibly the only custom-built software that the victim will have on their PC. The latter is a Remote Administration Tool, granting the controlling actor absolute control over the infected machine, whilst Zbot specifically targets confidential information, including online banking details. Zbot is, however, a versatile and configurable tool which will have been delivered to the energy companies with specific objectives for the type of information sought.
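The file names above are a textbook masquerade: well-known Windows process names (lsass.exe, smss.exe, taskmgr.exe) and a common browser name (chrome.exe) dropped into an Application Data folder rather than their normal locations. A defender can hunt for this pattern generically, without depending on the specific Laziok folder name. The following is an added example written for this article, not code from Symantec or The Stack; it runs over a constructed list of file paths (labelled as such), flags any path whose base name is a commonly spoofed binary but whose parent directory is not one of the expected directories (a simplified table assumed for the example), and separately flags the Application Data\System\Oracle path fragment and file names reported above.

```python
import ntpath

# Constructed sample observations (e.g. from a process listing or file inventory).
# These are illustrative records made up for the example, not real telemetry.
SAMPLE_OBSERVATIONS = [
    r"C:\Windows\System32\lsass.exe",
    r"C:\Windows\System32\smss.exe",
    r"C:\Program Files\Google\Chrome\Application\chrome.exe",
    r"C:\Documents and Settings\All Users\Application Data\System\Oracle\azioklmpx\lsass.exe",
    r"C:\Documents and Settings\All Users\Application Data\System\Oracle\azioklmpx\search.exe",
    r"C:\Users\alice\AppData\Local\Temp\taskmgr.exe",
]

# Expected parent directories for binaries whose names are commonly spoofed.
# Simplified assumption for this example; a real deployment should build this
# table from a golden image or vendor documentation, and compare lower-cased.
EXPECTED_DIRS = {
    "lsass.exe": {r"c:\windows\system32"},
    "smss.exe": {r"c:\windows\system32"},
    "taskmgr.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "chrome.exe": {
        r"c:\program files\google\chrome\application",
        r"c:\program files (x86)\google\chrome\application",
    },
}

# Directory fragment and file names the article reports for Trojan.Laziok copies.
LAZIOK_DIR_FRAGMENT = "\\application data\\system\\oracle\\"
LAZIOK_NAMES = {
    "search.exe", "ati.exe", "lsass.exe", "smss.exe",
    "admin.exe", "key.exe", "taskmgr.exe", "chrome.exe",
}


def classify(path):
    """Return a list of finding labels for one Windows path (empty if clean)."""
    p = path.lower()
    # ntpath handles backslash separators regardless of the host OS.
    name = ntpath.basename(p)
    parent = ntpath.dirname(p)
    findings = []
    # Generic masquerade check: known binary name outside its expected directory.
    if name in EXPECTED_DIRS and parent not in EXPECTED_DIRS[name]:
        findings.append("masquerade")
    # Campaign-specific check: Laziok folder fragment plus a reported file name.
    if LAZIOK_DIR_FRAGMENT in p and name in LAZIOK_NAMES:
        findings.append("laziok-path")
    return findings


def scan(paths):
    """Map each suspicious path to its findings; clean paths are omitted."""
    results = {}
    for path in paths:
        findings = classify(path)
        if findings:
            results[path] = findings
    return results


if __name__ == "__main__":
    for path, findings in scan(SAMPLE_OBSERVATIONS).items():
        print(", ".join(findings), "->", path)
```

The generic check is the more durable of the two: the campaign folder name will change, but a binary called lsass.exe that is not in System32 is suspicious on any Windows host. The path fragment check is only a cheap indicator for this particular reporting.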

See the original article here:
‘Trojan.Laziok’ reconnaissance malware targets Middle East energy sector (Martin Anderson/The Stack)
