
‘Trojan.Laziok’ reconnaissance malware targets Middle East energy sector (Martin Anderson/The Stack)

News | Martin Anderson, The Stack | Tuesday 31 March, 2015

Researchers at Symantec have observed that a relatively new piece of data-exfiltration software has been put to service in a winter campaign against energy companies in the Middle East. In a blog post, Symantec’s Christian Tripputi reveals that the company observed a ‘multi-staged, targeted attack campaign’ against energy companies around the world between January and February this year, with a distinct emphasis on the Middle East.

Though Symantec has dubbed the central malware ‘Trojan.Laziok’, the Laziok Trojan has in fact been identified and addressed before, with removal information widely available at various sites, and it appears to have been picked up as a campaign tool by as-yet unknown actors seeking sensitive information from the energy sector.

Tripputi says: “The detailed information enables the attacker to make crucial decisions about how to proceed further with the attack, or to halt the attack. During the course of our research, we found that the majority of the targets were linked to the petroleum, gas and helium industries, suggesting that whoever is behind these attacks may have a strategic interest in the affairs of the companies affected.”

The attack begins with spam emails sent from the moneytrans.eu domain. The mails carry a malicious Microsoft Excel attachment containing an exploit for the Microsoft Windows Common Controls ActiveX Control Remote Code Execution Vulnerability (CVE-2012-0158), which fires when the recipient opens the file. Once running, the Trojan heads straight for %SystemDrive%\Documents and Settings\All Users\Application Data\System\Oracle and creates innocuous-looking folder names in which to hide copies of itself. It also renames those copies after Windows system binaries and other familiar programs, so that they blend into file listings and the running-processes list under the Oracle brand.

Some of the identified hiding places are:

%SystemDrive%\Documents and Settings\All Users\Application Data\System\Oracle\azioklmpx\search.exe
%SystemDrive%\Documents and Settings\All Users\Application Data\System\Oracle\azioklmpx\ati.exe
%SystemDrive%\Documents and Settings\All Users\Application Data\System\Oracle\azioklmpx\lsass.exe
%SystemDrive%\Documents and Settings\All Users\Application Data\System\Oracle\azioklmpx\smss.exe
%SystemDrive%\Documents and Settings\All Users\Application Data\System\Oracle\azioklmpx\admin.exe
%SystemDrive%\Documents and Settings\All Users\Application Data\System\Oracle\azioklmpx\key.exe
%SystemDrive%\Documents and Settings\All Users\Application Data\System\Oracle\azioklmpx\taskmgr.exe
%SystemDrive%\Documents and Settings\All Users\Application Data\System\Oracle\azioklmpx\chrome.exe

After this, Trojan.Laziok begins reconnaissance, initially collecting configuration data for the infected machine: the computer’s name, installed software, hard disk and RAM configuration, GPU and CPU details, and any antivirus software that may be protecting the machine. Having received this data from the Trojan, the attackers use their command-and-control (C&C) infrastructure to additionally infect the host with bespoke copies of Trojan.Zbot and Backdoor.Cyberat, possibly the only custom-built software the victim will have on their PC. The latter is a Remote Administration Tool (RAT), granting the controlling actor complete control over the infected machine, while Zbot specifically targets confidential information, including online banking details. Zbot is, however, a versatile and configurable tool, and will have been delivered to the energy companies with specific objectives for the type of information sought.
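The staging paths and borrowed process names above are the most hunt-friendly part of the write-up. As an added example (not code from the article or from Symantec), the following Python script shows how a defender might sweep a process or image inventory, such as Sysmon Event ID 1 exports or an EDR process list, for the two signs described: executables staged under the Oracle-branded folder in All Users\Application Data (which is a junction to ProgramData on Vista and later), and well-known binary names such as lsass.exe, smss.exe, taskmgr.exe and chrome.exe running from anywhere other than their legitimate directory. The allowlist of expected directories and the sample inventory are assumptions constructed for the example.

```python
"""Hunt for Trojan.Laziok-style masquerading in a process/image inventory.

Added example, not Symantec's or The Stack's code. Input is a list of image
paths as they would appear in a Sysmon Event ID 1 or EDR process export.
"""
import ntpath
from typing import Iterable

# Allowlist of legitimate parent directories, lower-cased. This is an
# assumption for the example: extend it for your estate (for instance
# per-user Chrome installs under %LOCALAPPDATA%) before relying on it.
EXPECTED_DIRS = {
    "lsass.exe": ("c:\\windows\\system32",),
    "smss.exe": ("c:\\windows\\system32",),
    "taskmgr.exe": ("c:\\windows\\system32",),
    "chrome.exe": (
        "c:\\program files\\google\\chrome\\application",
        "c:\\program files (x86)\\google\\chrome\\application",
    ),
}

# Directory fragments taken from the paths quoted in the article. The
# "Documents and Settings\All Users\Application Data" form is the XP-era
# layout; on Vista and later the same location lives under ProgramData,
# so both tails are matched rather than a single full prefix.
STAGING_TAILS = (
    "\\application data\\system\\oracle\\",
    "\\programdata\\system\\oracle\\",
)


def normalize(path: str) -> str:
    """Lower-case and collapse forward slashes so comparisons are stable."""
    return path.replace("/", "\\").lower()


def check_image(path: str) -> list[str]:
    """Return the reasons (possibly none) that one image path looks suspicious."""
    p = normalize(path)
    directory, name = ntpath.split(p)
    reasons = []
    if any(tail in p for tail in STAGING_TAILS):
        reasons.append("staged under System\\Oracle in All Users\\Application Data")
    expected = EXPECTED_DIRS.get(name)
    if expected is not None and directory not in expected:
        reasons.append(f"{name} running outside its expected directory")
    return reasons


def find_suspicious(images: Iterable[str]) -> list[tuple[str, list[str]]]:
    """Run check_image over an inventory and keep only the entries with findings."""
    hits = []
    for image in images:
        reasons = check_image(image)
        if reasons:
            hits.append((image, reasons))
    return hits


# Constructed sample inventory: two legitimate entries followed by three that
# follow the staging and masquerading pattern described in the article.
SAMPLE_IMAGES = [
    "C:\\Windows\\System32\\lsass.exe",
    "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe",
    "C:\\Documents and Settings\\All Users\\Application Data\\System\\Oracle\\azioklmpx\\lsass.exe",
    "C:\\ProgramData\\System\\Oracle\\azioklmpx\\search.exe",
    "C:\\Users\\Public\\taskmgr.exe",
]

if __name__ == "__main__":
    for image, reasons in find_suspicious(SAMPLE_IMAGES):
        print(image)
        for reason in reasons:
            print("   -", reason)
```

Note that the second rule is the more durable one: the folder name can change between campaigns, but a process called lsass.exe or smss.exe that is not loaded from System32 is suspicious regardless of which family placed it there, so the allowlist is worth maintaining on its own.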

