
Middle-Eastern energy firms targeted with reconnaissance Trojan


Jasper_The_Rasper
Moderator
Posted on 31.03.2015
 
"The initial infection vector involves the use of spam emails coming from the moneytrans[.]eu domain, which acts as an open relay Simple Mail Transfer Protocol (SMTP) server. These emails include a malicious attachment packed with an exploit for the Microsoft Windows Common Controls ActiveX Control Remote Code Execution Vulnerability (CVE-2012-0158)," Symantec's Christian Tripputi explained.

The attachment - an Excel file - would execute the exploit code for the aforementioned vulnerability, and drop a new reconnaissance Trojan with dropper capabilities: Laziok.

The Laziok Trojan would first collect system configuration data: computer name, RAM size, HD size, GPU and CPU details, list of installed software, and especially installed AV software.
 
Full Article


Jasper_The_Rasper
Moderator
By Ionut Ilascu, 31 Mar 2015
 
 
Custom builds of Cyberat and Zbot sent to attractive targets
 
A new piece of malicious software designed for stealing information has been discovered by security researchers to be used in reconnaissance operations against companies related to the energy sector across the world.
 
The freshly found stealer, dubbed Laziok, has been observed in campaigns running between January and February, in attacks that focused mostly on targets in the Middle East.
 
Custom malware funneled from servers in the US, UK or Bulgaria

Its purpose, according to security researchers from Symantec, is to collect information about the infected systems, the details being useful for the threat actor, allowing them to decide the best course of the operation.
Full Article
 
 

By Lucian Constantin
 

The Trojan program is used for reconnaissance and distribution of additional malware, researchers from Symantec say.

 
A new malware program is being used to do reconnaissance for targeted attacks against companies in the energy sector.
The program, dubbed Trojan.Laziok by researchers from antivirus vendor Symantec, was used in spear-phishing attacks earlier this year against companies from the petroleum, gas and helium industries.
The attacks targeted companies from many countries in the Middle East, but also from the U.S., India, the U.K., and others, according to malware researchers from Symantec.
The Trojan is spread via emails with malicious documents that exploit a Microsoft Office vulnerability for which a patch has existed since April 2012.
 
full article

By Brian Prince on March 31, 2015
 
Researchers at Symantec have observed a sophisticated, multi-stage attack campaign focused on energy companies in the Middle East.
First observed between January and February, the attack campaign was spotted using a new piece of malware dubbed 'Laziok', which Symantec has classified as a reconnaissance tool and an information stealer. The attacks are focused on the petroleum, gas and helium industries, with by far the largest percentage of victims (25 percent) being located in the United Arab Emirates. Saudi Arabia, Pakistan and Kuwait account for 10 percent apiece of the Laziok infections detected by Symantec. Five percent of the infections occurred in the United States.
"The initial infection vector involves the use of spam emails coming from the moneytrans[.]eu domain, which acts as an open relay Simple Mail Transfer Protocol (SMTP) server," blogged Symantec Security Response Manager Christian Tripputi. "These emails include a malicious attachment packed with an exploit for the Microsoft Windows Common Controls ActiveX Control Remote Code Execution Vulnerability (CVE-2012-0158). This vulnerability has been exploited in many different attack campaigns in the past, such as Red October."
 
full article
