Laziok

By GoldSparrow in Trojans

A new malicious threat that targets oil and gas companies has been discovered by security experts. Its name is Laziok, and it is a Trojan. Laziok is reconnaissance malware that penetrates the system and exfiltrates valuable information. Attacks by the Laziok Trojan were prevalent in January and February of 2015. The Laziok Trojan gained access via a spam email attachment. This malware targeted mainly companies with connections to the petroleum, gas and helium industries.

Laziok Method of Propagation

Like in the epic poem by Homer, the Laziok Trojan infiltrates systems in a very deceptive manner. It all starts with a large number of spam emails coming from the moneytrans.eu domain. The contents of these spam emails include an attachment, most often a Microsoft Excel document. It's in this document that the Laziok malware hides, biding its time. By exploiting the Microsoft Windows Common Controls ActiveX Control Remote Code Execution Vulnerability (CVE-2012-0158), the malware gains access to the system.

It should be noted that this exact vulnerability was already addressed by Microsoft three years ago, in 2012. Judging by this fact, it may seem that the group behind this attack is not on the cutting edge of hacking, using a three-year-old exploit. However, it should be noted that a lot of the systems they targeted seemed to be lacking the updates that would patch the vulnerability in their operating system, and therefore were left open to the attack.

This vulnerability, in particular, has already been exploited by several malware campaigns in the past, taking advantage of the flaw present in Microsoft Office versions 2003 through 2010. Primary targets of this particular malicious push were energy companies from all over the world, with a somewhat obvious emphasis on the Middle East. The Arab Emirates were affected the most by Laziok, at a 25% overall infection rate, followed by Saudi Arabia (20%), Pakistan (10%) and Kuwait (10%). Countries like Qatar, India, the UK and the US were also afflicted, however, to a lower extent. As the energy business is one of the most profitable, if not the most profitable, the attackers went after the countries with the largest share of it.

Laziok's Activity and Goals

Once successfully inside, the Laziok Trojan takes residence in the %SystemDrive%\Documents and Settings\All Users\Application Data\System\Oracle directory. To make matters worse, Laziok creates new folders and renames itself to such inconspicuous names as ati.exe, taskmgr.exe, chrome.exe, key.exe, among others. Afterwards, the Laziok Trojan starts its "job" by thoroughly inspecting the configuration of the computer it has found its way into. The information it collects includes:

  • Computer Name
  • CPU information
  • GPU information
  • RAM size and type
  • Installed Software (including Anti-virus applications)
  • Hard disk size and type
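A defender-side check for the persistence directory and the look-alike file names described above, added here as an example that is not part of the original write-up. The "pid,name,path" listing format and the expected home directories for taskmgr.exe and chrome.exe are assumptions; adjust them to the images in your estate.

```python
import csv
import io
from pathlib import PureWindowsPath

# Persistence location and file names reported for Laziok in the write-up above
# (drive letter omitted so the check works for any %SystemDrive%).
LAZIOK_DIR = r"\Documents and Settings\All Users\Application Data\System\Oracle"

# Assumed (hypothetical) legitimate homes for the look-alike names Laziok uses.
EXPECTED_DIRS = {
    "taskmgr.exe": {r"\Windows\System32"},
    "chrome.exe": {r"\Program Files\Google\Chrome\Application",
                   r"\Program Files (x86)\Google\Chrome\Application"},
}


def _norm_dir(path):
    """Lower-case a Windows directory and drop its drive letter / root anchor."""
    p = PureWindowsPath(path)
    parts = p.parts[1:] if p.anchor else p.parts
    return "\\" + "\\".join(part.lower() for part in parts)


def classify(image_path):
    """Return a reason string if the image path looks like Laziok, else None."""
    p = PureWindowsPath(image_path)
    name = p.name.lower()
    directory = _norm_dir(str(p.parent))
    if directory == _norm_dir(LAZIOK_DIR):
        return "executable in Laziok persistence directory"
    expected = EXPECTED_DIRS.get(name)
    if expected and directory not in {_norm_dir(d) for d in expected}:
        return "look-alike name running outside its expected directory"
    return None


def scan(listing):
    """Parse a constructed 'pid,name,path' listing and return flagged rows."""
    hits = []
    for row in csv.DictReader(io.StringIO(listing)):
        reason = classify(row["path"])
        if reason:
            hits.append((int(row["pid"]), row["path"], reason))
    return hits


# Constructed sample process listing: two legitimate rows, three suspicious ones.
SAMPLE_LISTING = r"""pid,name,path
412,taskmgr.exe,C:\Windows\System32\taskmgr.exe
2260,taskmgr.exe,C:\Documents and Settings\All Users\Application Data\System\Oracle\taskmgr.exe
2304,chrome.exe,C:\Program Files\Google\Chrome\Application\chrome.exe
2390,ati.exe,C:\Documents and Settings\All Users\Application Data\System\Oracle\ati.exe
2401,chrome.exe,C:\Users\Public\chrome.exe
"""

if __name__ == "__main__":
    for pid, path, reason in scan(SAMPLE_LISTING):
        print(f"{pid}\t{reason}\t{path}")
```

The first rule catches anything dropped into the reported directory regardless of name; the second catches the renamed copies even if the attacker moves the drop folder, since a real taskmgr.exe or chrome.exe should not run from user-writable locations.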

As soon as the Laziok Trojan collects all of the information mentioned above, it sends the data back to the hackers who initiated the attack. Once the information has been received, the attackers take one of two routes, depending on the data received:

  1. Should the data be deemed valuable and the infected system worthy of interest and further compromise, the attackers dispatch additional malicious software. In this case, it is modified versions of the Backdoor.Cyberat and Trojan.Zbot. These malware threats are explicitly custom-fit to the system they are attacking. The bulk of these threats is downloaded from servers located in the UK, US and Bulgaria.
  2. If the system is not considered a valuable target by the hackers, all Laziok activities are suspended, and no further infection with malware is enacted.

The Laziok Trojan is a devious malware that is used as a recon "unit" when infiltrating systems. The fact that it targets only companies with ties to the petrol, gas and helium industries is something of a relief to the regular Internet user. However, this can be interpreted as a warning to the Internet user base in general. Because the Laziok Trojan gains access to the system through spam email attachments, users should take care when opening emails from unknown sources, especially if they have files attached.

Even though the Laziok Trojan is not as sophisticated as some of the other malicious software offerings out there, it goes to show that when it comes to Internet security, you should never let your guard down. An up-to-date system and anti-spyware software are a must in our day and age.
