Custom builds of Cyberat and Zbot sent to attractive targets

Mar 31, 2015 10:20 GMT

A new piece of information-stealing malware has been found by security researchers being used in reconnaissance operations against companies in the energy sector around the world.

The freshly found stealer, dubbed Laziok, has been observed in campaigns running between January and February, in attacks that focused mostly on targets in the Middle East.

Custom malware funneled from servers in the US, UK or Bulgaria

Its purpose, according to security researchers from Symantec, is to collect information about infected systems; those details help the threat actor decide the best course for the operation.

In the initial stage of infection, Laziok gathers configuration data to determine whether the compromised computer is of interest to the attacker.

If the system is not attractive, the infection stops; otherwise Laziok delivers additional malware (custom variants of Cyberat and Zbot) with different functionality, downloaded from servers in the US, UK and Bulgaria.

The data initially collected by the threat includes the name of the computer, the software installed, RAM and hard disk size, GPU and CPU details and the antivirus solution available.

Most infections detected in the United Arab Emirates

“During the course of our research, we found that the majority of the targets were linked to the petroleum, gas and helium industries, suggesting that whoever is behind these attacks may have a strategic interest in the affairs of the companies affected,” Symantec security response manager Christian Tripputi writes in a blog post on Monday.

From the telemetry data provided by the security company, the most affected region is the United Arab Emirates, which reported 25% of the infections.

Other countries of interest to the attacker, judging by the number of detections, are Pakistan, Saudi Arabia and Kuwait, each accounting for 10% of total infections.

Laziok has also been reported on systems in Qatar, Oman, the US, the UK, India, Indonesia, Colombia, Cameroon and Uganda.

No need for new tricks when old ones still work

Tripputi says that the initial attack vector is an email purporting to come from the moneytrans[.]eu domain, which is used as the outgoing (SMTP) server.

The messages have attached a malicious Excel file with an exploit for CVE-2012-0158, a buffer overflow security glitch in the ListView / TreeView ActiveX controls in the MSCOMCTL.OCX library that allows remote code execution.

The vulnerability has been leveraged in several malicious campaigns in the past and affects Microsoft Office versions 2003 through 2010.
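As an added illustration of how a mail gateway could be screened for the delivery pattern described above (this is example code, not Symantec's or the article's; the log format, field names and addresses are constructed for the demonstration):

```python
import re
# Constructed mail-gateway log format (assumed for this example, not any real product's):
# <timestamp> id=<msgid> from=<envelope sender> to=<recipient> attach=<name>|<name>...
LOG_RE = re.compile(
    r"^(?P<ts>\S+) id=(?P<id>\S+) from=(?P<sender>\S+) to=(?P<rcpt>\S+) attach=(?P<attach>\S*)$"
)
# Office document extensions that can carry a CVE-2012-0158 exploit (the article names Excel).
OFFICE_EXTS = (".xls", ".xlsx", ".doc", ".docx", ".rtf")

def refang(domain):
    """Turn a defanged indicator such as moneytrans[.]eu into a matchable domain."""
    return domain.replace("[.]", ".").lower()

def sender_domain(addr):
    return refang(addr.rsplit("@", 1)[-1]) if "@" in addr else ""

def parse_line(line):
    m = LOG_RE.match(line.strip())
    if not m:
        return None  # unrecognised line: skip rather than guess
    rec = m.groupdict()
    rec["attach"] = [a for a in rec["attach"].split("|") if a]
    return rec

def flag_messages(lines, watch_domains, exts=OFFICE_EXTS):
    """Return (msgid, reason) pairs. A watched sender domain plus an Office
    attachment is the high-priority pattern; a domain-only hit is still listed
    so an analyst can review it."""
    watched = {refang(d) for d in watch_domains}
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        dom_hit = sender_domain(rec["sender"]) in watched
        office = [a for a in rec["attach"] if a.lower().endswith(exts)]
        if dom_hit and office:
            hits.append((rec["id"], "watched-domain+office-attachment"))
        elif dom_hit:
            hits.append((rec["id"], "watched-domain"))
    return hits

# Constructed sample log lines (not real telemetry); addresses use the .test TLD.
SAMPLE_LOG = """\
2015-02-03T09:12:44Z id=m001 from=billing@moneytrans[.]eu to=ops@example.test attach=invoice.xls
2015-02-03T09:13:01Z id=m002 from=hr@example.test to=ops@example.test attach=policy.pdf
2015-02-03T09:15:27Z id=m003 from=noreply@moneytrans[.]eu to=cfo@example.test attach=
2015-02-03T09:16:02Z id=m004 from=partner@supplier.test to=ops@example.test attach=report.xlsx
""".splitlines()
```

Running `flag_messages(SAMPLE_LOG, ["moneytrans[.]eu"])` reports m001 as the high-priority match and m003 as a domain-only hit; a sender-domain watchlist alone is a weak signal, so the attachment check is what raises priority.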

According to the researchers, although the threat actor relies on unsophisticated methods and tools that are well known on the underground market, the risk posed is not negligible, since systems often remain unpatched against old flaws and so stay susceptible to unsophisticated attacks.