New Malware Trojan.Laziok Targets to Attack Energy Companies - BestCyberNews: Online News Presenter in the present world


New Malware Trojan.Laziok Targets to Attack Energy Companies

A new targeted attack campaign has been observed against energy companies around the world, with a focus on the Middle East. The campaign uses a new information stealer, detected by Symantec as Trojan.Laziok.
Trojan.Laziok acts as a reconnaissance tool that scours infected computers for data including machine name, installed software, RAM size, hard disk size, GPU details, CPU details, and installed antivirus software.


The collected information is then sent to the attackers. Once the attackers have received the system configuration data, including details of any installed antivirus software, they infect the computer with additional malware.

In this campaign, the attackers distributed customized copies of Backdoor.Cyberat and Trojan.Zbot which are specifically tailored for the compromised computer’s profile. We observed that the threats were downloaded from a few servers operating in the US, UK, and Bulgaria.
The Trojan hides itself in the %SystemDrive%\Documents and Settings\All Users\Application Data\System\Oracle directory, making new folders and renaming itself with well-known file names such as:

  • %SystemDrive%\Documents and Settings\All Users\Application Data\System\Oracle\azioklmpx\search.exe
  • %SystemDrive%\Documents and Settings\All Users\Application Data\System\Oracle\azioklmpx\ati.exe
  • %SystemDrive%\Documents and Settings\All Users\Application Data\System\Oracle\azioklmpx\lsass.exe
  • %SystemDrive%\Documents and Settings\All Users\Application Data\System\Oracle\azioklmpx\smss.exe
  • %SystemDrive%\Documents and Settings\All Users\Application Data\System\Oracle\azioklmpx\admin.exe
  • %SystemDrive%\Documents and Settings\All Users\Application Data\System\Oracle\azioklmpx\key.exe
  • %SystemDrive%\Documents and Settings\All Users\Application Data\System\Oracle\azioklmpx\taskmgr.exe
  • %SystemDrive%\Documents and Settings\All Users\Application Data\System\Oracle\azioklmpx\chrome.exe
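As an added example (not code from the article or from Symantec), the following Python check flags file paths that fall under the staging directory listed above, or that carry one of the borrowed system-binary names outside the directory where that binary normally lives. The sample inventory is constructed, and the expected locations of those binaries are this example's assumption, not something the article states.

```python
import ntpath

# Hiding directory named in the article (lower-cased, drive prefix stripped).
LAZIOK_DIR = r"documents and settings\all users\application data\system\oracle"

# Assumed legitimate directories for the well-known names the Trojan borrows
# (an assumption of this example, not from the article).
EXPECTED_DIRS = {
    "lsass.exe": [r"windows\system32"],
    "smss.exe": [r"windows\system32"],
    "taskmgr.exe": [r"windows\system32"],
    "chrome.exe": [r"program files\google\chrome\application",
                   r"program files (x86)\google\chrome\application"],
}

def normalize(path: str) -> str:
    """Lower-case, drop the drive letter or %SystemDrive%, use backslashes."""
    p = path.strip().replace("/", "\\").lower()
    if p.startswith("%systemdrive%"):
        p = p[len("%systemdrive%"):]
    elif len(p) > 1 and p[1] == ":":
        p = p[2:]
    return p.lstrip("\\")

def classify(path: str) -> str:
    """Verdict for one path: 'laziok-dir', 'masquerade' or 'ok'."""
    directory, name = ntpath.split(normalize(path))
    if directory.startswith(LAZIOK_DIR):
        return "laziok-dir"
    if name in EXPECTED_DIRS and directory not in EXPECTED_DIRS[name]:
        return "masquerade"
    return "ok"

def scan(paths):
    """Return (verdict, path) for every path that is not 'ok'."""
    verdicts = ((classify(p), p) for p in paths)
    return [(v, p) for v, p in verdicts if v != "ok"]

# Constructed sample inventory (e.g. from a file listing); not real telemetry.
SAMPLE_PATHS = [
    r"C:\Windows\System32\lsass.exe",
    r"C:\Documents and Settings\All Users\Application Data\System\Oracle\azioklmpx\lsass.exe",
    r"C:\Users\bob\AppData\Local\Temp\taskmgr.exe",
    r"C:\Program Files\Google\Chrome\Application\chrome.exe",
]

if __name__ == "__main__":
    for verdict, path in scan(SAMPLE_PATHS):
        print(f"{verdict:10s} {path}")
```

The masquerade rule is intentionally broad: a copy of a system binary in a temp or profile directory is worth triage whether or not it belongs to this campaign.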

The majority of targets are linked to the petroleum, gas and helium industries. The UAE, Pakistan, Saudi Arabia and Kuwait are most often targeted, but businesses in the US and UK have also experienced attacks.

The initial infection vector involves spam emails sent from the moneytrans.eu domain, which acts as an open-relay Simple Mail Transfer Protocol (SMTP) server. These emails carry a malicious attachment packed with an exploit for the Microsoft Windows Common Controls ActiveX Control Remote Code Execution Vulnerability (CVE-2012-0158).

This vulnerability has been exploited in many different attack campaigns in the past, such as Red October. Symantec and Norton products had protection in place against these exploits at the time of the targeted attack, under the detection names Bloodhound.Exploit.457 and Web Attack: Microsoft Common Controls CVE-2012-0158.

The group behind the attack does not seem to be particularly advanced, as they exploited an old vulnerability and used their attack to distribute well-known threats that are available in the underground market.

Author: Venkatesh Yalagandula