A new Trojan-based campaign is targeting energy companies around the world in an effort to gain access to sensitive information.
Most of the targeted companies are linked to the petroleum, gas and helium industries in the Middle East, including the UAE, Pakistan, Saudi Arabia and Kuwait. However, businesses in the US and UK have also been targeted.
The malware, known as Trojan.Laziok, acts as a reconnaissance tool, allowing attackers to gather information on the compromised devices in order to decide how to proceed with the attack.
“The initial infection vector involves the use of spam emails coming from the moneytrans[.]eu domain, which acts as an open relay Simple Mail Transfer Protocol (SMTP) Server,” explained Symantec security response manager Christian Tripputi in a blog post.
These emails include a malicious attachment, typically an Excel file, containing exploit code for the Microsoft Windows Common Controls ActiveX Control Remote Code Execution Vulnerability (CVE-2012-0158). If the recipient opens the infected file, the exploit code is executed.
Tripputi adds that the Trojan hides itself in the %SystemDrive%\Documents and Settings\All Users\Application Data\System\Oracle directory, making new folders and renaming itself with other well-known file names, such as search.exe and admin.exe.
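A defender can turn the directory and file names above into a triage check over process-creation records. The following is an added example, not code from Symantec or the original article; the log format, host names and the ProgramData equivalent of the legacy path are assumptions, and the sample records are constructed.

```python
import re
from pathlib import PureWindowsPath

# Directory from the article, relative to the system drive, lowercased.
LEGACY_DIR = r"documents and settings\all users\application data\system\oracle"
# Assumption added here: on Windows Vista and later, junctions resolve that
# legacy path to ProgramData, so logs may record this form instead.
MODERN_DIR = r"programdata\system\oracle"
# The article lists these as examples only ("such as"), so other names in the
# directory are still reported, at lower confidence.
KNOWN_NAMES = {"search.exe", "admin.exe"}


def classify(image_path):
    """Return 'known-name', 'in-directory' or None for one executable path."""
    raw = image_path.strip().strip('"').replace("/", "\\")
    raw = re.sub(r"%systemdrive%", "C:", raw, flags=re.IGNORECASE)
    path = PureWindowsPath(raw)
    if not path.root:  # relative path: cannot place it under the drive root
        return None
    # Drop the drive, compare the parent directory case-insensitively.
    parent = "\\".join(part.lower() for part in path.parent.parts[1:])
    for base in (LEGACY_DIR, MODERN_DIR):
        # The Trojan makes new folders, so subdirectories count as well.
        if parent == base or parent.startswith(base + "\\"):
            return "known-name" if path.name.lower() in KNOWN_NAMES else "in-directory"
    return None


def scan(lines):
    """Parse 'timestamp,host,image_path' lines and return the flagged ones."""
    hits = []
    for line in lines:
        _ts, host, image = line.split(",", 2)
        verdict = classify(image)
        if verdict:
            hits.append((host, verdict))
    return hits


# Constructed process-creation records (hypothetical hosts, not real telemetry).
SAMPLE = [
    r"2015-04-01T09:12:44Z,WS-0143,C:\Documents and Settings\All Users\Application Data\System\Oracle\search.exe",
    r"2015-04-01T09:13:02Z,WS-0207,c:\programdata\system\oracle\newfolder\ADMIN.EXE",
    r"2015-04-01T09:14:10Z,WS-0207,%SystemDrive%\ProgramData\System\Oracle\updater.exe",
    r"2015-04-01T09:15:31Z,WS-0310,C:\Program Files\Oracle\admin.exe",
    r"2015-04-01T09:16:05Z,WS-0310,C:\Windows\System32\SearchIndexer.exe",
]
```

The fourth sample record shows why the file name alone is not used as a signal: admin.exe outside the named directory is not flagged.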
In the reconnaissance process, Trojan.Laziok is known to collect system configuration data, including installed antivirus software, which is then sent to attackers.
Additional malware payloads may then be delivered back to the compromised systems, which can cause damage to networks or attempt to exfiltrate other valuable data.
According to Tripputi, the group behind the attack does not seem to be particularly advanced, as they exploited an old vulnerability and used their attack to distribute well-known threats that are available in the underground market.
Nonetheless, thousands of vulnerabilities go unpatched and cybercriminals are well aware of the opportunities this may bring.
“From the attacker’s perspective, they don’t always need to have the latest tools at their disposal to succeed. All they need is a bit of help from the user and a lapse in security operations through the failure to patch.”
“Whoever is behind these attacks may have a strategic interest in the affairs of the companies affected,” said Tripputi.