Infostealer Laziok targets energy companies
Symantec researchers wrote in a Monday blog post that the malware is being used to target energy sector companies, primarily in the Middle East.
Energy sector companies based in the Middle East are the most recent targets of a reconnaissance campaign aimed at infecting systems to gather information about companies' inner workings, according to Symantec researchers.
In a blog post on the attacks, the researchers state that the majority of attacks targeted the petroleum, gas and helium industries, and that United Arab Emirates-based companies accounted for a quarter of attack attempts. Saudi Arabia, Kuwait and Pakistan each accounted for 10 percent, while U.S. and U.K. targets accounted for five percent each.
The attack begins with a spear phishing email containing an Excel document packaged with an exploit for Microsoft Windows Common Controls ActiveX (CVE-2012-0158), a vulnerability that has already been patched. If opened, the attachment drops Trojan.Laziok, which then begins collecting system configuration data.
Collected information can include a computer name, installed software, antivirus software on the computer, and RAM size, among other things.
After gaining this information, the attackers customize their attack based on what antivirus software is installed and deploy additional malware, either Backdoor.Cyberat or Trojan.Zbot.
At this point, Satnam Narang, senior security response manager at Symantec, said in an interview with SCMagazine.com that the culprits are hard to discern, but he did acknowledge that this iteration of the attacks has been going on since January or February.
Symantec's post noted that these unknown attackers aren't exercising an extremely sophisticated campaign, especially considering the vulnerability exploited is old and already patched.
“Zero-days are the crown jewel, so to speak,” Narang said. “But exploiting vulnerabilities that have already been patched is very common. It continues because it works.”
Patched systems, in this case, would dismantle the attackers' campaign and keep them out of networks, the post stated.