Symantec researchers recently uncovered a multi-stage targeted attack campaign that leverages new information stealing malware called Trojan.Laziok to hit energy companies worldwide, with a focus on the Middle East.
One in four targets, Symantec found, are in the United Arab Emirates, 10 percent are in Saudi Arabia, 10 percent in Kuwait, and 10 percent in Pakistan.
“During the course of our research, we found that the majority of the targets were linked to the petroleum, gas and helium industries, suggesting that whoever is behind these attacks may have a strategic interest in the affairs of the companies affected,” Symantec security response manager Christian Tripputi wrote in a blog post detailing the threat.
The attacks are launched via spam emails coming from the domain moneytrans[dot]eu. Those emails contain an attached Excel file, which executes exploit code targeting a ActiveX vulnerability that’s been used in several other attacks, including the Red October campaign uncovered back in January 2013.
If the exploit is successful, it infects the computer with Trojan.Laziok, which first collects system configuration data and uploads it to the attackers, then downloads additional malware, including customized versions of Backdoor.Cyberat and Trojan.Zbot.
“The group behind the attack does not seem to be particularly advanced, as they exploited an old vulnerability and used their attack to distribute well-known threats that are available in the underground market,” Tripputi wrote. “However, many people still fail to apply patches for vulnerabilities that are several years old, leaving themselves open to attacks of this kind.”
Adam Kujawa, head of malware intelligence at Malwarebytes Labs, told eSecurity Planet by email that the attack clearly demonstrates the importance of updating all software as often as possible. “The attackers utilized an older method of attack,” he said. “This isn’t a new vulnerability they are going after and they really aren’t using any kind of novel method of infection.”
“In reality, their attack is simple and outdated, however for organizations that fail to follow basic security guidelines like updating software running on a secure system, it’s a huge problem that can cost them dearly,” he added.
It’s also worth noting, Kujawa said, that the malware identifies and reports system configuration data. “This has been seen for a while in everything from malware to exploits, but is never super common when talking about in-the-wild malware,” he said. “In reality, we even see drive-by exploits that try to identify browsers, operating systems and vulnerable applications before launching any kind of attack, just to make sure that the target is confirmed, that the attack will be successful and that the attack goes undetected for as long as possible.”
“Our world is full of people using devices, be it PCs or smartphones, so the old methods of just launching an attack and trying to catch as many users as possible is no longer effective and certainly not efficient,” Kujawa added.