Cyber-Attacks Target Energy FirmsAlthough Focus is Middle East, Trojan Hitting Many Nations
Information security researchers at Symantec warn they have discovered reconnaissance malware, dubbed "Trojan.Laziok," that appears to have been designed to target the energy sector. Researchers say the malware has been distributed via spear-phishing campaigns, and has been successfully exploiting systems using a Windows vulnerability that was discovered and patched by Microsoft in 2012.
See Also: Threat Briefing: Ransomware
"Between January and February , we observed a multi-staged, targeted attack campaign against energy companies around the world, with a focus on the Middle East," says Symantec security response manager Christian Tripputi in a blog post. The Laziok malware "acts as a reconnaissance tool allowing the attackers to gather data about the compromised computers."
Laziok - also known as Dynamer!ac and Fsysna - was first discovered in November 2014. According to anti-virus testing service VirusTotal, 41 out of 56 different anti-virus engines tested are now spotting the latest version of Laziok.
Symantec did not reveal the number of systems that were successfully infected with Laziok. But it says the majority of targeted firms are in the natural gas, petroleum and helium industries, which suggests corporate espionage on the part of competitors, nation states or mercenaries.
"We believe the malware noted by Symantec is a purchasable suite known as Kraken. It is offered in underground markets and used to start and maintain a botnet," threat-intelligence firm iSight Partners says in a research note. "The malware suite could be used by actors with varying motivations, including criminal and espionage-related operations."
Based on the attack infrastructure and Trojans seen by Symantec, the greatest number of PCs targeted in this campaign were in the United Arab Emirates (25 percent of all targeted PCs), followed by Kuwait, Pakistan and Saudi Arabia, which each accounted for about 10 percent of all targets. Meanwhile, PCs in Cameroon, Columbia, India, Indonesia, Oman, Qatar, Uganda, the United Kingdom and the United States each accounted for about 5 percent of all targets.
2012 Windows Flaw Targeted
The Laziok attack campaign proceeds via two stages: First, the attackers have been sending spam emails - which to date have come from the moneytrans.eu domain - that have a malicious attachment, Symantec says, noting that most of the attachments have been Excel files. If the user opens the attachment, the malware attempts to exploit a critical Windows vulnerability in ActiveX, CVE-2012-0158, that can be used to remotely execute code.
That Windows bug was discovered - and patched - by Microsoft in 2012, and affected multiple versions of Microsoft Office and SQL Server, among other products. According to Microsoft, the flaw cannot be automatically exploited, but instead requires some degree of user interaction, or else tricking users into visiting a malicious website that launches a related drive-by attack.
Malware Studies Infected PCs
If the Laziok malware successfully infects a system, it gathers a variety of details, including the computer name, and generates a list of installed software - including anti-malware programs - as well as catalogs the RAM and hard disk sizes, and GPU and CPU details, according to technical teardowns of the malware published by multiple security firms. The collected information then gets transmitted to attackers, who appear to be reviewing that data to decide whether to continue the attack or call it off, Symantec's Tripputi says.
If the attackers proceed with the attack, the second stage involves using Laziok to install off-the-shelf malware - relayed via U.S., U.K. and Bulgaria-based servers - that's been customized for the infected system. Symantec's Tripputi says the customized malware seen to date has included copies of the notorious banking Trojan Zeus - a.k.a. Zbot crimeware toolkit - and the backdoor software known as Cyberat. Both types of malware are built to infect any type of Windows system, and they can also be used as "loaders" to download and install additional types of malware.
Zeus dates from 2010 - although its source code was leaked in 2011, spawning numerous spinoffs. It's designed to steal banking and other personal credentials from infected PCs. Meanwhile, Cyberat, which was first discovered in 2013, can adjust files, capture live audio, record video via the built-in webcam, log keystrokes as well as give attackers direct access to the system.
Old Bugs Still Bite
The energy-sector attack campaign demonstrates how most attackers prioritize using the minimum time, effort and attack-tool sophistication required to get the job done, security experts say. "The group behind the attack does not seem to be particularly advanced, as they exploited an old vulnerability and used their attack to distribute well-known threats that are available in the underground market," Tripputi says. But if businesses fail to patch, that means attackers don't have to employ a scarce - and expensive - zero-day exploit. "From the attacker's perspective, they don't always need to have the latest tools at their disposal to succeed. All they need is a bit of help from the user and a lapse in security operations through the failure to patch," he says.
Philip Lieberman, president of identity and access management software vendor Lieberman Software, says this energy-sector attack campaign highlights "the lack of general preparation of cyberdefense teams in many areas of the oil and gas industry worldwide," which should be blocking these types of exploits outright. "This attack exploits an apparently well-known lack of investment by the oil and gas industry in keeping their Microsoft Office software up to date," he says. "The attack also exhibits sophistication in their targeting of a specific industry - [having a] good email list - as well as an inventory of secondary infection tools."
Red October Redux?
From a bug-targeting standpoint, the same Windows flaw targeted by Laziok has been previously targeted by crimeware toolkits and advanced persistent threat attackers. In particular, the sophisticated Red October APT attacks against diplomatic and government agencies, which began in 2007, also targeted the flaw.
The Red October attacks ceased in January 2013, after Moscow-based anti-virus vendor Kaspersky Lab publicly detailed the attack campaign. But then attacks appeared to resurface in August 2014 with the Cloud Atlas campaign. But it's not clear if Laziok is related in any way to the Red October gang, which security firm Blue Coat said pursued targets that were "located in Russia or related to Russian interests."