Researchers at Symantec have observed that a relatively new data exfiltration software has been put to service in a winter campaign against energy companies in the Middle East.
In a blog post Symantec’s Christian Tripputi reveals that Symantec observed a ‘multi-staged, targeted attack campaign’ against energy companies around the world, between January and February this year – with a distinct emphasis on the Middle East.
Though the central malware has been dubbed ‘Trojan.Laziok’ by Symantec, In fact the Laziok Trojan has been identified and addressed before, with uninstall information widely available at various sites – and would appear to have been picked up as a campaign tool by as-yet unknown actors seeking sensitive information from the energy sector.
Tripputi says “The detailed information enables the attacker to make crucial decisions about how to proceed further with the attack, or to halt the attack. During the course of our research, we found that the majority of the targets were linked to the petroleum, gas and helium industries, suggesting that whoever is behind these attacks may have a strategic interest in the affairs of the companies affected,”
The attack begins with spam emails from the moneytrans[.]eu domain. The mails contain an exploit for the Microsoft Windows Common Controls ActiveX Control Remote Code Execution Vulnerability (CVE-2012-0158),which is executed if the recipient opens the infected Microsoft Excel file attached to the mail.
After this the running Trojan heads straight for Settings\All Users\Application Data\System\Oracle, and creates apparently innocuous folder names to hide copies of itself in. During the process it will also rename itself to hide under the Oracle brand in file listings and the running processes list. Some of the identified refuges are:
%SystemDrive%\Documents and Settings\All Users\Application Data\System\Oracle\azioklmpx\search.exe
%SystemDrive%\Documents and Settings\All Users\Application Data\System\Oracle\azioklmpx\ati.exe
%SystemDrive%\Documents and Settings\All Users\Application Data\System\Oracle\azioklmpx\lsass.exe
%SystemDrive%\Documents and Settings\All Users\Application Data\System\Oracle\azioklmpx\smss.exe
%SystemDrive%\Documents and Settings\All Users\Application Data\System\Oracle\azioklmpx\admin.exe
%SystemDrive%\Documents and Settings\All Users\Application Data\System\Oracle\azioklmpx\key.exe
%SystemDrive%\Documents and Settings\All Users\Application Data\System\Oracle\azioklmpx\taskmgr.exe
%SystemDrive%\Documents and Settings\All Users\Application Data\System\Oracle\azioklmpx\chrome.exe
After this Trojan.Laziok initiates reconnaissance, initially collecting config data for the infected machine. The data includes the computer’s name, installed software, hard disk and RAM configurations, GPU and CPU details and any antivirus software that may be attempting to protect the machine.
Having received this data from the Trojan, attackers at C&C additionally infect the host computer with bespoke copies of Trojan.Zbot and Backdoor.Cyberat – possibly the only custom-built software that the victim will have on their PC. The latter is a Remote Administration Tool, granting the controlling actor absolute control over the infected machine, whilst Zbot specifically targets confidential information, including online banking details – however Zbot is a versatile and configurable tool which will have been delivered to the energy companies with specific objectives for the type of information sought.
The report observes that the group who made the attack ‘does not seem to be particularly advanced’, using and adapting commonly-found tools in the malware marketplace – but emphasise equally that the campaign is not necessarily any less effective for that.
Energy companies are now recognised as a prime target for hackers. Last year Symantec revealed a similar cyber-offensive against the energy sector by East European hacker collective Dragonfly. South Korea’s nuclear reactors were the subject of a reconnaissance raid late in 2014, in which certain ‘non-critical’ information was exfiltrated. Last year the Department of Homeland Security’s Computer Emergency Readiness Team identified 79 hacking events at energy companies, whilst hacker cabal Anonymous harmlessly showed their prowess by apparently attacking and modifying gas pump software.