Security researchers have discovered a multi-stage espionage campaign that uses customised malware to steal confidential data from energy firms.
Dubbed Trojan.Laziok, the malware acts as a reconnaissance tool that allows the attackers to gather data about compromised computers, according to security researchers at Symantec.
The data includes details about installed software, antivirus software, RAM size, hard disk size, central processing unit and graphics processing unit.
The detailed information enables the attackers to make crucial decisions about how to proceed with an attack, or whether to halt the attack, Symantec researcher Christian Tripputi wrote in a blog post.
Tripputi said that, once the attackers receive the system configuration data, they then infect the computer with additional malware – such as versions of Backdoor.Cyberat and Trojan.Zbot, specifically tailored for the compromised computer.
The researchers found that most targets observed in January and February 2015 were linked to the petroleum, gas and helium industries, even though the initial attacks could have been blocked by keeping software and systems up to date.
Old exploits on unpatched systems
Hackers targeted the United Arab Emirates (UAE) most, followed by Saudi Arabia, Pakistan and Kuwait.
The researcher found energy firms’ computers were infected using spam emails coming from the moneytrans.eu domain, which acts as an open-relay simple mail transfer protocol (SMTP) server.
These emails include a malicious attachment – typically an Excel file – packed with an exploit for the Microsoft Windows ActiveX control remote code execution vulnerability (CVE-2012-0158).
This vulnerability has been exploited in many different attack campaigns in the past. One such was Red October, which infected diplomatic, government and scientific organisations around the world.
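As an added example (not from the article or from Symantec's research), the following Python check flags the delivery pattern described above: mail relayed through the moneytrans.eu domain that carries an Excel attachment. The sample message, addresses and attachment bytes are constructed for the dry run and are not a real capture.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators taken from the article: the open-relay sending domain and the
# Excel attachment type used to carry the CVE-2012-0158 exploit.
RELAY_DOMAIN = "moneytrans.eu"
EXCEL_TYPES = {
    "application/vnd.ms-excel",
    "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet",
}
EXCEL_EXTENSIONS = (".xls", ".xlsx", ".xlsm")


def triage_message(raw: str) -> dict:
    """Return triage findings for one raw RFC 5322 message string."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = {"from_relay": False, "excel_attachments": [], "suspicious": False}

    # Look for the relay domain in the From header and in every Received hop.
    headers = [msg.get("From", "")] + msg.get_all("Received", [])
    findings["from_relay"] = any(RELAY_DOMAIN in h.lower() for h in headers)

    # Walk the MIME tree; flag Excel parts by content type or file extension.
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        name = (part.get_filename() or "").lower()
        ctype = part.get_content_type()
        if ctype in EXCEL_TYPES or name.endswith(EXCEL_EXTENSIONS):
            findings["excel_attachments"].append(name or ctype)

    # Both indicators together match the campaign's delivery pattern.
    findings["suspicious"] = findings["from_relay"] and bool(findings["excel_attachments"])
    return findings


def build_sample() -> str:
    """Constructed sample message (hypothetical addresses, fake attachment bytes)."""
    msg = EmailMessage()
    msg["From"] = "invoice@moneytrans.eu"
    msg["To"] = "ops@example-energy.invalid"
    msg["Subject"] = "Invoice"
    msg["Received"] = "from mail.moneytrans.eu (unknown [192.0.2.10]) by mx.example-energy.invalid"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(b"\xd0\xcf\x11\xe0 not a real workbook", maintype="application",
                       subtype="vnd.ms-excel", filename="invoice.xls")
    return msg.as_string()


if __name__ == "__main__":
    print(triage_message(build_sample()))
```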
Well-known risks threaten energy companies
When the user opens the email attachment, the exploit code is executed. If the exploit succeeds, it drops Trojan.Laziok, kicking off the infection process.
The Trojan hides itself in the C:\Documents and Settings\All Users\Application Data\System\Oracle directory, creating new folders there and renaming itself with well-known file names.
Tripputi said the espionage campaign exploited an old vulnerability and distributed well-known threats available on the underground market.
“However, many people still fail to apply patches for vulnerabilities that are several years old, leaving themselves open to attacks of this kind,” he said.
This means attackers do not always need to have the latest tools at their disposal to succeed, because they can exploit organisations’ failures to patch software and systems regularly.