Reconnaissance malware wave strikes energy sector

Symantec says a new Trojan-based campaign, focused on the Middle East, is targeting the energy industry and its trade secrets.
Written by Charlie Osborne, Contributing Writer

A multi-staged, targeted campaign is striking the international energy sector in order to spy on companies and steal sensitive information.

Between January and February this year, security researchers from Symantec observed the targeted attack campaign focus on "energy companies around the world, with a focus on the Middle East." According to the team, the new campaign uses an information stealer dubbed Trojan.Laziok.

Laziok acts as a reconnaissance tool which allows cyberattackers to infiltrate computer systems and steal data concerning computer systems themselves -- so hackers can choose whether to continue the assault or not -- with the overall aim of finding and stealing trade secrets.

The security firm discovered that the majority of targets are linked to the petroleum, gas and helium industries. The UAE, Pakistan, Saudi Arabia and Kuwait are most often targeted, but businesses in the US and UK have also experienced attacks.


Symantec says the initial attack vector stems from the moneytrans[.]eu domain, which acts as an SMTP server. Emails sent from this domain contain a malicious file containing an exploit for the Microsoft Windows Common Controls ActiveX Control Remote Code Execution Vulnerability (CVE-2012-0158). Once a victim clicks on the email and opens the attachment -- usually in the guise of an Excel file -- Laziok is dropped.

When the Trojan has found its way into a computer system, the malicious code hides itself in the %SystemDrive%\Documents and Settings\All Users\Application Data\System\Oracle directory before renaming itself with well-known and seemingly legitimate names, such as search.exe and chrome.exe. The Trojan then begins to gather system data including computer names, installed software, RAM size, CPU details and antivirus software installation.

This information is then sent to the cyberattackers for processing. Additional malware payloads may then be sent back to the compromised system, which can damage networks or focus on data theft.

Symantec says:

"The group behind the attack does not seem to be particularly advanced, as they exploited an old vulnerability and used their attack to distribute well-known threats that are available in the underground market.
However, many people still fail to apply patches for vulnerabilities that are several years old, leaving themselves open to attacks of this kind. From the attacker's perspective, they don't always need to have the latest tools at their disposal to succeed.
All they need is a bit of help from the user and a lapse in security operations through the failure to patch."

This is far from the first time the energy industry has been targeted through malware-driven campaigns. A separate campaign, dubbed Shamoon, also targets the energy sector through a malware payload which allows for the theft of information before wiping systems.

Read on: In the world of security

Read on: Fixes and Flaws

Editorial standards