There’s a new information stealer online -- and it’s targeting energy companies. It’s called Trojan.Laziok and it acts as a reconnaissance tool that allows attackers to gather information and custom tailor attack methods for each compromised computer, according to security research firm Symantec.
Symantec Security Response manager Christian Tripputi said the stolen information lets the hacker make important decisions about the next phase of the attack or stop the attack altogether.
“During the course of our research, we found that the majority of the targets were linked to the petroleum, gas and helium industries, suggesting that whoever is behind these attacks may have a strategic interest in the affairs of the companies affected," he said.
6 Best Practices
The attackers work through spam e-mails originating from the MoneyTrans.eu domain. The e-mails carry a malicious attachment packed with an exploit for the Microsoft Windows Common Controls ActiveX Control Remote Code Execution Vulnerability (CVE-2012-0158), Symantec reported. The exploit code is activated when a user opens the e-mail attachment.
“This vulnerability has been exploited in many different attack campaigns in the past, such as Red October,” Tripputi said. “Symantec and Norton products had protection in place against these exploits at the time of the targeted attack as Bloodhound.Exploit.457 and Web Attack: Microsoft Common Controls CVE-2012-0158.”
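A defender-side illustration of the delivery stage described above, added here and not part of the Symantec report: a mail-gateway log triage that holds Office/RTF attachments arriving from the MoneyTrans.eu sender domain and flags lookalike domains. The log lines and their key=value layout are constructed for the example, and the attachment-type set is an assumption to adapt to your own gateway.

```python
import re

# Constructed mail-gateway log lines for illustration (not real traffic);
# the key=value layout is an assumption, not any vendor's format.
SAMPLE_LOG = """\
2015-03-02T08:14:05Z id=m1001 from=billing@moneytrans.eu to=ops@energy.example attach=invoice_0312.doc
2015-03-02T08:15:11Z id=m1002 from=hr@energy.example to=ops@energy.example attach=schedule.xlsx
2015-03-02T08:17:42Z id=m1003 from=notice@MoneyTrans.eu to=cfo@energy.example attach=none
2015-03-02T08:20:09Z id=m1004 from=pay@moneytrans.eu.evil.example to=ops@energy.example attach=statement.rtf
2015-03-02T08:22:33Z id=m1005 from=alerts@moneytrans.eu to=ops@energy.example attach=report.pdf
"""

LINE_RE = re.compile(r"id=(?P<id>\S+) from=(?P<sender>\S+) to=\S+ attach=(?P<attach>\S+)")

# Sender domain the Symantec report ties to the campaign's spam.
CAMPAIGN_DOMAIN = "moneytrans.eu"
# Attachment types to hold for detonation when they come from that domain
# (assumption: choose the set your gateway can sandbox).
HOLD_EXTS = {".doc", ".docx", ".rtf", ".xls", ".xlsx"}


def sender_domain(address):
    """Lower-cased domain part of an e-mail address."""
    return address.rsplit("@", 1)[-1].lower()


def classify(sender, attach):
    """Return 'quarantine', 'review' or None for one message."""
    domain = sender_domain(sender)
    ext = "." + attach.rsplit(".", 1)[-1].lower() if "." in attach else ""
    if domain == CAMPAIGN_DOMAIN:
        # Exact match on the reported domain: hold Office/RTF attachments,
        # send anything else from it to an analyst.
        return "quarantine" if ext in HOLD_EXTS else "review"
    if CAMPAIGN_DOMAIN in domain:
        return "review"  # lookalike domain reusing the campaign name
    return None


def triage(log_text):
    """Map message id -> verdict for every log line a rule matches."""
    verdicts = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # line does not carry the expected fields
        verdict = classify(m["sender"], m["attach"])
        if verdict:
            verdicts[m["id"]] = verdict
    return verdicts
```

Feed `triage()` your own gateway export after adjusting `LINE_RE` to its field layout; the verdicts are a starting point for quarantine rules, not a replacement for patching CVE-2012-0158.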
After the malware collects the information, attackers can use it to infect the computer with more malware. In a campaign Symantec researched from January to February, the attackers distributed customized copies of Backdoor.Cyberat and Trojan.Zbot. Tripputi said both are tailored for the compromised computer’s profile.
Symantec offers six best practices to protect computer systems from the attack: avoid clicking on links in unsolicited, unexpected, or suspicious e-mails; avoid opening attachments in unsolicited, unexpected, or suspicious e-mails; use comprehensive security software to protect yourself from this type of attack; take a security layered approach for better protection; keep your security software up to date; and apply patches for installed software on a timely basis.
What This Attack Says
We caught up with cybersecurity expert Philip Lieberman, president of Lieberman Software, a security software developer, to get his thoughts on the malware. He told us that attacks today should be analyzed not so much by the tools and exploits used as by the sophistication of the targeting and the economics of those tools.
“Just as a company looks at the ROI of their offerings, attackers attempt to use the most inexpensive tools possible to achieve the greatest ROI,” Lieberman said. “This attack exploits an apparently well-known lack of investment by the oil and gas industry in keeping their Microsoft Office software up to date.”
Lieberman warned that the attack is also sophisticated in the way it targets a specific industry, as well as in its inventory of secondary infection tools. The attack exposes the lack of general cyberdefense preparation in many parts of the oil and gas industry worldwide, he said.
“Preceding the reduction in the price of oil worldwide, we have seen a general decrease in IT security investments within the oil and gas industry,” Lieberman said. “The dismantlement of IT oil and gas defenses and underfunding was picked up by the attackers and gives them great advantage over their targets.”