Laziok: the New Trojan Threatening the Energy Sector
During the months of January and February 2015, several companies belonging to the energy sector (in particular, companies in the Oil&Gas sector located in the Middle East) suffered attacks perpetrated by a Trojan discovered and named Laziok by Symantec, which allows the attacker to access confidential information stored on the compromised machines.
The attack vector used by Laziok is, once again, spear phishing: targeted emails sent through a spam server.
The email received by the victim contains an Excel file which, when opened, infects the machine with the Laziok Trojan. The malware hides on the machine by changing its file name from time to time and can be found under one of the following paths:
- %SystemDrive%\Documents and Settings\All Users\Application Data\System\Oracle\azioklmpx\search.exe
- %SystemDrive%\Documents and Settings\All Users\Application Data\System\Oracle\azioklmpx\ati.exe
- %SystemDrive%\Documents and Settings\All Users\Application Data\System\Oracle\azioklmpx\lsass.exe
- %SystemDrive%\Documents and Settings\All Users\Application Data\System\Oracle\azioklmpx\smss.exe
- %SystemDrive%\Documents and Settings\All Users\Application Data\System\Oracle\azioklmpx\admin.exe
- %SystemDrive%\Documents and Settings\All Users\Application Data\System\Oracle\azioklmpx\key.exe
- %SystemDrive%\Documents and Settings\All Users\Application Data\System\Oracle\azioklmpx\taskmgr.exe
- %SystemDrive%\Documents and Settings\All Users\Application Data\System\Oracle\azioklmpx\chrome.exe
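A host sweep for these indicators is the first thing a responder would want. The script below is an added example, not code from the article or from Symantec: it checks the directory named in the list above for the eight file names reported there, and, because the article says the malware renames itself, it also reports any other file sitting in that directory. The directory and file names are taken from the list above; the `self_check` helper builds a constructed directory tree in a temporary folder so the logic can be exercised on any OS.

```python
import os
import tempfile
from pathlib import Path

# Directory reported for Laziok in the article, relative to %SystemDrive%.
LAZIOK_DIR = Path("Documents and Settings") / "All Users" / "Application Data" \
    / "System" / "Oracle" / "azioklmpx"

# File names the article lists for the renamed Trojan binary.
LAZIOK_FILENAMES = ["search.exe", "ati.exe", "lsass.exe", "smss.exe",
                    "admin.exe", "key.exe", "taskmgr.exe", "chrome.exe"]
KNOWN = {name.lower() for name in LAZIOK_FILENAMES}


def default_root():
    """Root of the system drive: %SystemDrive% on Windows, '/' elsewhere
    (e.g. when a disk image is mounted on a Linux analysis box)."""
    drive = os.environ.get("SystemDrive")
    return Path(drive + os.sep) if drive else Path(os.sep)


def scan(root):
    """Look for the Laziok drop directory under `root`.

    Returns {"known": [...], "other": [...]} with Path objects: files whose
    name matches the published list, and any other file in the directory
    (the malware renames itself, so an unexpected name is still suspicious).
    """
    target = Path(root) / LAZIOK_DIR
    found = {"known": [], "other": []}
    if not target.is_dir():
        return found
    for entry in sorted(target.iterdir()):
        if entry.is_file():
            key = "known" if entry.name.lower() in KNOWN else "other"
            found[key].append(entry)
    return found


def self_check():
    """Constructed sample data: a temp tree with one listed name and one
    renamed binary at the indicator location, plus an empty root."""
    tmp = Path(tempfile.mkdtemp())
    target = tmp / LAZIOK_DIR
    target.mkdir(parents=True)
    (target / "lsass.exe").write_bytes(b"MZ")      # constructed, not real malware
    (target / "renamed.exe").write_bytes(b"MZ")    # constructed, not real malware
    result = scan(tmp)
    empty = scan(Path(tempfile.mkdtemp()))
    return ([p.name for p in result["known"]],
            [p.name for p in result["other"]],
            empty == {"known": [], "other": []})


if __name__ == "__main__":
    hits = scan(default_root())
    for kind in ("known", "other"):
        for path in hits[kind]:
            print(f"[{kind}] {path}")
    if not hits["known"] and not hits["other"]:
        print("no Laziok indicator paths found under", default_root())
```

Run it with administrative rights so the `All Users` profile is readable, or point `scan()` at the mount point of an offline image. A hit on a path such as `lsass.exe` or `smss.exe` in this directory is the finding: those names belong to system binaries that live in `%SystemRoot%\System32`, never under `Application Data`.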
The vulnerability that Laziok exploits is CVE-2012-0158, the Microsoft Windows Common Controls ActiveX Control Remote Code Execution Vulnerability, which mainly affects Microsoft SQL servers. This vulnerability had already been used by another APT campaign, Red October.
Once resident on the machine, the Trojan proceeds as follows:
1. It sends information about the infected machine to the attacker: machine name, installed software, RAM size, CPU and GPU details, and the type of antimalware installed.
2. The attacker uses this information to carry out a second infection, distributing payloads called Backdoor.Cyberat and Trojan.Zbot from C&C servers (located in the USA, the United Kingdom, and Bulgaria).
Some vendors, such as Symantec or Norton, have already released specific protections against the Laziok attack. In any case, the following recommendations help to avoid this type of threat:
- Avoid opening emails, files and/or accessing links from dubious sources.
- Use antimalware solutions that incorporate protection against vulnerabilities.
- Segment and fortify networks.
- Maintain a correct software update policy.