Researchers discover data-stealing malware targeting energy sector

Security researchers have discovered an espionage campaign that uses customised malware to steal confidential data from energy firms

Security researchers have discovered a multi-stage espionage campaign that uses customised malware to steal confidential data from energy firms.

Dubbed Trojan.Laziok, the malware acts as a reconnaissance tool that allows the attackers to gather data about compromised computers, according to security researchers at Symantec.

The data includes details about installed software, antivirus software, RAM size, hard disk size, central processing unit and graphics processing unit.

The detailed information enables the attackers to make crucial decisions about how to proceed with an attack, or whether to halt the attack, Symantec researcher Christian Tripputi wrote in a blog post.

Tripputi said that, once the attackers receive the system configuration data, they infect the computer with additional malware, such as versions of Backdoor.Cyberat and Trojan.Zbot, specifically tailored for the compromised computer.

The researchers found that most targets observed in January and February 2015 were linked to the petroleum, gas and helium industries, even though the initial attacks could have been blocked by keeping software and systems up to date.


Old exploits on unpatched systems

Hackers targeted the United Arab Emirates (UAE) most, followed by Saudi Arabia, Pakistan and Kuwait.

The researcher found energy firms’ computers were infected using spam emails coming from the domain, which acts as an open-relay simple mail transfer protocol (SMTP) server.

These emails include a malicious attachment – typically an Excel file – packed with an exploit for the Microsoft Windows ActiveX control remote code execution vulnerability (CVE-2012-0158).

This vulnerability has been exploited in many different attack campaigns in the past. One such was Red October, which infected diplomatic, government and scientific organisations around the world.

Well-known risks threaten energy companies

When the user opens the email attachment, the exploit code is executed. If the exploit succeeds, it drops Trojan.Laziok, kicking off the infection process.

The Trojan hides itself in the C:\Documents and Settings\All Users\Application Data\System\Oracle directory, making new folders and renaming itself with well-known file names.
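The staging directory named above is a concrete artefact a defender can hunt for. The script below is an added example, not Symantec's code or part of the article: it takes a list of (path, leading bytes) records, as a file-listing collector might produce, and flags anything under that directory, distinguishing PE executables from other files by their `MZ` header rather than by extension, since the article notes the Trojan renames itself with well-known file names. The directory path is the one reported in the article; the sample records and file names are constructed for the example, and the function names are this example's own.

```python
"""Hunt for the on-disk artefact Symantec attributes to Trojan.Laziok: a
staging directory under the All Users profile holding renamed copies of
the Trojan. Added example; the path comes from the article, the records
below are constructed test data, and the helper names are this example's own."""
from typing import List, Optional, Tuple

# Staging directory named in the article (Windows XP / Server 2003 profile layout).
LAZIOK_DIR = r"C:\Documents and Settings\All Users\Application Data\System\Oracle"

# A renamed Trojan keeps its PE header, so content is checked, not the extension.
PE_MAGIC = b"MZ"


def _normalise(path: str) -> str:
    """Windows paths are case-insensitive and accept either separator;
    compare on a canonical lower-case, backslash form with no trailing slash."""
    return path.replace("/", "\\").rstrip("\\").lower()


def in_staging_dir(path: str) -> bool:
    """True if `path` lies anywhere under the Laziok staging directory.

    The trailing backslash stops a sibling such as ...\\System\\OracleX matching."""
    return _normalise(path).startswith(_normalise(LAZIOK_DIR) + "\\")


def classify(path: str, head: bytes) -> Optional[str]:
    """Return a finding for one file, or None if it is not of interest.

    `head` is the first few bytes of the file, enough to see the PE magic."""
    if not in_staging_dir(path):
        return None
    if head.startswith(PE_MAGIC):
        return "executable in Laziok staging directory"
    return "unexpected file in Laziok staging directory"


def hunt(records: List[Tuple[str, bytes]]) -> List[Tuple[str, str]]:
    """Run classify() over (path, head) records and return (path, reason) findings."""
    findings = []
    for path, head in records:
        reason = classify(path, head)
        if reason:
            findings.append((path, reason))
    return findings


# Constructed sample input; the file names are illustrative, not reported IoCs.
SAMPLE_RECORDS = [
    # Legitimate executable outside the staging directory: not flagged.
    (r"C:\Windows\System32\notepad.exe", b"MZ\x90\x00"),
    # PE file inside the staging directory under a familiar-looking name: flagged.
    (r"C:\Documents and Settings\All Users\Application Data\System\Oracle\svchost.exe", b"MZ\x90\x00"),
    # Non-PE file in a subfolder, mixed case: still flagged (the directory is the indicator).
    (r"c:\documents and settings\all users\application data\system\oracle\sub\readme.txt", b"hello"),
    # Sibling directory with a similar prefix: not flagged.
    (r"C:\Documents and Settings\All Users\Application Data\System\OracleX\x.exe", b"MZ"),
]

if __name__ == "__main__":
    for found_path, found_reason in hunt(SAMPLE_RECORDS):
        print(f"{found_reason}: {found_path}")
```

In practice the records would come from an endpoint inventory or a forensic file listing; the check is deliberately content-based so that a renamed binary is caught whatever name it was given.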

Tripputi said the espionage campaign exploited an old vulnerability and distributed well-known threats available on the underground market.

“However, many people still fail to apply patches for vulnerabilities that are several years old, leaving themselves open to attacks of this kind,” he said.

This means attackers do not always need to have the latest tools at their disposal to succeed, because they can exploit organisations’ failures to patch software and systems regularly.
