An email spam campaign targeting companies in the petroleum, gas and helium industries has been spotted by Symantec researchers.
Most of them are in the so-called Middle East (UAE, Saudi Arabia, Qatar, Kuwait and Oman), but UK, US, African, Asian, and Latin American companies have also been targeted.
“The initial infection vector involves the use of spam emails coming from the moneytrans[.]eu domain, which acts as an open relay Simple Mail Transfer Protocol (SMTP) server. These emails include a malicious attachment packed with an exploit for the Microsoft Windows Common Controls ActiveX Control Remote Code Execution Vulnerability (CVE-2012-0158),” Symantec’s Christian Tripputi explained.
The attachment – an Excel file – would execute the exploit code for the aforementioned vulnerability, and drop a new reconnaissance Trojan with dropper capabilities: Laziok.
The Laziok Trojan would first collect system configuration data: computer name, RAM size, HD size, GPU and CPU details, list of installed software, and especially installed AV software.
This information is sent to the C&C server and, if the target was deemed interesting, Laziok would download customized copies of the Cyberat backdoor and Zbot info-stealer, specifically tailored for the compromised computer’s profile. If not, Laziok would stop further infection.
“The group behind the attack does not seem to be particularly advanced, as they exploited an old vulnerability and used their attack to distribute well-known threats that are available in the underground market,” Tripputi pointed out. “However, many people still fail to apply patches for vulnerabilities that are several years old, leaving themselves open to attacks of this kind.
Whoever was behind this campaign is obviously interested in the affairs of the affected companies. This seems more like economic espionage performed by hackers-for-hire than state-sponsored ones.