Cybersecurity specialist Symantec has exposed a new kind of malicious software that is being used as part of an ongoing international espionage campaign. The malware, dubbed Trojan.Laziok, has primarily targeted energy companies in the Middle East, though who first deployed it remains unclear.
The attack, first observed in January, starts with an email from a moneytrans.eu domain, which includes what appears to be a Microsoft Excel file. Instead, the attachment activates a backdoor that gives the attacker a crucial view into the target's computer. The details of the infiltration were first made public Monday in a Symantec blog post.
The malware collects information including the computer name, installed software, RAM size, hard disk size, GPU details, CPU details and, perhaps crucially, what antivirus software is installed. Petroleum, gas and helium companies were most frequently targeted in the United Arab Emirates, Saudi Arabia, Pakistan and Kuwait. The United States, United Kingdom, India and other countries were also targeted, albeit less frequently.
“The group behind the attack does not seem to be particularly advanced, as they exploited an old vulnerability and used their attack to distribute well known threats that are available in the underground market,” Symantec wrote. “From the attacker's perspective, they don't always need to have the latest tools at their disposal to succeed. All they need is a bit of help from the user and a lapse in security operations through the failure to patch [a vulnerability].”
Symantec is continuing to investigate.