A new cybercriminal group is reportedly targeting global energy sector companies in an effort to collect data on their networked computer systems and decide whether all-out malware attacks are likely to succeed. So far, most of these reconnaissance efforts have focused on corporations in the Middle East, but companies in the United States and the United Kingdom are also on the list. Are energy companies in danger of losing their trade secrets?
According to Tripwire, the new malware attack — known as Trojan.Laziok — starts with a series of spam emails from the moneytrans[.]eu domain, which functions as a type of Simple Mail Transfer Protocol server. If users download and open the attached Excel file, the malware payload activates and the exploit code is executed.
The result is a nasty little bug that hides itself in the %SystemDrive%\Documents and Settings\All Users\Application Data\System\Oracle directory and collects system configuration data that is sent back to attackers. Depending on what is discovered, cybercriminals can choose to send new malware files or simply observe until they find an opening. It’s also worth noting that Laziok can create new folders and rename files in an attempt to hide its presence.
As noted by ZDNet, the bulk of these reconnaissance efforts are focused on the Middle East, with 25 percent of cases cropping up in the United Arab Emirates, 10 percent in Saudi Arabia, 10 percent in Kuwait and 10 percent in Pakistan. The aim doesn’t seem to be total system shutdown or forced failure, but rather finding and capturing trade secrets.
Malware Attacks Are Nothing New
This isn’t the first time energy sector businesses have been targeted. In November 2014 the Regin malware was used to spy on calls and communications routed through company networks, and in June of last year a group called Dragonfly used the Havex malware in an attempt to get booby-trapped apps onto energy sector systems.
While it’s no surprise another set of malware attacks has cropped up, Symantec notes the group behind the new Laziok attack “does not seem to be particularly advanced, as they exploited an old vulnerability and used their attack to distribute well-known threats that are available in the underground market.”
In other words, they’re aiming for low-hanging fruit and hoping to spy on energy sector companies that haven’t applied patches or updates for problems that are several years old. This is no small issue — Threatpost reported in January that 50 percent of companies still don’t make use of automatic updating and patching tools.
The bottom line for energy sector companies is that there’s no end to malware threats in sight. While the days of attacks targeting critical systems to cause massive power outages or network shutdowns seems to have passed, new attackers are now looking to steal corporate secrets. Laziok is just a warning shot; expect greater firepower in the days to come.