An email spam campaign targeting companies in the petroleum, gas and helium industries has been spotted by security researchers. Most of the targeted companies are in the so-called Middle East (UAE, Saudi Arabia, Qatar, Kuwait and Oman), but companies in the UK, the US, Africa, Asia and Latin America have also been targeted. The initial infection vector is spam email sent from the moneytrans[.]eu domain, which acts as an open-relay Simple Mail Transfer Protocol (SMTP) server. These emails carry a malicious attachment packed with an exploit for the Microsoft Windows Common Controls ActiveX Control Remote Code Execution Vulnerability (CVE-2012-0158). The attachment is an Excel file; when opened, it executes the exploit code for that vulnerability and drops a new reconnaissance Trojan known as "Laziok", which also has dropper capabilities. The Trojan first collects system configuration data such as the computer name, RAM size, hard-disk size, GPU and CPU details, the list of installed software and, in particular, the installed antivirus software. The group behind the attack does not seem to be particularly advanced: it exploited an old vulnerability and used the attack to distribute well-known threats that are available on the underground market.
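The two mail-side indicators described above (delivery through the named open relay and an Excel attachment as the CVE-2012-0158 carrier) can be checked at the mail gateway before the attachment is ever opened. The triage function below is an added example, not code from the advisory or from CERT-MU; the sample message, its IP address, sender address and attachment name are constructed, and only the relay domain comes from the advisory.

```python
import re
import email
from email import policy

# Constructed sample message (not from the advisory). The relay domain is the one the
# advisory names; the IP, sender, timestamp and attachment name are invented.
SAMPLE_EML = """\
Received: from mail.moneytrans.eu (mail.moneytrans.eu [203.0.113.5])
\tby mx.example.com with ESMTP id 4f2a; Mon, 30 Mar 2015 10:00:00 +0000
From: "Procurement" <tenders@example-oil.test>
To: ops@example.com
Subject: Tender documents
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XX"

--XX
Content-Type: text/plain

Please see the attached workbook.
--XX
Content-Type: application/vnd.ms-excel; name="tender.xls"
Content-Disposition: attachment; filename="tender.xls"
Content-Transfer-Encoding: base64

AAAA
--XX--
"""

WATCHED_DOMAINS = {"moneytrans.eu"}              # open relay named in the advisory
EXCEL_EXTS = (".xls", ".xlsx", ".xlsm", ".xlt")  # lure format used in this campaign

def _in_watchlist(host):
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in WATCHED_DOMAINS)

def triage(raw):
    """Return the campaign indicators found in one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    # Every host the message claims to have passed through, one per Received: header.
    hops = [m.group(1) for h in msg.get_all("Received", [])
            if (m := re.search(r"\bfrom\s+([\w.-]+)", str(h)))]
    sender_domain = msg["From"].addresses[0].domain if msg["From"] else ""
    excel = [p.get_filename() for p in msg.iter_attachments()
             if (p.get_filename() or "").lower().endswith(EXCEL_EXTS)]
    relay_hits = [h for h in hops if _in_watchlist(h)]
    sender_hit = _in_watchlist(sender_domain)
    return {
        "relay_hits": relay_hits,
        "sender_on_watchlist": sender_hit,
        "excel_attachments": excel,
        # Quarantine only when the relay/sender indicator and the lure co-occur.
        "quarantine": bool(relay_hits or sender_hit) and bool(excel),
    }
```

Run `triage()` over each message pulled from the gateway's quarantine or a mailbox export; a hit on the relay alone is worth logging, while the relay plus an Excel attachment is the combination the advisory describes.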
Mauritian Computer Emergency Response Team (CERT-MU)
National Computer Board