Two new malware campaigns have been spotted in the Middle East, according to reports released this week, one targeting energy companies and the other going after political targets in Israel and Lebanon.
Oil, gas and helium
Symantec researchers observed a brand-new information-gathering tool, Trojan.Laziok, this January and February, targeting primarily oil, gas and helium companies in the Middle East.
The United Arab Emirates saw 25 percent of the infections, with other Middle East countries adding up to 30 percent more. Pakistan had 10 percent, and the U.S. and the U.K. had another 10 percent between them.
According to Symantec senior security response manager Satnam Narang, the infection begins with a phishing email that contains an infected attachment — typically, an Excel file.
The attachment uses a known ActiveX exploit to get in, an exploit that has been patched in 2012.
"I know that zero-day vulnerabilities are the crown jewels but what often gets overlooked is that vulnerabilities that have been patched are still regularly leveraged by attackers," said Narang. "Attackers are banking that there are machines out there running unpatched applications, even though patches exist for them."
According to Philip Lieberman, president at Los Angeles-based security vendor Lieberman Software Corp., the recent drop in oil prices has led to a decrease in IT security investment in the oil and gas industry.
"This attack exploits an apparently well-known lack of investment by the oil and gas industry in keeping their Microsoft Office software up to date," he said.
Lieberman said that his company has seen this first-hand.
"In two recent requests for proposals we worked on, the petrochemical companies were unconcerned with the capabilities of the security products they were sourcing, and were only concerned about the price," he said. "In effect they were saying: 'We are from purchasing and we don't care if the solution works.' Unfortunately, security technology is not a commodity like oil."
The exploit code in the attachment then installs the Trojan.Laziok, which collects information about the computer and sends it back to the attackers. That includes information about what kind of anti-virus is present.
"It's a common tactic that we've seen for some time now," said Symantec's Narang. "It's very common for attackers to want to know what antivirus is running on a system. There are services they can go and check if their malware would be detected by a specific antivirus vendor."
Tools that enable malware to evade antivirus detection are easily available, confirmed Joe Barrett, senior security consultant at Lake Mary, Fla.-based Foreground Security. "It means that defense in-depth and the principle of 'least priviledge' are more important than ever."
Network defenders should watch for malicious traffic and be ready to isolate machines suspected of being infected.
Sign up for CIO Asia eNewsletters.