
Detecting Laziok variants using RSA Security Analytics

Blog Post created by ahsonbol on Apr 8, 2015

Last week, Symantec blogged about a new reconnaissance tool used in attacks that target the energy sector, with a focus on the Middle East. Laziok, as Symantec calls it, is an information stealer that collects configuration data about compromised machines to help the attackers tailor their attacks against the victims. The collected data include:

  • Computer name
  • Installed software
  • RAM size
  • Hard disk size
  • GPU details
  • CPU details
  • Antivirus software

 

According to the Symantec blog post, the campaign started in January, which is about the same time that RSA FirstWatch Malware Analysis systems started processing some of those binaries. The screenshot below shows Laziok activity in our systems between mid-January and late March:


[Screenshot: Laziok activity in RSA FirstWatch Malware Analysis systems, mid-January to late March]


Digging deeper into the traffic between the infected machines and the C2 domains, there are some observations to make:


[Screenshot: HTTP traffic between the infected machines and the C2 domains]


The User-Agent string is fairly distinctive, but it is not present in all of the HTTP sessions, so it can't be used to detect all of the HTTP GET requests to the C2 domains. However, the directory name and file extension are unique and seem to be present in all of the related sessions.


Reconstructing one of the sessions using RSA Security Analytics clearly shows the kind of information collected from the infected machine and sent to the C2 domain in the query string:


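[Screenshot: session reconstructed in RSA Security Analytics, showing the collected data in the query string]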


Given all the network artifacts mentioned above and assuming the appropriate meta keys are enabled, an analyst can develop an app rule on RSA Security Analytics to detect the malicious traffic. The following query can be used:

action = 'get' && directory = '/panel/includes/' && extension = 'php'
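The same three conditions can be checked against proxy or web logs outside the product. The following Python sketch is an added example, not part of the original post or RSA's code: the log lines, host names and query parameters are constructed, and the way `directory` and `extension` are derived from the URL path is an assumption about how those meta keys are populated.

```python
from urllib.parse import urlsplit

# Constructed "METHOD URL" lines; hosts, file names and parameters are made up.
SAMPLE_REQUESTS = [
    "GET http://c2.example.test/panel/includes/a.php?host=PC01&ram=4096",
    "GET http://c2.example.test/panel/includes/b.php",
    "POST http://c2.example.test/panel/includes/a.php",
    "GET http://shop.example.test/panel/includes/style.css",
    "GET http://shop.example.test/admin/panel/includes/a.php",
    "GET http://shop.example.test/panel/includes/sub/a.php",
]

RULE_DIRECTORY = "/panel/includes/"  # value from the app rule above
RULE_EXTENSION = "php"               # value from the app rule above


def extract_meta(line):
    """Derive action, directory and extension from one 'METHOD URL' line."""
    method, url = line.split(None, 1)
    path = urlsplit(url.strip()).path or "/"
    # Everything up to and including the last '/' is the directory.
    directory, filename = path.rsplit("/", 1)
    extension = filename.rsplit(".", 1)[1] if "." in filename else ""
    return {
        "action": method.lower(),  # assumption: action meta is lower-case
        "directory": directory + "/",
        "extension": extension,
    }


def matches_rule(meta):
    """action = 'get' && directory = '/panel/includes/' && extension = 'php'"""
    return (
        meta["action"] == "get"
        and meta["directory"] == RULE_DIRECTORY
        and meta["extension"] == RULE_EXTENSION
    )


def detect(lines):
    """Return the log lines that satisfy all three rule conditions."""
    return [line for line in lines if matches_rule(extract_meta(line))]


if __name__ == "__main__":
    for hit in detect(SAMPLE_REQUESTS):
        print("ALERT", hit)
```

Only the first two constructed lines match. The rule compares `directory` by exact equality, so requests under a parent or child path do not fire, and the match does not depend on the User-Agent or on a query string being present.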

You can find VirusTotal scan results for one Laziok sample here.


All of the IOCs from those HTTP sessions were added to RSA FirstWatch Live feeds.
