Beware of “Laziok” Trojan Delivered Through Powershell and Google Docs

FireEye, a network security firm based in Milpitas, California, recently issued a report detailing how malevolent hackers are using Google Docs and PowerShell to transmit a Trojan virus referred to as “Laziok”. Anyone who owns or manages a business should be aware of this Trojan attack. Even those who use personal computers at home for non-business purposes are vulnerable to the attack as well.

Google Docs

About the Laziok Trojan Attack

The Laziok Trojan was first identified a year ago when employed in a multi-tiered attack against energy companies across the Middle East. The virus was actually pinpointed on a Polish hosting service website used by those energy businesses. Laziok is best described as a combination of a program that steals information and a reconnaissance tool. The malware was employed through a threat group’s exploitation of an antiquated Windows weakness tracked with the label of “CVE-2012-0158”. This vulnerability implements the Trojan directly onto users’ computers.

Google Docs and Laziok

The FireEye report indicates that hackers apparently devised a highly creative method of bypassing Google’s stringent security checks. The hackers then uploaded the Laziok Trojan to Google Docs. The malware was originally uploaded last March and remained in place until FireEye made Google aware of its presence. Google regularly scans and blocks potentially harmful content on Google Docs to prevent such malware from harming its customers’ computing devices. It was widely assumed that Google Docs users would not be able to download malicious files from the popular file sharing / editing service until Laziok hit. It is clear that the malware found a way to slide in past Google’s extensive security scans. Thankfully, the malicious file has been successfully removed by Google so that users can no longer fetch it.

How the Laziok Trojan Attack Occurs

The attack was launched by uploading a highly complicated JavaScript code to take advantage of the aforementioned Windows vulnerability that is now being referred to as “Unicorn”. A VBScript was used to exploit the vulnerability upon users’ requests to access the particular page in question through the popular web browser Internet Explorer. Attackers relied on a means of exploitation referred to as “Godmode” that permits code written with VBScript to compromise the web browser’s sandbox. The script then proceeds to leverage Microsoft Windows’ PowerShell, a management program that automates and configurates computing tasks. PowerShell has been regularly abused by cyber thieves, especially throughout the past couple of years. PowerShell is used to download the Laziok Trojan from Google Docs and promptly execute it. This management framework is also favored by hackers as it is able to quickly and easily evade anti-virus software as it injects payloads right into memory. After infecting a computing device, Laziok proceeds to gather extensive information about the system including all of its antivirus programs.

IT Assistance for Small to Medium Sized Businesses

PC Tech Support is the trusted choice when it comes to staying ahead of the latest information technology tips, tricks, and news. Contact us at 0818 333 -949 or send us an email at info@pctechsupport.ie for more information.