Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

Attackers Use PowerShell, Google Docs to Deliver “Laziok” Trojan

Malicious actors have abused PowerShell and Google Docs to deliver a Trojan known as Laziok, FireEye reported on Thursday.

Malicious actors have abused PowerShell and Google Docs to deliver a Trojan known as Laziok, FireEye reported on Thursday.

Laziok, a reconnaissance tool and information stealer, was first spotted last year when a threat group leveraged the malware in a sophisticated multi-stage attack campaign targeting energy companies in the Middle East. Attackers exploited an old Windows vulnerability tracked as CVE-2012-0158 to drop the Trojan onto users’ systems.

According to FireEye, attackers found a way to bypass Google’s security checks and uploaded the malicious payload to Google Docs. The malware was uploaded in March and remained there until Google was notified by the security firm.

“Users are not usually able to download malicious content from Google Docs because Google actively scans and blocks malicious content. The fact that this sample was available and downloadable on Google Docs suggests that the malware evaded Google’s security checks,” researchers said. “Following our notification, Google promptly removed the malicious file and it can no longer be fetched.”

The operation observed by researchers started on the website of a Poland-based hosting service. The attack was initiated by loading obfuscated JavaScript code designed to exploit a Windows vulnerability tracked as CVE-2014-6332 and dubbed “Unicorn.”

When users accessed the attack page from Internet Explorer, the malicious script exploited CVE-2014-6332 via VBScript to bypass protections and enable attackers to use an exploitation method known as “Godmode,” which allows code written in VBScript to break the browser sandbox.

The malicious script then leveraged PowerShell, which has been increasingly abused by cybercriminals, to download the actual malware from Google Docs and execute it.

“PowerShell is also useful for bypassing anti-virus software because it is able to inject payloads directly in memory,” FireEye researchers explained in a blog post. “It seems the technique is still popular among campaigns involving infostealers, and this one was able to evade Google Docs security checks.”

Once it infects a device, Trojan.Laziok collects information about the system, including a list of installed antiviruses.

Related: PowerWare Ransomware Abuses PowerShell, Office Macros

Related: PowerSniff Malware Attacks Abuse Macros, PowerShell

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.


Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Russia-linked cyberespionage group APT29 has been observed using embassy-themed lures and the GraphicalNeutrino malware in recent attacks.

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Malware & Threats

Cybercrime in 2017 was a tumultuous year "full of twists and turns", with new (but old) infection methods, a major return to social engineering,...

Malware & Threats

Security researchers are warning of a new wave of malicious NPM and PyPI packages designed to steal user information and download additional payloads.