Malicious actors have abused PowerShell and Google Docs to deliver a Trojan known as Laziok, FireEye reported on Thursday.
Laziok, a reconnaissance tool and information stealer, was first spotted last year when a threat group leveraged the malware in a sophisticated multi-stage attack campaign targeting energy companies in the Middle East. Attackers exploited an old Windows vulnerability tracked as CVE-2012-0158 to drop the Trojan onto users’ systems.
According to FireEye, attackers found a way to bypass Google’s security checks and uploaded the malicious payload to Google Docs. The malware was uploaded in March and remained there until Google was notified by the security firm.
“Users are not usually able to download malicious content from Google Docs because Google actively scans and blocks malicious content. The fact that this sample was available and downloadable on Google Docs suggests that the malware evaded Google’s security checks,” researchers said. “Following our notification, Google promptly removed the malicious file and it can no longer be fetched.”
The operation observed by researchers started on the website of a Poland-based hosting service. The attack was initiated by loading obfuscated JavaScript code designed to exploit a Windows vulnerability tracked as CVE-2014-6332 and dubbed “Unicorn.”
When users accessed the attack page from Internet Explorer, the malicious script exploited CVE-2014-6332 via VBScript to bypass protections and enable attackers to use an exploitation method known as “Godmode,” which allows code written in VBScript to break the browser sandbox.
The malicious script then leveraged PowerShell, which has been increasingly abused by cybercriminals, to download the actual malware from Google Docs and execute it.
“PowerShell is also useful for bypassing anti-virus software because it is able to inject payloads directly in memory,” FireEye researchers explained in a blog post. “It seems the technique is still popular among campaigns involving infostealers, and this one was able to evade Google Docs security checks.”
Once it infects a device, Trojan.Laziok collects information about the system, including a list of installed antiviruses.
Related: PowerWare Ransomware Abuses PowerShell, Office Macros
Related: PowerSniff Malware Attacks Abuse Macros, PowerShell