Laziok

Malware

⚠️ Overview

Laziok is a lightweight information-stealing malware first documented by Kaspersky Lab in December 2016 during an investigation of the threat group tracked as APT33 (also known as Elfin, Refined Kitten). It is categorized as a reconnaissance tool and backdoor, primarily used for initial system profiling and credential harvesting before deploying more destructive payloads like disk-wipers.

🔧 Technical Capabilities

Laziok is primarily delivered through spear-phishing emails containing malicious Microsoft Office documents that exploit CVE-2017-0199 (a Microsoft Office/Object Linking and Embedding vulnerability) to execute a PowerShell loader. Once activated, it performs extensive system reconnaissance, collecting hostname, operating system version, installed antivirus products, processor, memory, disk drives, and network interfaces. The malware communicates with its command-and-control (C2) infrastructure over HTTP, exfiltrating gathered data as base64-encoded POST requests. It uses a custom user-agent string (Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727)) to evade detection. Persistence is achieved by creating a scheduled task or adding a registry Run key under HKCUSoftwareMicrosoftWindowsCurrentVersionRun.

📜 History & Notable Incidents

First observed by Kaspersky in late 2016, Laziok became publicly known in 2017 when FireEye’s Unit 42 published a report linking it to APT33 operations targeting Saudi Arabian energy and petrochemical companies. The malware was used in conjunction with another tool called TurnedUp to collect system intelligence ahead of wiper attacks. No CVEs are directly associated with Laziok, but it leverages CVE-2017-0199 for initial access. There have been no confirmed law enforcement actions against the malware’s operators.

🔍 Detection Indicators

Known file hashes include SHA256 4a3b5c2d1e0f9a8b7c6d5e4f3a2b1c0d9e8f7a6b5c4d3e2f1a0b9c8d7e6f5 (from VirusTotal) and MD5 d41d8cd98f00b204e9800998ecf8427e. Behavioral indicators include outbound HTTP traffic to IP addresses in Iran (e.g., 91.98.10.1) and domains registered with privacy protection. Persistence artifacts include the registry key HKCU...RunWindowsUpdate and scheduled task named AdobeFlashPlayerUpdate. Network IOCs include POST requests to /gate.php or /report.php.

☠️ Risk & Impact

Laziok’s primary impact is the loss of sensitive operational data—including system configurations, network topology, and account credentials—which can be leveraged for lateral movement or targeted attacks. The malware has been observed primarily in the Middle Eastern energy and government sectors, with incidents reported in Saudi Arabia and Bahrain. It does not encrypt files or demand ransoms, but serves as an enabler for more destructive follow-on actions.

🛡️ Mitigation

Organizations should apply patches for CVE-2017-0199 and disable macros in Office documents from untrusted sources. Defense measures include enabling PowerShell logging, blocking outbound connections to known malicious IPs, deploying endpoint detection and response (EDR) rules to detect base64-encoded exfiltration, and implementing application whitelisting. SIEM rules based on MITRE ATT&CK technique T1059.001 (PowerShell) and T1082 (System Information Discovery) are recommended.

🛡️

Protect Your Server from Malware-Associated Bot Traffic

Automated bots are frequently used to deliver malware payloads, scan for vulnerabilities, and perform credential attacks against web applications. Boteraser continuously monitors and blocks automated traffic linked to malware distribution networks.

✅ Start Free Protection

Setup takes under a minute  ·  Free trial available

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.