Zscaler Data Protection Recognized as a 2023 Product of the Year by CRN

Zscaler Blog

Get the latest Zscaler blog updates in your inbox

Security Research

LightsOut EK Targets Energy Sector

March 12, 2014 - 3 min read
Late last year, the story broke that threat actors were targeting the energy sector with Remote Access Tools and Intelligence gathering malware.  It would seem that the attackers responsible for this threat are back for more.  This particular APT struck late February between 2/24-2/26.  The attack began as a compromise of a third party law firm which includes an energy law practice known as Thirty Nine Essex Street LLP (www[.]39essex[.]com).  The victim site is no longer compromised, but viewers should show restraint and better browsing practices when visiting.
39essex.com shown as a referral URL to suspicious site.

The compromise leads the victim to another site which provides the attacker with a specific user-agent in the URL field.  The purpose of this is to pass along diagnostics to the attacker so that the proper malicious package is sent to the victim.  This should be taken as a point of identification in administrator logs as this may indicate an attack on your network.
At the time of research, the Java Class file was returning 404.

There are several other locations which show similar activity that are also related to this threat.  Malicious redirects come from IP address 174[.]129[.]210[.]212 should also be taken as suspicious as well as some sites hosted on this domain (aptguide[.]3dtour[.]com).

The URLquery and VirusTotal entries for this IP corroborates the notion that this location played a part in using LightsOut Exploit Kit.  

LightsOut performs several diagnostic checks on the victim's machine to make sure that it can be exploited.  This includes checking the browser and plugin versions.
The deobfuscated Javascript sheds some light on the iframe injection.
More JS Deobfuscation
Checking to see what version of Adobe is installed.
Checking to see if you are IE7.
Checking to see if Java is enabled in the browser.

Ultimately, a payload is delivered from the LightsOut Exploit kit, which attempts to drop a malicious JAR file exploiting CVE-2013-2465. At the time of research, the binary file was no longer available, which suggests that the attack window has now closed for this particular watering hole.  However, other security sources tell us that the site used in the attack is also a known HAVEX RAT CnC.

The recent activity of this threat originating from a site in the energy sector should serve as a warning to those in the targeted industry.  Prior research from other sources tells us that the threat actors involved are highly motivated and agile.  Their motive is to gather intelligence for further attacks, so be on your guard and monitor transaction logs for suspicious activity!
form submtited
Thank you for reading

Was this post useful?

Explore more Zscaler blogs

A cyber criminal shopping for malware
Agniane Stealer: Dark Web’s Crypto Threat
Read Post
Business people walking through a city
The Impact of the SEC’s New Cybersecurity Policies
Read Post
Digital cloud illuminated in blue
Security Advisory: Remote Code Execution Vulnerability (CVE-2023-3519)
Read Post
The TOITOIN Trojan: Analyzing a New Multi-Stage Attack Targeting LATAM Region
Read Post
01 / 02
dots pattern

Get the latest Zscaler blog updates in your inbox

By submitting the form, you are agreeing to our privacy policy.