Friday, 12 January 2018

Win32/Laziok malware – Cybersecurity research

This topic is about the Win32/Laziok malware.
It does not matter where I found it.
Its hidden activity is very intense: it seeks to install itself, tries to disable the antivirus, modifies the Registry, scans for installed software, etc.

The .exe file is named smss, and I found it under the same name in another AV report. It seems it was first detected and named Win32/Laziok in 01.2015, but no one has published a clear report about it.

After running the backdoored software, smss.exe starts running in the background and sets up its working environment.
It scans the whole system for computer protection software.
The infected smss file is hidden in the \Application Data\System\Oracle directory, and it is super hidden.
It is easy to overlook, because the original smss.exe is a legitimate Windows process.
It tries to connect to a server hosting the swoleoil.co domain.
  • URL: hxxp://87.121.52.228/panel/includes/verif.php
    TYPE: GET
    USER AGENT: None
  • Organization Neterra Ltd.
  • Country Bulgaria
  • Detection ratio: 43 / 67 at this moment.
  • MD5 0947e4f35f823b37fd8352e643d6cf8c
  • SHA1 79b183a761470c3e3662ab64004072c70131a815

  • hxxp://87.121.52.228/panel/includes/country.php
  • hxxp://87.121.52.228/panel/includes/idcontact.php
  • hxxp://87.121.52.228/panel/includes/post.php
  • hxxp://87.121.52.228/panel/includes/verif.php
  • hxxp://87.121.52.228/panel/includes/chromix.exe
Domain: swoleoil.co
Registrar: Key-Systems GmbH
Registration Date: 2014-05-08
Expiration Date: 2018-05-07
Updated Date: 2017-06-22
Status: ok
Name Servers: carter.ns.cloudflare.com / gwen.ns.cloudflare.com
The server seems to be empty at this time.
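A triage helper built from the indicators listed above (an added example, not code from the original post or from Prodefence.org): it scans proxy log lines for requests to the C2 host or the panel paths, notes GET requests with an empty User-Agent as the report describes for verif.php, checks whether a given smss.exe path sits outside its normal System32 location, and matches file hashes against the MD5/SHA1 listed above. The proxy log format and the sample lines are constructed for the demo; only the IP, paths, hashes and file location come from the report.

```python
"""Hunting for the Win32/Laziok indicators from the report above.

Added example, not part of the original post. The log format and the sample
log lines are constructed; the IP, URL paths, hashes and the smss.exe drop
location are taken from the report.
"""
import re
from pathlib import PureWindowsPath
from urllib.parse import urlsplit

# Network indicators from the report
C2_HOST = "87.121.52.228"
C2_PATHS = {
    "/panel/includes/country.php",
    "/panel/includes/idcontact.php",
    "/panel/includes/post.php",
    "/panel/includes/verif.php",
    "/panel/includes/chromix.exe",
}

# File hashes from the report (lower-case hex)
KNOWN_HASHES = {
    "0947e4f35f823b37fd8352e643d6cf8c",          # MD5
    "79b183a761470c3e3662ab64004072c70131a815",  # SHA1
}

# Constructed proxy log format (assumption, not a real product format):
#   <timestamp> <client-ip> <method> <url> ua="<user agent>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+ua="(?P<ua>[^"]*)"$'
)


def parse_proxy_line(line):
    """Parse one log line into a dict, or return None for malformed lines."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify_request(entry):
    """Return the reasons a parsed request matches the report's indicators."""
    reasons = []
    parts = urlsplit(entry["url"])
    if parts.hostname == C2_HOST:
        reasons.append("known C2 host")
    if parts.path in C2_PATHS:
        reasons.append("known panel path")
    # The report's verif.php beacon is a GET with no User-Agent. An empty UA
    # alone is weak evidence, so only record it once the URL already matched.
    if reasons and entry["method"] == "GET" and entry["ua"] == "":
        reasons.append("GET with empty User-Agent")
    return reasons


def hunt_proxy_log(lines):
    """Return one hit per log line that matches at least one indicator."""
    hits = []
    for line in lines:
        entry = parse_proxy_line(line)
        if entry is None:
            continue  # skip lines that do not fit the format
        reasons = classify_request(entry)
        if reasons:
            hits.append({"client": entry["client"], "url": entry["url"], "reasons": reasons})
    return hits


def is_suspicious_smss_path(path):
    """True for an smss.exe that is not under \\Windows\\System32.

    The legitimate Session Manager lives in %SystemRoot%\\System32; the report
    found the malicious copy under \\Application Data\\System\\Oracle. Copies in
    WinSxS would also trip this heuristic, so treat hits as triage leads.
    """
    p = PureWindowsPath(path)
    if p.name.lower() != "smss.exe":
        return False
    parts = [part.lower() for part in p.parts]
    in_system32 = len(parts) >= 3 and parts[-2] == "system32" and parts[-3] == "windows"
    return not in_system32


def is_known_sample(digest):
    """Match an MD5 or SHA1 hex digest against the hashes in the report."""
    return digest.strip().lower() in KNOWN_HASHES


# Constructed sample log; the first two lines mimic the beacon the report describes.
SAMPLE_LOG = [
    '2018-01-12T10:00:01Z 10.0.0.5 GET http://87.121.52.228/panel/includes/verif.php ua=""',
    '2018-01-12T10:00:02Z 10.0.0.5 GET http://87.121.52.228/panel/includes/chromix.exe ua=""',
    '2018-01-12T10:00:03Z 10.0.0.7 GET http://www.example.com/index.html ua="Mozilla/5.0"',
    '2018-01-12T10:00:04Z 10.0.0.9 POST http://198.51.100.20/panel/includes/post.php ua="Mozilla/5.0"',
    "this line is malformed and is skipped by the parser",
]

if __name__ == "__main__":
    for hit in hunt_proxy_log(SAMPLE_LOG):
        print(hit["client"], hit["url"], ", ".join(hit["reasons"]))
    print(is_suspicious_smss_path(r"C:\Documents and Settings\user\Application Data\System\Oracle\smss.exe"))
```

Running the module prints three hits from the constructed log (two to the C2 host with an empty User-Agent, one to a different host that only reuses a panel path) and `True` for the smss.exe path matching the drop location in the report.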
That’s all about this malware.
Source: Prodefence.org
Have fun & Stay safe!
