    Archive for September 13th, 2012




    Modified versions of the Enfal malware, which figured prominently in the LURID attacks, were seen to have infected more than 800 systems worldwide. Enfal variants are known to communicate with specific servers that give attackers access to, and even full control of, infected systems.

    We recently uncovered several attacks that used a modified version of Enfal, which have compromised 874 systems in 33 countries. Enfal was the malware used in the LURID targeted attacks, which we documented in September 2011. The malware has also been linked to attacks going back to 2006 and possibly even 2002.

    We investigated five command-and-control (C&C) servers related to these attacks and found that there were victim concentrations in Vietnam, Russia and Mongolia.

    These identified targeted victims can be categorized as:

    • Government Ministries and Agencies
    • Military and Defense contractors
    • Nuclear and Energy sectors
    • Space and Aviation
    • Tibetan community

    Here are the top 5 countries that had compromised computers connecting to the five C&C servers. Note that a single compromised system may connect to more than one server.

    C&C (1) {BLOCKED}2.152.14
        Country       Compromised systems
        Vietnam       394
        Russia         34
        India          19
        China          14
        Bangladesh     11

    C&C (2) {BLOCKED}2.153.79
        Country       Compromised systems
        Russia         85
        Mongolia       65
        Kazakhstan     32
        United States  19
        India          14

    C&C (3) {BLOCKED}8.175.122
        Country       Compromised systems
        Mongolia       41
        Russia         14
        China          11
        Philippines     6
        India           5

    C&C (4) {BLOCKED}3.76.90
        Country       Compromised systems
        Mongolia       42
        Russia         25
        Philippines     5
        China           4
        Brazil          2

    C&C (5) {BLOCKED}2.154.203
        Country       Compromised systems
        Russia         36
        Kazakhstan      2
        Pakistan        1

    It should be noted, however, that in many cases we were unable to identify a specific victim beyond ISP and country. We are continuously notifying compromised parties via appropriate channels.

    Attacks Using Modified Enfal With Campaign “Tags”

    We found that there were 63 campaign “tags” or codes that the attackers used to keep track of which attack compromised which computers. Here are the top 5 campaign tags.

    Campaign tag   Count
    ynshll         221
    ynsh           113
    mgin            89
    0821zh          40
    ym2012814       38

    During our research, we found that the typical vector used in these attacks is a socially engineered email with a malicious attachment.

    The attachment is the malicious document Special General Meeting.doc (detected as TROJ_ARTIEF.JN), which exploits a Microsoft Office vulnerability (CVE-2012-0158) to drop BKDR_MECIV.AF onto the targeted computer. The compromised computer then begins to communicate with a C&C server, through which the attackers can maintain full control of the computer.

    File name                      MD5                                 Detection
    Special General Meeting.doc    2f66e1a97b17450445fbbec36de93daf    TROJ_ARTIEF.JN
    datac1en.dll                   9801d66d822cb44ea4bf8f4d2739e29c    BKDR_MECIV.AF

    The communication used by this variant of Enfal differs from that of previous ones. The names of the files requested on the C&C server have been changed, and so has the XOR value used to encrypt the communications. In addition, all of the communication is now XORed.

    Previous versions of Enfal consistently requested “/cg[a-z]-bin/Owpq4.cgi” on the C&C server, making that path a reliable indicator.

    In addition, we found malicious documents in Russian that also drop the Enfal malware and connect to this network of C&C servers.

    File name                  MD5
    Замысел Кавказ 2012.doc    81f40945554a4d585ea4993e43a493a5
    datac1en.dll               7185411935b5c24d600bd17debc2a0a0

    The samples of this Enfal variant, which connect to the URL path /8jwpc/odw3ux, have used a variety of subdomains on at least five domain names as C&C servers: {BLOCKED}tast.com, {BLOCKED}eibus.com, {BLOCKED}bfy.com, {BLOCKED}uttons.com and {BLOCKED}offe.com.

    In addition to this Enfal variant, the traditional version remains active as well. However, the modifications made to the traditional Enfal file paths indicate that the attackers are attempting to bypass defense measures, such as IDS and network monitoring, that match on Enfal’s consistent URL paths.
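    The path change described above is exactly what a URL-based detection has to keep up with. The following is an added example (not code from the original post or from Trend Micro) that scans constructed proxy log lines for both the legacy Enfal path and the modified variant's path; the host names, client IPs and log format are assumptions, not indicators from the post.

```python
import re

# Indicators taken from the post: the legacy Enfal request path
# (a character-class pattern) and the path used by the modified variant.
ENFAL_PATH_PATTERNS = {
    "enfal-legacy": re.compile(r"/cg[a-z]-bin/Owpq4\.cgi", re.IGNORECASE),
    "enfal-modified": re.compile(r"/8jwpc/odw3ux", re.IGNORECASE),
}

# Constructed sample proxy log (timestamp, client IP, method, URL, status).
# Host names and addresses are placeholders, not real C&C indicators.
SAMPLE_PROXY_LOG = """\
2012-09-13T08:01:12Z 10.0.0.15 GET http://update.example-cdn.test/cgi-bin/Owpq4.cgi 200
2012-09-13T08:02:44Z 10.0.0.22 GET http://www.example.test/index.html 200
2012-09-13T08:03:09Z 10.0.0.31 GET http://news.example-host.test/8jwpc/odw3ux?x=1 200
2012-09-13T08:04:51Z 10.0.0.15 GET http://mail.example.test/cga-bin/Owpq4.cgi 404
2012-09-13T08:05:02Z 10.0.0.40 GET http://cdn.example.test/8jwpc/odw3ux.png 200
"""


def parse_line(line):
    """Split one space-separated proxy log line into its fields, or None if malformed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, client, method, url, status = parts
    return {"ts": ts, "client": client, "method": method, "url": url, "status": status}


def url_path(url):
    """Strip scheme, host and query string so only the request path is matched."""
    path = re.sub(r"^[a-z]+://[^/]+", "", url, flags=re.IGNORECASE)
    return path.split("?", 1)[0]


def find_enfal_beacons(log_text):
    """Return (client, variant, url) for each line whose full path matches an Enfal indicator.

    fullmatch() is used so that look-alike paths (e.g. /8jwpc/odw3ux.png) do not
    fire; the query string is ignored because only the path is the indicator.
    """
    hits = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        path = url_path(rec["url"])
        for variant, pattern in ENFAL_PATH_PATTERNS.items():
            if pattern.fullmatch(path):
                hits.append((rec["client"], variant, rec["url"]))
    return hits


def beaconing_hosts(log_text):
    """Map each Enfal variant to the set of client IPs that requested its path."""
    hosts = {}
    for client, variant, _ in find_enfal_beacons(log_text):
        hosts.setdefault(variant, set()).add(client)
    return hosts
```

    Because the modified variant varies its C&C subdomains, the path is the more stable pivot; host names should be treated as a secondary, faster-changing indicator.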

    Trend Micro Deep Discovery defends against these attacks using a three-level detection scheme:

    • Malware scan (i.e., signature and heuristic) and sandbox simulation
    • Destination analysis using the Trend Micro Smart Protection Network
    • Rule-based heuristic analysis of network traffic

    Despite the modifications made to the Enfal malware, Deep Discovery is able to heuristically detect and defend against Enfal attacks.


    Posted in Malware, Targeted Attacks



    Cybercriminals intent on stealing your data find various ways to do so through social engineering. For example, in our investigation of what seemed to be a run-of-the-mill spam run leading to a pharma site, we uncovered the same points we raised in our e-guide, How Social Engineering Works.

    The spam run starts with an email notification bearing the familiar Facebook blue lines, and the message asks the recipient to confirm their account. Such a practice is nothing out of the ordinary, as most membership-based sites (even non-social-networking ones) send users an email to confirm their membership. The problem in this case, however, is that the email address to which the message was sent is not affiliated with any Facebook account.

    Further checking of the spam message shows that clicking on the link leads to a fake pharma site:

    While this kind of spam run is certainly not new, further analysis has revealed that this run has the potential to lead to more “evil” kinds of payload.

    Spam runs such as this one are versatile and can lead to anything, from survey scams to the popular Blackhole exploit kit, and can be switched from one to the other very quickly. So the fact that it loads a relatively “harmless” pharma site today does not guarantee that it will do the same tomorrow.

    Our investigation shows that this spam run is indeed a versatile one. The links in the spammed messages can be redirected to any number of sites, and these sites can lead to different kinds of threats such as malware, phishing attacks, and others.

    To address this, the Trend Micro Smart Protection Network correlates billions of data points to actively identify and block spam and malicious URLs, and to detect and delete malware. This provides layered protection for Trend Micro product users against threats such as this one.

     
    Posted in Social, Spam
