    Author Archive - David Sancho and Nart Villeneuve (Senior Threat Researchers)

    Determining who is ultimately behind targeted attacks is difficult. It requires a combination of technical and contextual analysis as well as the ability to connect disparate pieces of information together over a period of time. Moreover, any one researcher typically does not necessarily have all of these pieces of information and must interpret the available evidence. Too often, attribution is solely based on easily spoofed evidence such as IP addresses and domain name registrations.

    This post is a follow-up to the post we published yesterday. It presents some background information on the LURID attacks and on their relationship with previous Enfal attacks in order to provide some context to this case.

    Interestingly, while previous Enfal attacks have been attributed to China, in this case, the IP addresses of the command-and-control (C&C) servers were located in the United States and in the United Kingdom. However, the registration information of the domain names used indicates that their owners are from China. In either case, this information is not difficult to manipulate. Neither of these two artifacts taken on their own is sufficient to determine attribution.

    The History of Enfal

    The history of this malware combined with the nature of some of its target victims do provide some clues. The malware used in the “Lurid Downloader” attacks is commonly known as Enfal and has been used in targeted attacks as far back as 2006. In 2008, Maarten Van Horenbeeck documented a series of targeted malware attacks that made use of the Enfal Trojan to target government organizations, nongovernmental organizations (NGOs), as well as defense contractors and U.S. government employees.

    In 2009 and 2010, researchers from the University of Toronto published reports on two cyber espionage networks known as GhostNet and ShadowNet, which included malware and C&C infrastructure connected to the Enfal Trojan. In addition, the domain names Enfal used as C&C servers are, according to U.S. diplomatic cables leaked to WikiLeaks, linked to a series of attacks known as “Byzantine Hades.” According to these leaked cables, this set of threat actors has been active since 2002 and has activity subsets known as Byzantine Anchor, Byzantine Candor, and Byzantine Foothold.

    Notably, other than the use of Enfal itself, there appear to be several distinct sets of C&C infrastructure in use, and the relationship among those operating these separate infrastructures remains unclear.



    Trend Micro has discovered an ongoing series of targeted attacks known as “LURID,” which has successfully compromised 1,465 computers in 61 different countries. We have been able to identify 47 victims, including diplomatic missions, government ministries, space-related government agencies, as well as other companies and research institutions.

    The countries most impacted by this attack include Russia, Kazakhstan, and Vietnam, along with numerous other countries, mainly members of the Commonwealth of Independent States (in the former Soviet Union).

    This particular campaign comprised over 300 malicious targeted attacks that were monitored by the attackers using a unique identifier embedded in the associated malware. Our analysis of the campaigns reveals that attackers targeted communities in specific geographic locations as well as specific victims. In total, the attackers used a command-and-control (C&C) network of 15 domain names and 10 active IP addresses to maintain persistent control over the 1,465 victims.

    The Lurid Downloader, often referred to as Enfal, is a well-known malware family. It is, however, not created with a publicly available toolkit that can be purchased by any aspiring cybercriminal. This malware family has, in the past, been used to target both the U.S. government and nongovernmental organizations (NGOs). However, there appear to be no direct links between this particular network and previous ones.

    More and more frequently, targeted malware attacks such as these are being described as advanced persistent threats. A target receives an email that encourages him/her to open an attached file. The file sent by the attackers contains malicious code that exploits vulnerabilities in popular software such as Adobe Reader (e.g., .PDFs) and Microsoft Office (e.g., .DOCs).

    The payload of these exploits is malware that is silently executed on the target’s computer. This allows the attackers to take control of the computer and to obtain data. The attackers may then move laterally throughout the target’s network and often maintain control over compromised computers for extended periods of time. Ultimately, the attacks locate and exfiltrate sensitive information from the victim’s network.




    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice