
Modified versions of the Enfal malware, which figured prominently in the LURID attacks, were seen to have infected more than 800 systems worldwide. Enfal variants are known to communicate with specific servers that give potential attackers access to, and even full control of, infected systems.

We recently uncovered several attacks that used a modified version of Enfal and have compromised 874 systems in 33 countries. Enfal was the malware used in the LURID targeted attacks, which we documented in September 2011. The malware has also been linked to attacks going back to 2006 and possibly even 2002.

We investigated five command-and-control (C&C) servers related to these attacks and found victim concentrations in Vietnam, Russia and Mongolia.

The identified targeted victims can be categorized as:

• Government ministries and agencies
• Military and defense contractors
• Nuclear and energy sectors
• Space and aviation
• Tibetan community

Here are the top 5 countries that had compromised computers connecting to each of the five C&C servers. Note that a single compromised system may connect to more than one server.

C&C (1) {BLOCKED}2.152.14
  Country        Compromised systems
  Vietnam        394
  Russia          34
  India           19
  China           14
  Bangladesh      11

C&C (2) {BLOCKED}2.153.79
  Country        Compromised systems
  Russia          85
  Mongolia        65
  Kazakhstan      32
  United States   19
  India           14

C&C (3) {BLOCKED}8.175.122
  Country        Compromised systems
  Mongolia        41
  Russia          14
  China           11
  Philippines      6
  India            5

C&C (4) {BLOCKED}3.76.90
  Country        Compromised systems
  Mongolia        42
  Russia          25
  Philippines      5
  China            4
  Brazil           2

C&C (5) {BLOCKED}2.154.203
  Country        Compromised systems
  Russia          36
  Kazakhstan       2
  Pakistan         1

It should be noted, however, that in many cases we were unable to identify a specific victim beyond ISP and country. We are continuously notifying compromised parties via appropriate channels.

Attacks Using Modified Enfal With Campaign “Tags”

We found 63 campaign “tags” or codes that the attackers used to keep track of which attack compromised which computers. Here are the top 5 campaign tags.

Campaign tag   Compromised systems
ynshll         221
ynsh           113
mgin            89
0821zh          40
ym2012814       38

During our research, we found that the typical vector used in the attacks is a socially engineered email with a malicious attachment.

The attachment is the malicious document Special General Meeting.doc (detected as TROJ_ARTIEF.JN), which exploits a Microsoft Office vulnerability (CVE-2012-0158) to drop BKDR_MECIV.AF onto the targeted computer. The compromised computer then begins to communicate with a C&C server, through which the attackers can maintain full control of the computer.

File name                     MD5                               Detection
Special General Meeting.doc   2f66e1a97b17450445fbbec36de93daf  TROJ_ARTIEF.JN
datac1en.dll                  9801d66d822cb44ea4bf8f4d2739e29c  BKDR_MECIV.AF

This variant's communication with the C&C server differs from that of previous Enfal versions. The names of the files requested on the C&C server have been changed, and so has the XOR value used to encrypt the communications. In addition, all of the communication is now XORed.

Previous versions of Enfal consistently requested “/cg[a-z]-bin/Owpq4.cgi” on the C&C server, which made that path a reliable network indicator.

In addition, we found malicious documents in Russian that also drop the Enfal malware and connect to this network of C&C servers.

File name                 MD5
Замысел Кавказ 2012.doc   81f40945554a4d585ea4993e43a493a5
datac1en.dll              7185411935b5c24d600bd17debc2a0a0

The samples of this Enfal variant, which connect to the URL path /8jwpc/odw3ux, have used a variety of sub-domains on at least five domain names as C&C servers: {BLOCKED}, {BLOCKED}, {BLOCKED}, {BLOCKED} and {BLOCKED}.

In addition to this Enfal variant, its traditional version remains active as well. However, the modifications made to the traditional Enfal file paths indicate that the attackers are attempting to bypass defense measures such as IDS and network monitoring that match on Enfal’s consistent URL paths.
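To show why a network rule keyed only to the legacy path no longer suffices, here is an added example (not code from the original post or from Trend Micro) that scans proxy-log lines for both the legacy “/cg[a-z]-bin/Owpq4.cgi” pattern and the modified variant's /8jwpc/odw3ux path and summarizes hits per client. The log-line format, client addresses, hostnames and timestamps are constructed for the example; the XOR key is deliberately absent because the post does not publish it.

```python
import re
from collections import Counter

# Legacy Enfal C&C request path as described in the post: /cg[a-z]-bin/Owpq4.cgi
LEGACY_ENFAL_PATH = re.compile(r"^/cg[a-z]-bin/Owpq4\.cgi$")
# Path requested by the modified variant (optional trailing query string allowed)
MODIFIED_ENFAL_PATH = re.compile(r"^/8jwpc/odw3ux(?:[/?].*)?$")

# Assumed (constructed) proxy-log line format for this example:
# <timestamp> <client_ip> <method> <host> <path> <status>
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) "
    r"(?P<host>\S+) (?P<path>\S+) (?P<status>\d{3})$"
)


def classify_path(path):
    """Return the indicator family a request path matches, or None if it matches neither."""
    if LEGACY_ENFAL_PATH.match(path):
        return "enfal-legacy"
    if MODIFIED_ENFAL_PATH.match(path):
        return "enfal-modified"
    return None


def scan_proxy_log(lines):
    """Return (client, host, path, family) for every request hitting an Enfal path indicator."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the whole scan
        family = classify_path(m.group("path"))
        if family:
            hits.append((m.group("client"), m.group("host"), m.group("path"), family))
    return hits


def summarize(hits):
    """Count hits per (client, family) so an analyst can see which hosts to triage first."""
    return Counter((client, family) for client, _host, _path, family in hits)


# Constructed sample log; hostnames use the reserved .invalid TLD and are not real C&C domains.
SAMPLE_LOG = [
    "2012-09-18T08:01:12Z 10.0.0.15 GET cnc1.example.invalid /cgi-bin/Owpq4.cgi 200",    # legacy path
    "2012-09-18T08:01:40Z 10.0.0.15 GET www.example.com /index.html 200",               # benign
    "2012-09-18T08:02:03Z 10.0.0.22 POST beacon.example.invalid /8jwpc/odw3ux 200",     # modified variant
    "2012-09-18T08:02:09Z 10.0.0.22 POST beacon.example.invalid /8jwpc/odw3ux 200",
    "2012-09-18T08:03:11Z 10.0.0.31 GET cnc2.example.invalid /cgx-bin/Owpq4.cgi 404",   # legacy, other letter
    "malformed line that does not parse",
]

if __name__ == "__main__":
    for client, host, path, family in scan_proxy_log(SAMPLE_LOG):
        print(f"{family:15} {client:12} {host} {path}")
    for (client, family), n in summarize(scan_proxy_log(SAMPLE_LOG)).items():
        print(f"{client} {family}: {n} request(s)")
```

A rule containing only LEGACY_ENFAL_PATH would flag 10.0.0.15 and 10.0.0.31 but miss the two beacons from 10.0.0.22, which is exactly the gap the path change opens; keeping both patterns in one rule set closes it without touching the XOR layer.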

Trend Micro Deep Discovery defends against these attacks using a three-level detection scheme:

• Malware scan (i.e., signature and heuristic) and sandbox simulation
• Destination analysis using the Trend Micro Smart Protection Network
• Rule-based heuristic analysis of network traffic

Despite the modifications made to the Enfal malware, Deep Discovery is able to heuristically detect and defend against Enfal attacks.



© Copyright 2013 Trend Micro Inc. All rights reserved.