
Trend Micro Exposes LURID APT

  • Posted on:September 22, 2011 at 7:51 am
  • Posted in:Exploits, Malware, Targeted Attacks
  • Author:
    David Sancho and Nart Villeneuve (Senior Threat Researchers)

Trend Micro has discovered an ongoing series of targeted attacks known as “LURID,” which has successfully compromised 1,465 computers in 61 different countries. We have been able to identify 47 victims, including diplomatic missions, government ministries, space-related government agencies, as well as other companies and research institutions.

The countries most affected by this attack are Russia, Kazakhstan, and Vietnam, along with numerous other countries, mainly member states of the Commonwealth of Independent States (CIS) in the former Soviet Union.

This particular campaign comprised over 300 malicious targeted attacks that were monitored by the attackers using a unique identifier embedded in the associated malware. Our analysis of the campaigns reveals that attackers targeted communities in specific geographic locations as well as specific victims. In total, the attackers used a command-and-control (C&C) network of 15 domain names and 10 active IP addresses to maintain persistent control over the 1,465 victims.

The Lurid Downloader, often referred to as Enfal, is a well-known malware family. It is, however, not created with a publicly available toolkit that can be purchased by any aspiring cybercriminal. This malware family has, in the past, been used to target both the U.S. government and nongovernmental organizations (NGOs). However, there appear to be no direct links between this particular network and previous ones.

More and more frequently, targeted malware attacks such as these are being described as advanced persistent threats (APTs). The target receives an email that encourages the recipient to open an attached file. The file sent by the attackers contains malicious code that exploits vulnerabilities in popular software such as Adobe Reader (e.g., via .PDF files) and Microsoft Office (e.g., via .DOC files).

The payload of these exploits is malware that is silently executed on the target’s computer. This allows the attackers to take control of the computer and to obtain data. The attackers may then move laterally through the target’s network and often maintain control over compromised computers for extended periods of time. Ultimately, the attackers locate and exfiltrate sensitive information from the victim’s network.

Dissecting the Attack

Advanced: This is a series of ongoing targeted attack campaigns that used a variety of exploits for Adobe Reader, including ones for CVE-2009-4324 and CVE-2010-2883, as well as compressed .RAR files containing malicious screensavers (.SCR files, which are ordinary Windows executables).

Regardless of the attack vector, the LURID malware is executed on the victim’s system and connects to the same network of C&C servers. Attackers do not always rely on zero-day exploits; they frequently use older, reliable exploits and save their zero-day exploits for hardened targets. While we have yet to locate samples that contain zero-day exploits, the campaign identifiers used by the attackers do make reference to the use of such exploits.
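The two delivery vectors described above, exploit documents and screensavers shipped inside archives, can be triaged at the mail gateway before anything is opened. The script below is an added example, not Trend Micro's tooling: a pdfid-style count of the PDF name objects an exploit document needs (JavaScript, auto-run actions, embedded files), which also unescapes the hex-encoded names (/J#61vaScript) attackers use to dodge naive string matching, plus a file-name check for executable archive members. The PDF bytes and the archive listing are constructed for the example.

```python
"""
Attachment triage for exploit PDFs and screensaver-in-archive lures.
Added example, not Trend Micro's code. Sample inputs are constructed.
"""
import re
from collections import Counter
from typing import Dict, Iterable, List

# Name objects that carry code or trigger it on open.
RISKY_NAMES = ("/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch",
               "/EmbeddedFile", "/RichMedia", "/ObjStm")
_NAME_RE = re.compile(rb"/[^\s/\[\]<>(){}%]+")   # one PDF name token
_HEX_RE = re.compile(rb"#([0-9A-Fa-f]{2})")      # #xx escape inside a name

def _unescape(name: bytes) -> str:
    """Turn /J#61vaScript into /JavaScript so escaped names are still counted."""
    return _HEX_RE.sub(lambda m: bytes([int(m.group(1), 16)]), name).decode("latin-1")

def scan_pdf(data: bytes) -> Dict[str, int]:
    """Count risky name objects in raw PDF bytes. No object-structure parsing,
    so truncated or deliberately malformed files are scanned just the same."""
    counts = Counter(_unescape(m.group(0)) for m in _NAME_RE.finditer(data))
    return {name: counts.get(name, 0) for name in RISKY_NAMES}

def pdf_verdict(counts: Dict[str, int]) -> str:
    triggers = counts["/OpenAction"] + counts["/AA"]                 # runs without a click
    payloads = counts["/JavaScript"] + counts["/JS"] + counts["/Launch"]
    if triggers and payloads:
        return "high"
    if payloads or counts["/EmbeddedFile"] or counts["/RichMedia"]:
        return "medium"
    return "low"

# Extensions Windows executes directly; a .scr is a plain PE executable.
EXEC_EXT = (".scr", ".exe", ".pif", ".com", ".cpl", ".bat", ".cmd", ".vbs", ".lnk")

def suspicious_archive_members(names: Iterable[str]) -> List[str]:
    """Flag executable members of an archive listing. Double extensions such as
    'Agenda.doc.scr' and padding spaces before the real extension do not hide
    the final extension from an endswith check."""
    return [n for n in names if n.lower().rstrip().endswith(EXEC_EXT)]

# Constructed sample: a catalog whose OpenAction points at a hex-escaped
# JavaScript action. Only the structure a scanner keys on, not an exploit.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n"
    b"4 0 obj << /S /J#61vaScript /JS (app.alert(1);) >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)
# Constructed archive listing in the style of the .RAR lure.
SAMPLE_ARCHIVE = ["readme.txt", "Conference Agenda.doc.scr", "photo.jpg "]

if __name__ == "__main__":
    counts = scan_pdf(SAMPLE_PDF)
    print(counts, pdf_verdict(counts))
    print(suspicious_archive_members(SAMPLE_ARCHIVE))
```

The verdict logic is deliberately coarse: a document that both auto-runs something and carries code is worth detonating in a sandbox regardless of whether the particular CVE is known, which is the point made above about attackers reusing old, reliable exploits.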

Persistent: In the course of our research, we found two different persistence mechanisms in the malware. One version maintains persistence by installing itself as a Windows service; another copies itself to the system folder and ensures persistence by changing the common startup folder to a specially crafted one, into which it copies all of the usual autostart items along with a copy of itself, so that the legitimate autostart items still run. We were also able to organize the malware and victims by campaign: the malware communicates back a “marker,” much like the identifier included in an advertising campaign, which lets the attackers keep track of who was infected by which malware.
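The startup-folder trick above is cheap to check for on a host. Explorer reads the all-users Startup location from the "Common Startup" value under the Shell Folders registry key; if that value points anywhere other than the default, everything in the new directory runs at logon. Because the malware copies the legitimate autostart items across, the useful signal is the set difference between the two folders. The script below is an added example, not Trend Micro's code; the registry key and default paths are standard Windows locations, while the snapshot it runs on is constructed and its folder and file names are invented.

```python
"""
Triage for a redirected Common Startup folder (added example, not Trend
Micro's code). The constructed snapshot mimics what read_live_snapshot()
collects on a real Windows host.
"""
import os
import sys
from typing import Dict, Iterable, List, Tuple

SHELL_FOLDERS_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"
# Default all-users Startup folder on Vista and later, and on XP/2003.
EXPECTED_COMMON_STARTUP = (
    r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup",
    r"C:\Documents and Settings\All Users\Start Menu\Programs\Startup",
)

def _norm(path: str) -> str:
    return path.rstrip("\\").lower()

def check_common_startup(shell_folders: Dict[str, str]) -> Tuple[bool, str]:
    """Return (redirected, configured path). A missing value counts as redirected."""
    path = shell_folders.get("Common Startup", "")
    expected = {_norm(p) for p in EXPECTED_COMMON_STARTUP}
    return (_norm(path) not in expected, path)

def extra_autostart_items(original: Iterable[str], redirected: Iterable[str]) -> List[str]:
    """Entries in the redirected folder that the legitimate folder does not have:
    the attacker's additions, since the legitimate items were copied over."""
    known = {n.lower() for n in original}
    return sorted(n for n in redirected if n.lower() not in known)

def triage(snapshot: dict) -> dict:
    redirected, path = check_common_startup(snapshot["shell_folders"])
    result = {"redirected": redirected, "common_startup": path, "added_items": []}
    if redirected:
        legit = next((snapshot["folders"][p] for p in EXPECTED_COMMON_STARTUP
                      if p in snapshot["folders"]), [])
        result["added_items"] = extra_autostart_items(legit, snapshot["folders"].get(path, []))
    return result

def read_live_snapshot() -> dict:
    """Collect the same data on a live Windows host (registry value + listings)."""
    if sys.platform != "win32":
        raise RuntimeError("live collection requires Windows")
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SHELL_FOLDERS_KEY) as key:
        common, _ = winreg.QueryValueEx(key, "Common Startup")
    folders = {p: os.listdir(p) for p in {common, *EXPECTED_COMMON_STARTUP} if os.path.isdir(p)}
    return {"shell_folders": {"Common Startup": common}, "folders": folders}

# Constructed snapshot (invented names): the value points at an attacker-made
# folder that mirrors the real one plus one extra executable.
SAMPLE_SNAPSHOT = {
    "shell_folders": {"Common Startup": r"C:\Windows\system32\config\Startup"},
    "folders": {
        EXPECTED_COMMON_STARTUP[0]: ["desktop.ini", "Printer Monitor.lnk"],
        r"C:\Windows\system32\config\Startup": ["desktop.ini", "Printer Monitor.lnk", "svchosts.exe"],
    },
}

if __name__ == "__main__":
    print(triage(SAMPLE_SNAPSHOT))
```

The same comparison applies to the per-user "Startup" value under the HKCU Shell Folders key, and a clean baseline of the default folder's contents taken from a known-good build makes the set difference more reliable than trusting whatever is currently in the default folder.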

Threat: The malware collects information from compromised computers and sends it to the C&C server via HTTP POST. Through communication with the C&C servers, the attackers can issue a variety of commands to compromised computers, which allow them to send and receive files and to open an interactive remote shell on the compromised systems. The attackers typically retrieve directory listings from the compromised computers and then steal specific files (e.g., particular .XLS spreadsheets). Trend Micro researchers were able to retrieve some of these commands but not the files themselves.

In numbers, based on the information recovered from the C&C servers, we can confirm that there were:

  • 1,465 unique hosts (host name + MAC address as stored by the C&C)
  • 2,272 unique external IP addresses

The top 10 countries by number of victim IP addresses (out of the 2,272 total) were:

COUNTRY      VICTIM IPs
RUSSIA       1063
KAZAKHSTAN    325
UKRAINE       102
VIETNAM        93
UZBEKISTAN     88
BELARUS        67
INDIA          66
KYRGYZSTAN     49
MONGOLIA       42
CHINA          39
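The two figures above (unique hosts keyed on host name plus MAC address, and unique external IP addresses) differ for reasons that matter when sizing a campaign: a laptop that checks in from several networks inflates the IP count, while a ministry whose whole network sits behind one NAT address deflates it. The script below is an added example, not Trend Micro's code, showing the counting over recovered check-in records. The record layout is an assumption (the only fact taken from the post is that the C&C keyed victims on host name + MAC); the records and the campaign markers in them are constructed.

```python
"""
Victim counting over recovered C&C check-in records (added example, not
Trend Micro's code). Record format and contents are constructed.
"""
import csv
import io
from collections import defaultdict
from typing import Dict, List, Tuple

Host = Tuple[str, str]   # (hostname, MAC) as the C&C keyed its victims

# Constructed records: one host roaming between two IPs, two hosts behind one
# NAT IP, and two distinct machines both named ADMIN-PC. Markers are invented.
CHECKINS = """\
ts,marker,hostname,mac,src_ip
2011-08-01T09:12:03,0801-ru-pdf,MINFIN-WS12,00-1A-2B-3C-4D-5E,198.51.100.10
2011-08-01T09:15:44,0801-ru-pdf,MINFIN-WS12,00-1A-2B-3C-4D-5E,198.51.100.10
2011-08-02T11:02:10,0801-ru-pdf,minfin-ws12,00:1a:2b:3c:4d:5e,203.0.113.7
2011-08-02T11:30:00,0801-ru-pdf,MINFIN-WS07,00-1A-2B-3C-4D-9F,198.51.100.10
2011-08-03T08:00:00,0725-kz-scr,ADMIN-PC,00-50-56-AA-BB-01,192.0.2.44
2011-08-03T08:01:00,0725-kz-scr,ADMIN-PC,00-50-56-AA-BB-02,192.0.2.45
2011-08-04T16:20:00,0725-kz-scr,ADMIN-PC,00-50-56-AA-BB-01,192.0.2.46
"""

def parse_checkins(text: str) -> List[dict]:
    return list(csv.DictReader(io.StringIO(text)))

def host_id(rec: dict) -> Host:
    """Normalise case and MAC separators so one machine maps to one identity."""
    return (rec["hostname"].upper(), rec["mac"].upper().replace(":", "-"))

def victim_counts(records: List[dict]) -> Dict[str, int]:
    """The three tallies that get confused in victim counts."""
    return {
        "hosts": len({host_id(r) for r in records}),
        "hostnames_only": len({host_id(r)[0] for r in records}),
        "external_ips": len({r["src_ip"] for r in records}),
    }

def campaign_breakdown(records: List[dict]) -> Dict[str, int]:
    """Unique hosts per campaign marker."""
    by_marker: Dict[str, set] = defaultdict(set)
    for r in records:
        by_marker[r["marker"]].add(host_id(r))
    return {m: len(hosts) for m, hosts in sorted(by_marker.items())}

def shared_ips(records: List[dict]) -> Dict[str, int]:
    """External IPs fronting more than one host (NAT or proxy egress):
    counting IPs undercounts victims here."""
    hosts_by_ip: Dict[str, set] = defaultdict(set)
    for r in records:
        hosts_by_ip[r["src_ip"]].add(host_id(r))
    return {ip: len(h) for ip, h in hosts_by_ip.items() if len(h) > 1}

def roaming_hosts(records: List[dict]) -> Dict[Host, int]:
    """Hosts seen from more than one IP (DHCP, laptops on the move):
    counting IPs overcounts victims here."""
    ips_by_host: Dict[Host, set] = defaultdict(set)
    for r in records:
        ips_by_host[host_id(r)].add(r["src_ip"])
    return {h: len(ips) for h, ips in ips_by_host.items() if len(ips) > 1}

if __name__ == "__main__":
    recs = parse_checkins(CHECKINS)
    print(victim_counts(recs))
    print(campaign_breakdown(recs))
    print(shared_ips(recs))
    print(roaming_hosts(recs))
```

On the constructed data the IP count (5) exceeds the host count (4) while the hostname-only count (3) falls short of it, which is the same shape as the 2,272 IP addresses against 1,465 hosts reported above; keying on host name plus MAC is what makes the 1,465 figure defensible.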

As is frequently the case, it is difficult to ascertain who is behind this series of attacks because it is easy to manipulate artifacts (e.g., IP addresses and domain name registration details) in order to mislead researchers into believing that a particular entity is responsible.

Although our research didn’t precisely reveal which data was targeted, we were able to determine that, in some cases, the attackers attempted to steal specific documents and spreadsheets.

Through the exposure of the Lurid network, we aim to enable better understanding of the extent and frequency of such attacks as well as the challenges that targeted malware attacks pose for traditional defenses.

Defensive strategies can be dramatically improved by understanding how targeted malware attacks work as well as trends in the tools, tactics, and procedures of the threat actors behind such attacks. By effectively using threat intelligence derived from external and internal sources, combined with security tools that empower human analysts, organizations are better positioned to detect and mitigate targeted attacks.

For more information on this attack, you can check out our research paper, “The ‘LURID’ Downloader.”
