Researchers have uncovered a series of cyber-attacks
targeting government agencies and research institutions around the world. But unlike
recent high-profile incidents, China has not been blamed.
Attackers targeted 47 victims including space-related
government agencies, diplomatic missions, research institutions and companies
located in 61 countries, including Russia, India, Mongolia, Vietnam and the Commonwealth
of Independent States (former Soviet Union countries), Trend Micro researchers
wrote in a Sept. 22 blog. Trend Micro classified the attack as an advanced
persistent threat and said a total of 1,465 computers had been targeted,
including the ones belonging to the Russian Federal Space Agency.
Dubbed “Lurid,” these attacks do not appear be
very different from other recent stealth cyber-campaigns, such as Shady RAT,
Aurora and Night Dragon. Employees received malicious emails designed to
exploit vulnerabilities in unpatched software, most often Adobe Reader and
Microsoft Office, wrote David Sancho and Nart Villeneuve, senior threat
researchers at Trend Micro.
The malicious attachments did not always rely upon zero-day
vulnerabilities, but used older, reliable exploits going as far back as 2009.
The zero-days were saved for “hardened targets,” but Trend Micro has
not yet come across those emails.
“In total, the attackers used a command and control
network of 15 domain names associated with the attackers and 10 active IP
addresses to maintain persistent control over the 1,465 victims,” Sancho
and Villeneuve wrote.
The Enfal malware family has been used to attack government
and non-governmental organizations in the United States working with the
Tibetan community in the past. However, there appear to be no direct links
between this particular attack and the previous ones, Sancho and Villeneuve
The attacks appear to have started in August 2010 and the
malicious emails were sent in “waves.” Logfiles intercepted by
Trend Micro identified at least 301 waves of discrete mail campaigns because
each malware sent back a “marker” to the CC servers to identify
itself. A little over half, or 59 percent, were directed toward unique hosts.
Once one machine had been compromised inside an organization, the attackers
used it as a jumping-off point to infect other machines on the network.
One version of the malware installed itself as a Windows
service and the other version added itself to the Windows start-up routine. The
malware also allowed attackers to gain shell access to issue a variety of
commands on the compromised system.
In the Lurid campaign, once a system was compromised,
attackers used the “Enfal” downloader Trojan to steal spreadsheets,
documents and other information. Enfal has been around since at least 2006, but
it is not commonly sold on underground criminal forums.
Stolen documents were uploaded to Websites hosted on
command-and-control servers located in the United States and the United Kingdom.
This doesn’t mean the attackers were based in the United States or UK as attackers can
hide their tracks by compromising servers anywhere in the world and using tools
such as virtual private networks (VPN) to mislead investigators. In recent
cyber-attacks, such as “Shady RAT,” China was often blamed just
because the command-and-control servers appeared to be based in China.
Trend Micro has gained access to the logfiles on the cc
server but did not access the server directly. Nor has it discovered the actual
stolen files. A non-governmental organization working on Tibet-related projects
submitted the initial malware to Trend Micro for analysis in March.
Trend Micro has notified the Federal Bureau of Investigation
and the Metropolitan Police Central eCrime Unit.