SciTech

'Lurid' targeted attacks hit 61 countries


An ongoing series of targeted attacks on 47 government agencies and private institutions, known as “Lurid,” has compromised 1,465 computers in 61 countries, a computer security firm said Friday.

Trend Micro said the 47 victims included diplomatic missions, government ministries, space-related government agencies, and other firms and research institutions.

“This particular campaign comprised over 300 malicious, targeted attacks, monitored by the attackers using a unique identifier embedded in the associated malware. Our analysis of the campaigns reveals that attackers targeted communities in specific geographic locations as well as campaigns that targeted specific victims,” it said in a blog post. It described the attacks as “Advanced Persistent Threats (APTs).”

The countries most affected by the attack include Russia, Kazakhstan and Vietnam, with most of the remaining victims in the Commonwealth of Independent States (CIS), the former Soviet Union, it said.

Trend Micro said the attackers used a command-and-control network of 15 domain names and 10 active IP addresses to keep control over the 1,465 victims.

It said the “Lurid Downloader,” often referred to as “Enfal,” is a well-known malware family but is not a publicly available toolkit. “Lurid” had previously been used to target both the U.S. government and non-governmental organizations (NGOs), but in this case Trend Micro said there appear to be no direct links between this particular network and the previous ones.

APT targeting

In an APT, a target receives an email message that encourages him or her to open an attached file. The files sent by the attackers contain malicious code that exploits vulnerabilities in popular software such as Adobe Reader (PDF) and Microsoft Office (DOC). Once activated, the malware silently executes on the target computer and allows the attackers to take control of the computer and obtain data.
“The attackers may then move laterally throughout the target’s network and are often able to maintain control over compromised computers for extended periods of time. Ultimately, the attacks locate and ex-filtrate sensitive information from the victim’s network,” Trend Micro said.

In the case of “Lurid,” Trend Micro said the malware is executed on the victim’s system and connects to the same network of command-and-control (C&C) servers.

The malware employs two persistence mechanisms. One installs itself as a Windows service. The other copies itself to the system folder, changes the common startup folder of Windows to a special folder it creates, and then copies all the usual auto-start items there, along with itself.

Once in place, the malware collects information from compromised computers and sends it to the C&C server via HTTP POST. The attackers are thus able to issue commands to the compromised computers.

“These commands allow the attackers to send and receive files as well as activate an interactive remote shell on compromised systems. The attackers typically retrieve directory listings from the compromised computers and steal data (such as specific .XLS files),” Trend Micro said.

Top 10 victim countries

Citing the information recovered from the command-and-control servers, Trend Micro said there were 1,465 unique hosts (hostname plus MAC address, as stored by the C&C) and 2,272 unique external IP addresses. The top 10 countries of infected computers include:

    Russia: 1,063
    Kazakhstan: 325
    Ukraine: 102
    Vietnam: 93
    Uzbekistan: 88
    Belarus: 67
    India: 66
    Kyrgyzstan: 49
    Mongolia: 42
    CN: 39
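The second persistence mechanism described above, repointing the all-users Startup folder to a directory the malware creates, leaves a registry trace that a defender can check. The following is an added example, not code from the article or from Trend Micro: the registry locations and stock folder paths come from general Windows knowledge rather than from the report, and the sample host values are constructed.

```python
import sys

# Explorer subkeys under HKLM whose "Common Startup" value gives the all-users Startup
# folder location; repointing that folder means changing these (general Windows knowledge).
EXPLORER_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer"
EXPECTED_COMMON_STARTUP = {
    "Shell Folders": {  # resolved paths
        r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup",       # Vista and later
        r"C:\Documents and Settings\All Users\Start Menu\Programs\Startup",   # XP / Server 2003
    },
    "User Shell Folders": {  # unexpanded (REG_EXPAND_SZ) forms
        r"%ProgramData%\Microsoft\Windows\Start Menu\Programs\Startup",
        r"%ALLUSERSPROFILE%\Start Menu\Programs\Startup",
    },
}

def find_startup_redirects(values):
    """values maps subkey name -> current 'Common Startup' string.
    Returns one finding per entry that no longer points at a stock location
    (comparison is case-insensitive and ignores a trailing backslash)."""
    findings = []
    for subkey, expected in EXPECTED_COMMON_STARTUP.items():
        current = values.get(subkey)
        if current is None:
            continue
        normalized = current.rstrip("\\").lower()
        if normalized not in {e.lower() for e in expected}:
            findings.append(f"HKLM\\{EXPLORER_KEY}\\{subkey}\\Common Startup -> {current}")
    return findings

def read_live_values():
    """On a Windows host, read both entries with winreg; elsewhere return {}."""
    if sys.platform != "win32":
        return {}
    import winreg
    out = {}
    for subkey in EXPECTED_COMMON_STARTUP:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, f"{EXPLORER_KEY}\\{subkey}") as key:
            out[subkey], _ = winreg.QueryValueEx(key, "Common Startup")
    return out

# Constructed sample hosts (not real data): one stock, one with the folder repointed.
CLEAN_HOST = {
    "Shell Folders": r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup",
    "User Shell Folders": r"%ProgramData%\Microsoft\Windows\Start Menu\Programs\Startup",
}
REDIRECTED_HOST = dict(CLEAN_HOST, **{"Shell Folders": r"C:\ProgramData\Update\Startup"})

if __name__ == "__main__":
    for label, host in (("clean", CLEAN_HOST), ("redirected", REDIRECTED_HOST), ("live", read_live_values())):
        print(label, find_startup_redirects(host) or "Common Startup at stock location")
```

A non-empty result is only an indicator: confirm by listing the directory the value points at, since a legitimate relocation of the folder produces the same finding.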
“As is frequently the case, it is difficult to ascertain who is behind this series of attacks because it is easy to manipulate artifacts, e.g. IP addresses and domain name registration, in order to mislead researchers into believing that a particular entity is responsible,” Trend Micro said. It added that it has so far determined the attackers attempted to steal specific documents and spreadsheets. — TJD, GMA News