Trend Micro has discovered an ongoing series of targeted attacks, known as “LURID,” that have successfully compromised 1465 computers in 61 different countries. We have been able to identify 47 victims including diplomatic missions, government ministries, space-related government agencies and other companies and research institutions.
The countries most impacted by this attack are Russia, Kazakhstan and Vietnam, along with numerous other countries – mainly in the CIS (Commonwealth of Independent States – or former Soviet Union).
This particular campaign comprised over 300 malicious, targeted attacks, monitored by the attackers using a unique identifier embedded in the associated malware. Our analysis reveals that some campaigns targeted communities in specific geographic locations, while others targeted specific victims. In total, the attackers used a command and control network of 15 domain names associated with the attackers and 10 active IP addresses to maintain persistent control over the 1465 victims.
The “Lurid Downloader,” often referred to as “Enfal,” is a well-known malware family but it is not a publicly available toolkit that can be purchased by aspiring cybercriminals. This malware family has in the past been used to target both the U.S. government and non-governmental organizations (NGOs). However, there appear to be no direct links between this particular network and the previous ones.
More and more frequently, targeted malware attacks such as these are being described as Advanced Persistent Threats. A target receives an email message that encourages him or her to open an attached file. The files sent by the attackers contain malicious code that exploits vulnerabilities in popular software programs such as Adobe Reader (e.g. .PDFs) and Microsoft Office (e.g. .DOCs). The payload of these exploits is malware that is silently executed on the target’s computer. This allows the attackers to take control of the computer and obtain data. The attackers may then move laterally throughout the target’s network and are often able to maintain control over compromised computers for extended periods of time. Ultimately, the attacks locate and exfiltrate sensitive information from the victim’s network.
As is frequently the case, it is difficult to ascertain who is behind this series of attacks because it is easy to manipulate artifacts, e.g. IP addresses and domain name registration, in order to mislead researchers into believing that a particular entity is responsible.
Although our research didn’t reveal precisely which data was being targeted, we were able to determine that, in some cases, the attackers attempted to steal specific documents and spreadsheets.
Through the exposure of the “Lurid” network, we aim to enable a better understanding of the extent and frequency of such attacks as well as the challenges that targeted malware attacks pose for traditional defenses. Defensive strategies can be dramatically improved by understanding how targeted malware attacks work as well as trends in the tools, tactics and procedures of the threat actors behind such attacks. By effectively using threat intelligence derived from external and internal sources combined with security tools that empower human analysts, organizations are better positioned to detect and mitigate such targeted attacks.
Rik Ferguson, director of security research & communication EMEA at Trend Micro, told El Reg that some of the affected sites used Trend Micro's technology, which helped detect the attack. Subsequent detective work led researchers back to two command and control servers, hosted by different ISPs (one in the US and one in the UK). Beyond saying the attack was likely to be motivated by cyberespionage, rather than profit, Ferguson was reluctant to speculate on who might be behind the attack or their motives.