Last week we reported on the ‘Lurid’ attack that had impacted users in Russia and former Soviet states.
Following that report, Trend Micro published a whitepaper on the attack, which successfully compromised 1,465 computers in 61 different countries. According to authors Nart Villeneuve and David Sancho, the campaign was named ‘Lurid Downloader’ after the name the attackers gave their malware, although the malware is more commonly known as ‘Enfal’.
The whitepaper said: “The threat actors behind ‘Lurid Downloader’ launched 301 malware campaigns targeting entities in specific countries or geographic regions and tracked the success of each campaign by embedding a unique identifier in each instance of malware and associating it with specific victims.
“While some campaigns resulted in numerous victims, others were very specific and targeted, resulting in only one or two victims. While previous Enfal activity has been typically associated with threat actors in China, it remains unclear who is behind the Lurid Downloader attacks.”
Trend Micro reported that the Enfal malware has been used in targeted attacks as far back as 2006, and that, apart from the shared use of that malware, there appear to be several distinct sets of command and control (C&C) infrastructure in use.
Trend Micro uncovered a C&C network consisting of 15 domain names and ten IP addresses, and was able to retrieve a listing of the compromised computers connecting to these servers. Across the 1,465 unique hosts found, there were 2,272 unique external IP addresses connecting to the C&C network; these were concentrated in Russia (1,063), Kazakhstan (325) and Ukraine (102), along with numerous other countries of the former Soviet Union.
To infect users, the delivery mechanism was a blank email with a malicious PDF attached, spoofed to appear to come from the office of the Dalai Lama. Trend Micro also found that nearly 60 per cent of the campaigns affected only one or two victims, which it said indicated the precision with which they were conducted.
If the recipient opened the attachment with an older version of Adobe Reader, malicious code was executed that dropped malware on the target's system. The malware then connected to a C&C server under the attacker's control, compromising the target's computer. From here it collected the computer name, MAC address, OS and version, IP address and codepage and the language of the OS, and sent them back via HTTP POST.
The whitepaper said: “It constantly communicates with a C&C server to perform certain info-stealing tasks. The main feature of the Trojan is that all communication is started by the client by HTTP, so firewalls and other security devices will never see any communication from outside in.”
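Because every exchange on the channel described above is opened by the infected client over HTTP, inbound-only firewall rules never see it, and detection has to look at egress. As an added example that is not from the original article or the Trend Micro report, the Python below scans constructed proxy log lines (hypothetical hosts, paths and addresses) for outbound POSTs that recur at near-constant intervals, on the assumption that a client that “constantly communicates” with its server checks in on a roughly regular schedule:

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log lines (hypothetical, not from the report):
# timestamp, client IP, method, destination host, path, request bytes.
SAMPLE_LOG = """\
2011-09-20T10:00:00 10.1.2.3 POST cdn.example.invalid /upload.cgi 412
2011-09-20T10:00:04 10.1.2.3 GET news.example.invalid /index.html 0
2011-09-20T10:05:01 10.1.2.3 POST cdn.example.invalid /upload.cgi 410
2011-09-20T10:07:33 10.1.2.3 GET news.example.invalid /sports.html 0
2011-09-20T10:10:00 10.1.2.3 POST cdn.example.invalid /upload.cgi 415
2011-09-20T10:15:02 10.1.2.3 POST cdn.example.invalid /upload.cgi 411
2011-09-20T10:20:00 10.1.2.3 POST cdn.example.invalid /upload.cgi 413
2011-09-20T10:01:10 10.1.2.9 POST mail.example.invalid /send 8800
2011-09-20T10:44:50 10.1.2.9 POST mail.example.invalid /send 120
2011-09-20T11:30:05 10.1.2.9 POST mail.example.invalid /send 5000
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d+)$")


def parse(log):
    """Return (timestamp, client, method, host) tuples; skip malformed lines."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, client, method, host, _path, _size = m.groups()
            events.append((datetime.fromisoformat(ts), client, method, host))
    return events


def find_beacons(events, min_posts=4, max_cv=0.1):
    """Flag (client, host) pairs whose outbound POSTs recur at near-constant
    intervals; returns {pair: mean interval in seconds}.  max_cv bounds the
    coefficient of variation of the gaps, i.e. the tolerated jitter."""
    by_pair = defaultdict(list)
    for ts, client, method, host in events:
        if method == "POST":
            by_pair[(client, host)].append(ts)
    hits = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_posts:      # too few check-ins to judge
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else 0.0
        if cv <= max_cv:
            hits[pair] = round(avg)
    return hits
```

Run over the sample, only the five-minute POST cadence from 10.1.2.3 is flagged; the user on 10.1.2.9 posting to the mail host at irregular intervals and varying sizes is left alone.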
What struck me about this particular report was the scale of the attack, with so few impacts in so many countries. David Harley, senior research fellow at ESET, said: “There does seem to be a pattern to some of the compromised sites (political/diplomatic, research), but I'm not convinced that this is a highly targeted attack from a single source. Rather, it looks to me like a series of targeted attacks using a common mechanism.
“There has been speculation on the fact that China is one of the targeted countries, suggesting that China isn't a prime mover, despite the fact that many of the targets are obviously of interest to China. But then, China is obviously also of interest to China, not least when it comes to dissident movements within and outside its borders.
“I think it could be misleading to draw too many conclusions from the statistics: after all, two or three of those computers seem to have been in Russia and many of the others belong to its near neighbours. So there's certainly targeting, but the exact nature of the targeting is less clear.”
Luis Corrons, technical director at PandaLabs, said: “A very targeted attack would be targeted to one person. With the information that has been made public about this attack, I would say that this is a very interesting operation. It looks like the typical cyber crime operation, but with selected targets.
“In regular cases, we see how cyber criminals try to get as many people infected as possible to have a huge volume of information that they can trade with. However, a different approach would be to target a relatively small number of selected victims, which could have more valuable information to be stolen, so with less effort you could make huge amounts of money, and this Lurid case could be this kind of scenario.”
Asked if this is the next stage for nation-sponsored hacking/targeted attacks, Corrons said: “If so, we can be really happy. This is really too amateurish to be this kind of attack, a nation-sponsored attack is way more complex and advanced than this case.
“According to Trend Micro, some of the attacks were performed using 'compressed RAR files containing malicious screen savers'. If we think about a real nation-sponsored attack, or even another kind of targeted attack with an advanced persistent threat, you wouldn't risk the operation by sending your Trojan as a screensaver, as the user could send the file to an anti-virus company, or upload it to a VirusTotal kind of service (so all anti-virus companies will get your Trojan), and then it is bye-bye.”
In terms of who is behind this attack, Trend Micro said the IP addresses of the C&C servers were located in the US and the UK, while the registration information of the domain names indicated that the owners were in China.
“The use of Enfal has been historically linked with threat actors in China. In this case, the attack vector that we were able to analyse was related to the Tibetan community, which indicates an association with China. However, China was also a victim of Lurid Downloader,” it said.
I asked the Russian security company Kaspersky Lab for its perspective on this. Kurt Baumgartner, senior security researcher, said the tools used in this attack would not usually be classified as an APT, though the attack shares many of the characteristics of that threat.
“Targeted attacks have become more common, but labelling this as APT may be premature given the uncertainty of their data. Targeted attacks like these are just the sort of thing we protect our customers against every day. We examined mal-crafted PDFs from early in the year, and related back doors. These technologies are even simpler for us to detect than usual,” he said.
What struck me the most about this particular attack was the number of targets, the type of target and the simplicity of the attack – a malicious PDF attachment.
As Corrons said, a very targeted attack will pinpoint one person. So is the next type of attack one that is widespread but contained, targeted but distributed, and malicious but outdated?