A series of targeted attacks that have compromised 1,465 computers in more than 60 countries has been detected.
According to research by Trend Micro, the victims include diplomatic missions, government ministries and space-related government agencies, with Russia, Kazakhstan and Vietnam the most-affected nations.
Rik Ferguson, director of security research and communication EMEA at Trend Micro, said the campaign involved more than 300 targeted attacks that were monitored by the culprits using a unique identifier embedded in the associated malware.
“In total, the attackers used a command and control network of 15 domain names associated with the attackers and ten active IP addresses to maintain persistent control over the 1,465 victims,” he said.
This particular attack has been named ‘Lurid’. Trend Micro said it is a well-known malware family, but is not a publicly available toolkit. It has also been used to target both the US government and non-governmental organisations.
The attack takes advantage of Adobe Reader flaws as well as compressed RAR files containing malicious screen savers. Once executed on a system, it connects to a network of command and control servers (C&C) and the malware collects information from compromised computers that is sent to the C&C via HTTP POST.
Through this communication, the attackers are able to issue a variety of commands to the compromised computers; attackers have been able to send and receive files as well as activate an interactive remote shell on compromised systems.
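The article describes the malware reporting to its C&C over HTTP POST. The following is an added example (not from Trend Micro or the article) of how a defender might surface that behaviour in proxy logs: it looks for client/host pairs whose POST requests recur at near-constant intervals, which is characteristic of a beaconing implant. The log format and the `c2-placeholder.example` hostname are constructed for illustration and are not Lurid indicators.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev
from urllib.parse import urlsplit

# Constructed proxy log lines: epoch_seconds, client_ip, method, url, bytes_sent.
# The hostname is a placeholder, not a real Lurid C&C indicator.
SAMPLE_LOG = """\
1316000000 10.0.0.5 POST http://c2-placeholder.example/ls 412
1316000600 10.0.0.5 POST http://c2-placeholder.example/ls 398
1316001200 10.0.0.5 POST http://c2-placeholder.example/ls 420
1316001800 10.0.0.5 POST http://c2-placeholder.example/ls 405
1316000100 10.0.0.7 GET http://intranet.example/index.html 5120
1316000300 10.0.0.7 POST http://mail.example/send 9031
1316004000 10.0.0.7 POST http://mail.example/send 12020
1316000200 10.0.0.5 GET http://news.example/ 30210
"""

LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (\S+) (\d+)$")

def parse_log(text):
    """Yield (ts, client, method, host, size) from lines in the constructed format."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the sweep
        ts, client, method, url, size = m.groups()
        yield int(ts), client, method, urlsplit(url).hostname, int(size)

def find_post_beacons(text, min_posts=4, max_cv=0.2):
    """Return {(client, host): mean_interval_seconds} for client/host pairs that
    issue at least min_posts POSTs with near-constant spacing (coefficient of
    variation of the inter-request gaps <= max_cv)."""
    posts = defaultdict(list)
    for ts, client, method, host, _ in parse_log(text):
        if method == "POST":
            posts[(client, host)].append(ts)
    beacons = {}
    for key, times in posts.items():
        if len(times) < min_posts:
            continue  # too few POSTs to judge periodicity
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            beacons[key] = round(avg)
    return beacons

if __name__ == "__main__":
    for (client, host), gap in find_post_beacons(SAMPLE_LOG).items():
        print(f"{client} -> {host}: POST every ~{gap}s")
```

Legitimate traffic such as the irregular POSTs to `mail.example` in the sample is not flagged; the thresholds would be tuned against a site's own baseline.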
Ferguson said: “As is frequently the case, it is difficult to say for certain who is behind this series of attacks as it is easy to manipulate artefacts, such as IP addresses and domain name registration, to mislead researchers into believing that a particular entity is responsible.”
Trend Micro was unable to reveal precisely which data was being targeted by the attackers, but it did determine that attempts to steal specific documents and spreadsheets were made in some cases.