Trend Micro researchers have discovered that 1465 computers belonging to 47 distinct political and economic entities in 61 different (mostly former Soviet Union) countries have been compromised through a slew of attacks that delivered the Lurid Trojan downloader.
The victims include government ministries, diplomatic missions, space-related government agencies, research institutions and various companies, and the motivation for the compromises seems to be espionage rather than money.
“This particular campaign comprised over 300 malicious, targeted attacks, monitored by the attackers using a unique identifier embedded in the associated malware,” shared the researchers. “Our analysis of the campaigns reveals that attackers targeted communities in specific geographic locations as well as campaigns that targeted specific victims. In total, the attackers used a command and control network of 15 domain names associated with the attackers and 10 active IP addresses to maintain persistent control over the 1465 victims.”
As is common practice these days, the attacks started with the delivery of bogus emails containing a specifically crafted .doc or .pdf file that, once opened, exploits vulnerabilities in popular software in order to deliver malware onto the target’s computer.
In this case, the attackers refrained from using zero-day vulnerabilities to infect the machines and settled for known ones instead. The delivered malware is a well-known downloader Trojan dubbed “Lurid” or “Enfal”.
The most interesting thing about it is that there is no publicly available toolkit for this malware family, which has, in the past, been used against US organizations (both governmental and non-governmental). This fact also adds to the belief that cyber espionage was the ultimate goal of the attacks.
Once the attackers gained access to the infected computers, they could take control of them and try to compromise others on the same network. The attackers attempted to steal specific documents and spreadsheets, but the researchers were unable to discover what kind of data these documents contained.
From the IP addresses gathered from the C&C servers the researchers gained access to, they concluded that the great majority of attacks were aimed at organizations located in Russia, followed by a lesser number that targeted those in Kazakhstan, Ukraine, Vietnam, Uzbekistan, Belarus, India, Kyrgyzstan, Mongolia and China.
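The two analytical steps the article describes, grouping victims by the campaign identifier embedded in the malware and mapping victim IP addresses seen on the C&C servers to countries, can be reproduced on a small scale. The script below is an added example written for this page; it is not Trend Micro's tooling, and the check-in log format, the campaign identifiers and the CIDR-to-country table are all constructed for illustration (the address ranges are RFC 5737 documentation blocks, not real allocations).

```python
"""Campaign-tracking analysis over C&C check-in logs (constructed sample data)."""
from collections import defaultdict
import ipaddress
import re

# Constructed sample check-in lines in a hypothetical "<timestamp> <victim_ip> <campaign_id>"
# format. The last line is deliberately malformed to show that the parser skips it.
SAMPLE_LOG = """\
2011-09-01T08:12:03Z 203.0.113.10 cmp-007
2011-09-01T08:15:44Z 203.0.113.11 cmp-007
2011-09-01T09:02:10Z 198.51.100.5 cmp-019
2011-09-01T09:40:51Z 203.0.113.10 cmp-007
2011-09-02T11:05:00Z 192.0.2.77 cmp-019
2011-09-02T11:06:12Z 192.0.2.78 cmp-042
this line is garbage and must be skipped
"""

# Constructed CIDR-to-country table (documentation ranges only, NOT real allocations).
COUNTRY_BY_PREFIX = {
    ipaddress.ip_network("203.0.113.0/24"): "RU",
    ipaddress.ip_network("198.51.100.0/24"): "KZ",
    ipaddress.ip_network("192.0.2.0/24"): "UA",
}

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def parse_checkins(text):
    """Yield (timestamp, ip, campaign_id) for well-formed lines; skip everything else."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, ip_str, campaign = m.groups()
        try:
            ip = ipaddress.ip_address(ip_str)
        except ValueError:
            continue  # not an IP address, drop the line rather than crash
        yield ts, ip, campaign


def country_of(ip):
    """Longest-prefix-free lookup against the constructed table; '??' when unknown."""
    for net, cc in COUNTRY_BY_PREFIX.items():
        if ip in net:
            return cc
    return "??"


def summarize(text):
    """Return (unique victims per campaign, unique victims per country).

    Victims are counted by distinct IP so that repeated check-ins from the
    same host do not inflate the totals.
    """
    victims_by_campaign = defaultdict(set)
    victims_by_country = defaultdict(set)
    for _ts, ip, campaign in parse_checkins(text):
        victims_by_campaign[campaign].add(ip)
        victims_by_country[country_of(ip)].add(ip)
    per_campaign = {c: len(v) for c, v in victims_by_campaign.items()}
    per_country = {c: len(v) for c, v in victims_by_country.items()}
    return per_campaign, per_country


if __name__ == "__main__":
    by_campaign, by_country = summarize(SAMPLE_LOG)
    for campaign, n in sorted(by_campaign.items(), key=lambda kv: -kv[1]):
        print(f"{campaign}: {n} victim(s)")
    for cc, n in sorted(by_country.items(), key=lambda kv: -kv[1]):
        print(f"{cc}: {n} victim(s)")
```

Counting distinct IPs rather than raw check-ins is the important design choice: a single infected host that beacons every few minutes would otherwise look like dozens of victims. The same caveat the researchers raise applies to the country mapping, since an IP address only tells you where the last hop sits, not who operates the machine behind it.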
They have also, wisely, refrained from speculating who might be behind the attacks. “As is frequently the case, it is difficult to ascertain who is behind this series of attacks because it is easy to manipulate artifacts, e.g. IP addresses and domain name registration, in order to mislead researchers into believing that a particular entity is responsible,” they concluded.
According to The Register, the two C&C servers in question are hosted in the US and the UK.