Modified versions of the Enfal malware, which figured prominently in the LURID attacks, were seen to have infected more than 800 systems worldwide. Enfal variants are known to communicate to specific servers that gives potential attackers access and even full control of infected systems.
We recently uncovered several attacks that used a modified version of Enfal, which have compromised 874 systems in 33 countries. Enfal was the malware used in the LURID targeted attacks, which we documented last September 2011. The malware was also linked to attacks going back to 2006 and possibly even 2002.
We investigated five command-and-control (C&C) servers related to these attacks and found that there were victim concentrations in Vietnam, Russia and Mongolia.
These identified targeted victims can be categorized as:
- Government Ministries and Agencies
- Military and Defense contractors
- Nuclear and Energy sectors
- Space and Aviation
- Tibetan community
Here are the top 5 countries that had compromised computers connecting to the five C&C servers. Note that a single compromised system may connect to more than one server.
| C&C (1) | {BLOCKED}2.152.14 |
| Vietnam | 394 |
| Russia | 34 |
| India | 19 |
| China | 14 |
| Bangladesh | 11 |
| C&C (2) | {BLOCKED}2.153.79 |
| Russia | 85 |
| Mongolia | 65 |
| Kazakhstan | 32 |
| United States | 19 |
| India | 14 |
| C&C (3) | {BLOCKED}8.175.122 |
| Mongolia | 41 |
| Russia | 14 |
| China | 11 |
| Philippines | 6 |
| India | 5 |
| C&C (4) | {BLOCKED}3.76.90 |
| Mongolia | 42 |
| Russia | 25 |
| Philippines | 5 |
| China | 4 |
| Brazil | 2 |
| C&C (5) | {BLOCKED}2.154.203 |
| Russia | 36 |
| Kazakhstan | 2 |
| Pakistan | 1 |
It should be noted, however, that in many cases we were unable to identify a specific victim beyond ISP and country. We are continuously notifying compromised parties via appropriate channels.
Attacks Using Modified Enfal With Campaign “Tags”
We found that there were 63 campaign “tags” or codes that the attackers used to keep track of which attack compromised which computers. Here are the top 5 campaign tags.
| Campaign tags | |
| ynshll | 221 |
| ynsh | 113 |
| mgin | 89 |
| 0821zh | 40 |
| ym2012814 | 38 |
During our research, we found that the typical vectors used in the attacks are socially-engineered emails with a malicious attachment.
| Special General Meeting.doc | 2f66e1a97b17450445fbbec36de93daf | TROJ_ARTIEF.JN |
| datac1en.dll | 9801d66d822cb44ea4bf8f4d2739e29c | BKDR_MECIV.AF |
The communication between this variant of Enfal and previous ones is different. The names of the files requested on the C&C server have been changed, and so has the XOR value used to encrypt the communications. In addition, all the communication is XORed.
| ??????? ?????? 2012.doc | 81f40945554a4d585ea4993e43a493a5 |
| datac1en.dll | 7185411935b5c24d600bd17debc2a0a0 |
The samples of this Enfal variant, which connect to the URL path /8jwpc/odw3ux, have used a variety of sub-domains on at least five domain names as C&C servers: {BLOCKED}tast.com,{BLOCKED}eibus.com, {BLOCKED}bfy.com, {BLOCKED}uttons.com and {BLOCKED}offe.com.
Trend Micro Deep Discovery defends against these attacks using a three-level detection scheme:
- Malware scan (i.e., signature and heuristic) and Sandbox simulation
- Destination analysis using the Trend Micro Smart Protection Network
- Rule-based heuristic analysis of network traffic
Despite the modifications made to the Enfal malware, Deep Discovery is able to heuristically detect and defend against Enfal attacks.
Leave a reply
