A large-scale and still-spreading malware campaign, an "Advanced Persistent Attack (APT)", was exposed today by the security firm Trend Micro. The malware spreads through a downloader named "Lurid" and has affected 1,500 computers in almost 61 countries. Almost 15 organizations, among them government ministries, diplomatic missions, research institutes and the state-led space agencies of former USSR states, mainly Russia, Kazakhstan and Ukraine, have been hit by this attack. Trend Micro's director wrote in the report that, once the attack is launched on a target computer, it lets the attacker monitor the system through a unique identifier embedded in the malware's code. The attackers used command-and-control (C&C) servers under 15 different domain names and 10 active IP addresses to gain control over the 1,500 PCs. The Lurid downloader through which the attack is launched is part of the "Enfal" family; Enfal is one of the malware families that previously targeted US-based agencies. Instead of using zero-day vulnerabilities, the attackers exploited already-known vulnerabilities in Adobe Reader and in RAR files; in the RAR files, malicious screen savers were used to execute the malware payload. Trend Micro found no samples indicating that zero-day exploits were used in this attack, but the identifiers used to monitor target PCs hint at the possible use of zero-day attacks.
This attack steals data from spreadsheets and Word documents, not financial information, from compromised computers and sends it back to the command-and-control (C&C) servers. The source of the attack has not been determined so far, nor has it been possible to determine what kind of data the attackers are looking for. The APT attack hit only Asian countries. An important point is that already-patched Adobe bugs were used to exploit vulnerabilities, which indicates that the attackers are after organizations rather than consumers. According to the sources, Russia had 1,063 IP addresses hit in the attacks; Kazakhstan, 325; Ukraine, 102; Vietnam, 93; Uzbekistan, 88; Belarus, 67; India, 66; Kyrgyzstan, 49; Mongolia, 42; and China, 39.
The procedure for launching this attack is very simple and goes via e-mail. The victim receives an e-mail that encourages them to open the attached file. That file contains malicious code that exploits vulnerabilities in PDF and Microsoft Office files. The malware payload then executes itself on the victim's computer: it first installs itself as a Windows service posing as a legitimate one, then copies itself into the system folder and ensures persistence by changing the startup folder to a special one it creates. Using HTTP POST commands to the C&C servers, the attackers are able to get data from the victim PC. These commands allow the attackers to send and receive files as well as activate an interactive remote shell on compromised systems. Trend Micro's researchers have some of the commands, but not the actual files.
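The C&C channel described above, regular HTTP POST requests from a compromised host to a small set of attacker-controlled servers, is something a defender can look for in web proxy logs. The script below is an added illustration, not Trend Micro's code or anything from the Lurid report: it parses a constructed proxy log format, groups POST requests per (client, destination host) pair, and flags pairs whose inter-request gaps are nearly constant (beacon-like). The log format, the IP addresses and the host names are all constructed for the example; the `.invalid` and `.test` domains are reserved names, not real indicators.

```python
"""Detect periodic HTTP POST beaconing in proxy logs (added example).

Per (client, destination) pair, collect the timestamps of POST requests and
report series whose gaps vary by less than a small jitter threshold. Log format
and every host/address below are constructed for this illustration.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log format: "<ISO timestamp> <client-ip> <method> <url> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)

# Constructed sample: 10.0.0.5 POSTs to one external host every ~300 s (beacon-like),
# while 10.0.0.7 POSTs to a webmail host at irregular, human-paced times.
SAMPLE_LOG = """\
2011-09-22T08:00:00 10.0.0.5 POST http://cnc-example.invalid/upload.php 200
2011-09-22T08:01:13 10.0.0.7 POST http://mail.example.test/send 200
2011-09-22T08:05:00 10.0.0.5 POST http://cnc-example.invalid/upload.php 200
2011-09-22T08:07:40 10.0.0.7 GET http://news.example.test/index.html 200
2011-09-22T08:10:01 10.0.0.5 POST http://cnc-example.invalid/upload.php 200
2011-09-22T08:14:59 10.0.0.5 POST http://cnc-example.invalid/upload.php 200
2011-09-22T08:20:00 10.0.0.5 POST http://cnc-example.invalid/upload.php 200
2011-09-22T08:31:05 10.0.0.7 POST http://mail.example.test/send 200
2011-09-22T09:12:50 10.0.0.7 POST http://mail.example.test/send 200
"""


def parse_log(text):
    """Yield (timestamp, client, method, host) for each well-formed line."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the whole scan
        host = re.sub(r"^https?://", "", m["url"]).split("/", 1)[0]
        yield datetime.fromisoformat(m["ts"]), m["client"], m["method"], host


def find_beacons(text, min_posts=4, max_jitter=0.1):
    """Return {(client, host): mean_gap_seconds} for POST series with at least
    min_posts requests whose gaps have a coefficient of variation <= max_jitter."""
    series = defaultdict(list)
    for ts, client, method, host in parse_log(text):
        if method == "POST":
            series[(client, host)].append(ts)

    beacons = {}
    for key, stamps in series.items():
        if len(stamps) < min_posts:
            continue  # too few requests to judge periodicity
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        # Near-constant gaps (low relative spread) are the beaconing signature.
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons[key] = round(avg)
    return beacons


if __name__ == "__main__":
    for (client, host), interval in find_beacons(SAMPLE_LOG).items():
        print(f"{client} -> {host}: POST every ~{interval}s")
```

On the constructed sample the only hit is 10.0.0.5 posting to cnc-example.invalid roughly every 300 seconds; the webmail traffic from 10.0.0.7 is too sparse and irregular to trigger. In practice the interval, minimum count and jitter threshold would be tuned against the organization's own baseline, and a hit is a lead for host triage (the service and startup-folder artifacts described above), not proof of compromise on its own.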
The attackers are then able to propagate this malware from one victim PC to another. It is difficult to determine who is behind the attack, as attackers can easily mislead researchers by changing IP addresses and domain names. A defensive strategy needs to be built on an understanding of how this malware works and of the tactics and tools behind the attack.
By: Rahat Masood
Image Credits: Flickr