'Lurid' malware hits Russia, CIS countries
Trend Micro says more than 1,400 computers in 61 countries were targeted
IDG News Service - The latest espionage-related hacking campaign detailed by security vendor Trend Micro is most notable for the country it does not implicate: China.
Researchers from Trend Micro wrote on Thursday that they discovered a series of hacking attacks targeting space-related government agencies, diplomatic missions, research institutions and companies located mostly in Russia but also Vietnam and Commonwealth of Independent States countries. In total, the attacks targeted 1,465 computers in 61 countries.
The attacks, which Trend Micro dubbed "Lurid," are not particularly unusual compared to other stealthy, long-range hacking campaigns publicized recently, said Rik Ferguson, Trend Micro's director of security research and communication for Europe. Targeted e-mails were sent to employees that were engineered to attack unpatched software and sought to steal spreadsheets, Word documents and other information.
Those pilfered documents were then uploaded to Web sites hosted on command-and-control servers in the U.S and the U.K. Ferguson said. The location of the servers in these attacks shows that hackers can choose servers anywhere in the world to collect stolen information, which is not an indication of where the hackers may be located, he said.
China has endured frequent accusations that it is complicit in hacking since many high-profile attacks have originated from infrastructure within the country. But Ferguson said there are many tools ranging from VPNs (Virtual Private Networks) to e-mail spoofing techniques that can mislead hacking investigations.
"What do we do now?" Ferguson asked. "Point the finger at the U.S. and U.K.?"
Trend classified the Lurid attacks as an "advanced persistent threat" or APT, a relatively new term applied to hacking campaigns that endure for long periods of time undetected. Lurid has been active since at least August 2010.
Lurid uses a downloader program known as "Enfal" to steal documents. The downloader has been around since at least 2006, although it is not known to be sold on underground criminal forums, Ferguson said.
The e-mails sent to victims contained an attached file that looked for vulnerabilities in software on the computer. This particular series of attacks often exploited a vulnerability in Adobe Reader that dates back to 2009, Ferguson said. If the companies or organizations have not patched their software, they may be vulnerable: Security experts generally recommend patching as soon as a fix has been released.
Trend found that the hackers also assigned a special code to individual pieces of malware in order to identity their victims. Although the Lurid attacks touched on many organizations, most of the attacks were targeted at just three.
Ferguson said Trend identified 301 different campaign codes, with 115 campaigns focused on just one victim and 64 others hitting just two more organizations.
The information exfiltrated from compromised computers was sent encrypted to the command-and-control servers via HTTP POST requests. Since the stolen information was encrypted and appeared to be normal Web traffic, it can be difficult for organizations to detect that they may have been compromised, he said.
Ferguson said Trend had contacted Computer Emergency Response Teams in the affected countries and is also working with the U.K.'s Serious Organised Crime Agency, which includes hacking as part of its remit.
Send news tips and comments to firstname.lastname@example.org
- Gartner Magic Quadrant for Client Management Tools The client management tool market is maturing and evolving to adapt to consumerization, desktop virtualization, and an ongoing need to improve efficiency.
- Audit Ready and Asset Optimized: The Solid Promise of an Intelligent Software Asset Management Solution In this paper Frost & Sullivan examines the benefits of enterprise-grade Software Asset Management solutions, and how these solutions serve as the convergence...
- Pragmatic Endpoint Management: Empowering an SMB Workforce in the Age of Mobility Lacking the time for proper training and education, SMB administrators often resort to taking shortcuts to keep their environment running.This paper discusses the...
- Gartner Magic Quadrant for Application Security The market for application security testing is changing rapidly. Technology trends, such as mobile applications, advanced Web applications and dynamic languages, are forcing...
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Cybercrime and Hacking White Papers | Webcasts