Download the full research paper: The Lurid Downloader

Prior to the highly publicized “Aurora” attack on Google in late 2009, which also affected at least 20 other companies, there was little public awareness regarding targeted malware attacks. However, such attacks have been taking place for years and continue to affect government, military, corporate, educational, and civil society networks today. While such attacks against the U.S. government and related networks are now fairly well-known, other governments and an increasing number of companies are facing similar threats. Russia and other countries in the Commonwealth of Independent States are also being targeted and compromised. These countries have an expertise in the space industry and also have operations in oil & gas, mining and other industry areas that have been targeted by malware attacks in the past.
The earliest samples and command-and-control (C&C) server registration dates related to this particular campaign go back as far as August 2010. It is, however, possible that these were created even earlier.
Enfal, the malware family used in the LURID campaign, had been used in targeted attacks as far back as 2006.
Victims and Targets:
The attackers have compromised 1,465 unique hosts in 61 countries. A total of 47 victims have been identified, which include numerous government ministries and diplomatic missions (including space-related government agencies), companies and research institutions in Russia and other members of the Commonwealth of Independent States (CIS), and a small number of similar entities in Europe.
Attackers typically send targets an email with a malicious .PDF file attachment and a subject line but no content. The email is spoofed to look like it came from the Office of the Dalai Lama while the file attachment’s name is related to Tibet. The email address’s domain is gawab.com, a Middle Eastern email service provider.
The attackers used exploits taking advantage of CVE-2009-4324, the util.printed vulnerability in Adobe Reader 9.X (before 9.3) and 8.X (before 8.2), and CVE-2010-2883 as well as compressed .RAR files containing malicious screensavers.
Upon successful exploitation, the attachment drops a piece of malware onto the system. This then connects to a C&C server to send information and receive and execute commands.
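The lure traits listed above (a sender spoofing the Office of the Dalai Lama, a gawab.com sender domain, a subject line with an empty body, and a .PDF or .RAR attachment) can be turned into mail-gateway triage rules. The following is an added example, not code from Trend Micro or the research paper: the scoring threshold, the function names and the two sample messages (including the `office@gawab.com` address and the `tibet_report.pdf` filename) are assumptions constructed for the demo.

```python
"""Mail triage heuristics for the Lurid lure pattern (added example)."""
import email
from email import policy
from email.utils import parseaddr

SUSPECT_SENDER_DOMAINS = {"gawab.com"}        # sender domain noted in the profile
RISKY_EXTENSIONS = (".pdf", ".rar", ".scr")   # PDF exploits, RAR archives with screensavers
IMITATED_DISPLAY_NAMES = ("dalai lama",)      # display name the lure imitates
ALERT_THRESHOLD = 2                           # assumption: two or more traits -> suspicious


def triage(raw_message: str) -> dict:
    """Return {'indicators': [...], 'verdict': 'suspicious'|'clean'} for one RFC 822 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    display_name, address = parseaddr(str(msg.get("From", "")))
    domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    indicators = []

    if domain in SUSPECT_SENDER_DOMAINS:
        indicators.append("sender-domain")
    if any(name in display_name.lower() for name in IMITATED_DISPLAY_NAMES):
        indicators.append("spoofed-display-name")

    # Subject line present but no body text at all
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body_text = body_part.get_content().strip() if body_part is not None else ""
    if str(msg.get("Subject", "")).strip() and not body_text:
        indicators.append("empty-body")

    # Attachment types used by the campaign
    for part in msg.iter_attachments():
        filename = (part.get_filename() or "").lower()
        if filename.endswith(RISKY_EXTENSIONS):
            indicators.append("risky-attachment:" + filename)

    verdict = "suspicious" if len(indicators) >= ALERT_THRESHOLD else "clean"
    return {"indicators": indicators, "verdict": verdict}


# Constructed sample: mirrors the lure traits given in the profile
SAMPLE_LURE = """\
From: Office of the Dalai Lama <office@gawab.com>
To: analyst@example.org
Subject: Tibet situation report
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

--b1
Content-Type: application/pdf; name="tibet_report.pdf"
Content-Disposition: attachment; filename="tibet_report.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1--
"""

# Constructed sample: ordinary internal mail, no attachment
SAMPLE_BENIGN = """\
From: Jane Colleague <jane@example.org>
To: analyst@example.org
Subject: Lunch on Thursday?
Content-Type: text/plain; charset="us-ascii"

Are you free at noon?
"""

if __name__ == "__main__":
    print("lure  :", triage(SAMPLE_LURE))
    print("benign:", triage(SAMPLE_BENIGN))
```

The indicators are returned individually rather than as a single score so an analyst can see which trait fired; in production the threshold and the display-name list would be tuned against the organization's own mail flow.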
Possible Indicators of Compromise
System infections with TROJ_PIDIEF.SMZX (MD5: 322fcf1b134fef1bae52fbd80a373ede), TROJ_MECIV.A (MD5: 84d24967cb5cbacf4052a3001692dd54 and 3447416fbbc65906bd0384d4c2ba479e), and WORM_OTORUN.TMP (MD5: 856de08a947a40e00ea7ed66b8e02c53).
The malware stores its configuration settings in the registry, HKLM\SYSTEM\CurrentControlSet\Services\WmdmPmSp\Parameters.
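The hashes and registry path above can be swept for on a host. The following is an added example, not Trend Micro's code: the MD5 values and the registry location are the ones given in this profile, while the function names, the directory walk and the temporary demo file are assumptions constructed for the example.

```python
"""Host-side IoC sweep for the Lurid indicators (added example)."""
import hashlib
import os
import sys
import tempfile

# MD5 -> detection name, as listed in the campaign profile
LURID_MD5 = {
    "322fcf1b134fef1bae52fbd80a373ede": "TROJ_PIDIEF.SMZX",
    "84d24967cb5cbacf4052a3001692dd54": "TROJ_MECIV.A",
    "3447416fbbc65906bd0384d4c2ba479e": "TROJ_MECIV.A",
    "856de08a947a40e00ea7ed66b8e02c53": "WORM_OTORUN.TMP",
}
# Registry location where the malware keeps its configuration (from the profile)
LURID_REG_PATH = r"SYSTEM\CurrentControlSet\Services\WmdmPmSp\Parameters"


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def match_hash(hexdigest: str):
    """Return the detection name for a known-bad MD5, else None."""
    return LURID_MD5.get(hexdigest.lower())


def hash_file(path: str) -> str:
    """MD5 of a file, read in chunks so large files do not load into memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_directory(root: str):
    """Walk root and return [(path, detection_name)] for files on the IoC list."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digest = hash_file(path)
            except OSError:
                continue  # unreadable or locked file: skip rather than abort the sweep
            detection = match_hash(digest)
            if detection:
                hits.append((path, detection))
    return hits


def lurid_registry_key_present():
    """True/False on Windows, None elsewhere (winreg is Windows-only)."""
    if sys.platform != "win32":
        return None
    import winreg
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, LURID_REG_PATH):
            return True
    except OSError:
        return False


def demo_scan():
    """Constructed demo: sweep a temp dir holding one benign file; expect no hits."""
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "notes.txt"), "wb") as f:
            f.write(b"benign sample file, constructed for the demo\n")
        return scan_directory(tmp)


if __name__ == "__main__":
    print("file hits:", demo_scan())
    print("registry key present:", lurid_registry_key_present())
```

Run it against user-profile and temp directories on a suspect host; a hash hit or a present `WmdmPmSp\Parameters` key is a reason to pull the machine for fuller forensic review rather than a verdict on its own, since the sample set here is only the four hashes the profile lists.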
* The campaign codes we have seen so far are detailed in the Trend Micro research paper, Dissecting the Lurid APT: The ‘Lurid’ Downloader. The characteristics highlighted in this APT campaign quick profile reflect the results of our investigation as of September 2011.