Lurid Downloader Campaign Actors Focus on Russia and the CIS

The Lurid Downloader Download the full research paper: The Lurid Downloader

Prior to the highly publicized “Aurora” attack on Google in late 2009, which also affected at least 20 other companies, there was little public awareness regarding targeted malware attacks. However, such attacks have been taking place for years and continue to affect government, military, corporate, educational, and civil society networks today. While such attacks against the U.S. government and related networks are now fairly well-known, other governments and an increasing number of companies are facing similar threats. Russia and other countries in the Commonwealth of Independent States are also being targeted and compromised. These countries have an expertise in the space industry and also have operations in oil & gas, mining and other industry areas that have been targeted by malware attacks in the past.

Malware attacks that exploit vulnerabilities in popular software in order to compromise specific target sets are becoming increasingly commonplace. These attacks are not automated or indiscriminate nor are they conducted by opportunistic amateurs. Known as targeted malware attacks, these attacks refer to computer intrusions staged by threat actors that aggressively pursue and compromise specific targets. Targeted malware attacks are typically part of broader campaigns, a series of failed and success compromises, by specific threat actors and not isolated attacks.

However, the specificity of the attacker’s prior knowledge of the victim affects the level of targeting associated with a single attack. As a result, some attacks appear to be less precise, or “noisy”, and are aimed at a broader community. Such “spear phishing” attacks are usually “directed toward a group of people with a commonality” as opposed to a specific target but are useful for gaining an initial foothold in a future target of interest.

The malware used in the “Lurid Downloader” attacks is commonly known as “Enfal” and it has been used in targeted attacks as far back as 2006. In 2008, Maarten Van Horenbeeck documented a series of targeted malware attacks that made use the Enfal Trojan to target non-governmental organizations, non-governmental organizations (NGOs) as well as defense contractors and U.S. government employees. In 2009 and 2010, researchers from the University of Toronto published reports on two cyberespionage networks known as “GhostNet” and “ShadowNet” that included malware and command and control infrastructure connected with the Enfal Trojan. The domain names used by Enfal as command and control servers are, according to U.S. diplomatic cables leaked to Wikileaks, linked to a series of attacks known as “Byzantine Hades.” According to these “leaked cables, the activity of this set of threat actors has been ongoing since 2002 and is known as “Byzantine Hades”, and there are subsets of this activity known as “Byzantine Anchor,” “Byzantine Candor” and “Byzantine Foothold”. However, it is important to note that other than the use of Enfal itself, there appears to be several distinct sets of command and control infrastructure in use and the relationship among the threat actors operating these separate infrastructures remains unclear.

Click on the thumbnail above to read the full research paper on the Lurid Campaign.

Lurid Quick Profile:

First Seen:
TThe earliest samples and command-and-control (C&C) server registration dates related to this particular campaign go back as far as August 2010. It is, however, possible that these were created even earlier.

Enfal, the malware family used in the LURID campaign, had been used in targeted attacks as far back as 2006.

Victims and Targets:
The attackers have compromised 1,465 unique hosts in 61 countries. A total of 47 victims have been identified, which include numerous government ministries and diplomatic missions (including space-related government agencies), companies and research institutions in Russia and other members of the Commonwealth Independent States (CIS), and a small number of similar entities in Europe.

Attackers typically send targets an email with a malicious .PDF file attachment and a subject line but no content. The email is spoofed to look like it came from the Office of the Dalai Lama while the file attachment’s name is related to Tibet. The email address’s domain is, a Middle Eastern email service provider.

The attackers used exploits taking advantage of CVE-2009-4324, the util.printed vulnerability in Adobe Reader 9.X (before 9.3) and 8.X (before 8.2), and CVE-2010-2883 as well as compressed .RAR files containing malicious screensavers.

Upon successful exploitation, the attachment drops a piece of malware onto the system. This then connects to a C&C server to send information and receive and execute commands.

Possible Indicators of Compromise
System infections with TROJ_PIDIEF.SMZX (MD5: 322fcf1b134fef1bae52fbd80a373ede), TROJ_MECIV.A (MD5: 84d24967cb5cbacf4052a3001692dd54 and 3447416fbbc65906bd0384d4c2ba479e), and WORM_OTORUN.TMP (MD5: 856de08a947a40e00ea7ed66b8e02c53).

The malware stores its configuration settings in the registry, HKLM\SYSTEM\CurrentControlSet\Services\WmdmPmSp\Parameters.

* The campaign codes we have seen so far are detailed in the Trend Micro research paper, Dissecting the Lurid APT: The ‘Lurid’ Downloader. The characteristics highlighted in this APT campaign quick profile reflect the results of our investigation as of September 2011.



Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.