'Lurid' Malware Hits Russia, CIS Countries
The latest espionage-related hacking campaign detailed by security vendor Trend Micro is most notable for the country it does not implicate: China.
Researchers from Trend wrote on Thursday that they discovered a series of hacking attacks targeting space-related government agencies, diplomatic missions, research institutions and companies located mostly in Russia but also Vietnam and Commonwealth of Independent States countries. In total, the attacks targeted 1,465 computers in 61 countries.
The attacks, which Trend dubbed "Lurid," are not particularly unusual compared to other stealthy, long-range hacking campaigns publicized recently, said Rik Ferguson, director of security research and communication for Europe. Targeted e-mails were sent to employees that were engineered to attack unpatched software and sought to steal spreadsheets, Word documents and other information.
Those pilfered documents were then uploaded to Web sites hosted on command-and-control servers in the U.S and the U.K. Ferguson said. The location of the servers in these attacks shows that hackers can choose servers anywhere in the world to collect stolen information, which is not an indication of where the hackers may be located, he said.
China has endured frequent accusations that it is complicit in hacking since many high-profile attacks have originated from infrastructure within the country. But Ferguson said there are many tools ranging from VPNs (Virtual Private Networks) to e-mail spoofing techniques that can mislead hacking investigations.
"What do we do now?" Ferguson asked. "Point the finger at the U.S. and U.K.?"
Trend classified the Lurid attacks as an "advanced persistent threat" or APT, a relatively new term applied to hacking campaigns that endure for long periods of time undetected. Lurid has been active since at least August 2010.
Lurid uses a downloader program known as "Enfal" to steal documents. The downloader has been around since at least 2006, although it is not known to be sold on underground criminal forums, Ferguson said.
The e-mails sent to victims contained an attached file that looked for vulnerabilities in software on the computer. This particular series of attacks often exploited a vulnerability in Adobe Reader that dates back to 2009, Ferguson said. If the companies or organizations have not patched their software, they may be vulnerable: Security experts generally recommend patching as soon as a fix has been released.
Trend found that the hackers also assigned a special code to individual pieces of malware in order to identity their victims. Although the Lurid attacks touched on many organizations, most of the attacks were targeted at just three.
Ferguson said Trend identified 301 different campaign codes, with 115 campaigns focused on just one victim and 64 others hitting just two more organizations.
The information exfiltrated from compromised computers was sent encrypted to the command-and-control servers via HTTP POST requests. Since the stolen information was encrypted and appeared to be normal Web traffic, it can be difficult for organizations to detect that they may have been compromised, he said.
Ferguson said Trend had contacted Computer Emergency Response Teams in the affected countries and is also working with the U.K.'s Serious Organised Crime Agency, which includes hacking as part of its remit.
Send news tips and comments to firstname.lastname@example.org