
Trend Micro uncovers Lurid APT attacks on thousands of computers in former USSR

by Phil Muncaster

22 Sep 2011


Researchers at Trend Micro have uncovered yet another large-scale, sophisticated and ongoing series of targeted attacks that have compromised nearly 1,500 computers in 61 countries.

Dubbed 'Lurid', the attacks differ from similar operations such as Aurora and Night Dragon in that the victims are mainly located in Russia, Kazakhstan and Ukraine, as well as several other countries in the former USSR.

Of the 1,465 compromised computers, Trend Micro has so far identified 47 victims, including diplomatic missions, government ministries and space-related government agencies, according to Rik Ferguson, director of security research at the vendor.

"This particular campaign comprised over 300 malicious, targeted attacks, monitored by the attackers using a unique identifier embedded in the associated malware," he wrote in a research document seen by V3.

"In total, the attackers used a command-and-control [C&C] network of 15 domain names associated with the attackers and 10 active IP addresses to maintain persistent control over the 1,465 victims."

The Lurid downloader belongs to the Enfal malware family, which has been used in the past to attack the US government and NGOs, although it is not a publicly available toolkit, explained Ferguson.

The Lurid attacks monitored by Trend Micro follow a pattern commonly associated with advanced persistent threats: exploits for Adobe Reader or "compressed RAR files containing malicious screen savers" are used to execute the Lurid malware, which then connects the system to a specific network of C&C servers.

"Attackers do not always rely on zero-day exploits but will, in fact, quite frequently use older, reliable exploits and save their zero-day exploits for hardened targets," said Ferguson.

"While we have not located any samples used in these campaigns that contain zero-day exploits, the campaign identifiers used by the attackers do make reference to the use of such exploits."

The Lurid malware maintains persistence on an infected system either by installing itself as a Windows service, or by copying itself to the system folder and "changing the common start up folder of Windows to a special one it creates", Ferguson explained.
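The startup-folder redirection described above is cheap to check for. The following is an added example, not Trend Micro's code: it compares the Windows "Common Startup" (all users) and "Startup" (current user) shell-folder registry values against the stock locations and reports any that point elsewhere. The registry snapshots and the redirected path C:\Windows\Temp\start are constructed for illustration; the key names and default paths are Windows' own. A redirected value is a lead rather than a verdict, since folder-redirection policy can legitimately move these folders, so follow up by listing what the folder actually contains.

```python
"""Audit the Windows startup-folder registry values for redirection.

Added example, not Trend Micro's code. Lurid can "change the common
start up folder of Windows to a special one it creates": Explorer
resolves that folder through the "Common Startup" (all users) and
"Startup" (current user) values under the Shell Folders keys, so a value
pointing outside the stock location is a persistence lead. Default
paths are the documented Windows ones; the snapshots are constructed.
"""
import re

# Registry locations Explorer consults; HKLM covers all users, HKCU the current one.
KEYS = [
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders", "Common Startup"),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders", "Common Startup"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders", "Startup"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders", "Startup"),
]

# Stock values (XP and Vista-or-later), as regexes over the normalised path.
DEFAULT_PATTERNS = {
    "Common Startup": [
        r"%programdata%\\microsoft\\windows\\start menu\\programs\\startup",
        r"c:\\programdata\\microsoft\\windows\\start menu\\programs\\startup",
        r"%allusersprofile%\\start menu\\programs\\startup",
        r"c:\\documents and settings\\all users\\start menu\\programs\\startup",
    ],
    "Startup": [
        r"%userprofile%\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup",
        r"c:\\users\\[^\\]+\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup",
        r"%userprofile%\\start menu\\programs\\startup",
        r"c:\\documents and settings\\[^\\]+\\start menu\\programs\\startup",
    ],
}


def normalise(path):
    """Lower-case, unify separators, drop a trailing backslash."""
    p = path.strip().lower().replace("/", "\\")
    p = re.sub(r"\\+", "\\\\", p)
    return p.rstrip("\\")


def audit_startup_folders(snapshot):
    """snapshot: {key_path: {value_name: data}}. Returns one finding string per
    startup-folder value that does not match a stock location."""
    findings = []
    for key, name in KEYS:
        data = snapshot.get(key, {}).get(name)
        if data is None:
            continue  # value absent: Explorer uses its built-in default
        p = normalise(data)
        if not any(re.fullmatch(pat, p) for pat in DEFAULT_PATTERNS[name]):
            findings.append(f"{key}\\{name} = {data}")
    return findings


def read_live_snapshot():
    """On Windows, read the real values via winreg; elsewhere return {}."""
    try:
        import winreg
    except ImportError:
        return {}
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    snap = {}
    for key, name in KEYS:
        hive, sub = key.split("\\", 1)
        try:
            with winreg.OpenKey(hives[hive], sub) as k:
                snap.setdefault(key, {})[name] = winreg.QueryValueEx(k, name)[0]
        except OSError:
            pass  # key or value not present on this build
    return snap


# Constructed snapshots: a stock Vista+ machine, and one whose all-users startup
# folder has been redirected to a hypothetical attacker-created directory.
HKLM_USF, HKLM_SF, HKCU_USF, HKCU_SF = [k for k, _ in KEYS]
SAMPLE_CLEAN = {
    HKLM_USF: {"Common Startup": r"%ProgramData%\Microsoft\Windows\Start Menu\Programs\Startup"},
    HKLM_SF: {"Common Startup": r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"},
    HKCU_USF: {"Startup": r"%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"},
    HKCU_SF: {"Startup": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"},
}
SAMPLE_TAMPERED = dict(SAMPLE_CLEAN)
SAMPLE_TAMPERED[HKLM_USF] = {"Common Startup": r"C:\Windows\Temp\start"}   # hypothetical
SAMPLE_TAMPERED[HKLM_SF] = {"Common Startup": "C:\\Windows\\Temp\\start\\"}  # hypothetical

if __name__ == "__main__":
    snap = read_live_snapshot() or SAMPLE_TAMPERED  # live registry on Windows, sample elsewhere
    for finding in audit_startup_folders(snap):
        print("redirected startup folder:", finding)
```

Run it on a Windows host as an administrator to read the live values; on any other platform it audits the constructed tampered snapshot and reports the two HKLM values. Extend DEFAULT_PATTERNS if your estate uses a sanctioned redirection, otherwise every such machine will show up as a finding.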

The attackers use the malware to steal data, which is sent to the C&C servers over HTTP POST, and to issue commands to the infected computers.

"These commands allow the attackers to send and receive files as well as activate an interactive remote shell on compromised systems," said Ferguson.

"The attackers will typically retrieve directory listings from the compromised computers and steal data (such as specific .xls files). Trend Micro researchers have some of the commands, but we don't have the actual files."

It has therefore proved difficult to determine precisely what data was targeted, although specific documents and spreadsheets were involved, according to Trend Micro.
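The HTTP POST channel described above gives two simple network-side checks. The following is an added example, not Trend Micro's code: it runs over constructed proxy log lines (timestamp, client, method, host, URI, status, bytes out) and flags POSTs to a list of known C&C hosts, as well as clients that POST to a single server at a steady interval, which is the shape a fixed sleep loop produces. The indicator list (cc.example.net, 203.0.113.10) and every log line are made up; substitute the domains and IP addresses published in the Trend Micro report.

```python
"""Network-side checks for a Lurid-style HTTP POST command channel.

Added example, not Trend Micro's code. Lurid pushes stolen data to its
C&C servers over HTTP POST and polls them for commands, so two cheap
detections apply: POSTs to any host on a C&C indicator list, and a client
POSTing to one external host at a steady rhythm. Indicators and log lines
below are constructed, not the real Lurid infrastructure.
"""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed indicator list: replace with the vendor's published C&C hosts/IPs.
IOC_HOSTS = {"cc.example.net", "203.0.113.10"}

# Constructed proxy log, one request per line:
#   ISO-time  client-ip  method  host  uri  status  bytes-out
SAMPLE_LOG = """\
2011-09-20T08:00:00 10.0.0.9 POST update.example.com /cgi/check 200 310
2011-09-20T08:00:02 10.0.0.5 GET www.example.org /news 200 0
2011-09-20T08:00:10 10.0.0.5 POST mail.example.org /send 200 2048
2011-09-20T08:00:25 10.0.0.5 POST mail.example.org /send 200 1536
2011-09-20T08:01:00 10.0.0.7 POST cc.example.net /in 200 412
2011-09-20T08:03:02 10.0.0.9 POST update.example.com /cgi/check 200 308
2011-09-20T08:04:30 10.0.0.7 POST cc.example.net /in 200 56120
2011-09-20T08:06:01 10.0.0.9 POST update.example.com /cgi/check 200 311
2011-09-20T08:07:40 10.0.0.5 POST mail.example.org /send 200 910
2011-09-20T08:09:03 10.0.0.9 POST update.example.com /cgi/check 200 309
2011-09-20T08:12:00 10.0.0.9 POST update.example.com /cgi/check 200 310
2011-09-20T08:15:02 10.0.0.9 POST update.example.com /cgi/check 200 312
2011-09-20T08:20:00 10.0.0.7 POST cc.example.net /in 200 390
2011-09-20T08:30:00 10.0.0.5 POST mail.example.org /send 200 4096
2011-09-20T08:31:05 10.0.0.5 POST mail.example.org /send 200 120
"""


def parse(log):
    """Yield (time, client, method, host, uri, status, bytes) per log line."""
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, client, method, host, uri, status, nbytes = line.split()
        yield datetime.fromisoformat(ts), client, method, host, uri, int(status), int(nbytes)


def flag_ioc_posts(log, iocs=IOC_HOSTS):
    """Return sorted (client, host) pairs that POSTed to a listed C&C host."""
    hits = {(client, host) for _ts, client, method, host, *_rest in parse(log)
            if method == "POST" and host in iocs}
    return sorted(hits)


def flag_beacons(log, min_posts=5, max_jitter=0.2):
    """Return (client, host, mean_interval_s) for client/host pairs with at
    least min_posts POSTs whose gaps vary by under max_jitter of the mean.
    A sleep(N) polling loop produces exactly that shape; people do not."""
    times = defaultdict(list)
    for ts, client, method, host, *_rest in parse(log):
        if method == "POST":
            times[(client, host)].append(ts)
    found = []
    for (client, host), stamps in times.items():
        if len(stamps) < min_posts:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean < max_jitter:
            found.append((client, host, round(mean)))
    return sorted(found)


if __name__ == "__main__":
    for client, host in flag_ioc_posts(SAMPLE_LOG):
        print(f"IOC hit: {client} POSTs to {host}")
    for client, host, period in flag_beacons(SAMPLE_LOG):
        print(f"beacon: {client} -> {host} every ~{period}s")
```

On the sample, 10.0.0.7 is caught only by the indicator list (three POSTs are too few for the rhythm check) and 10.0.0.9 only by the rhythm check (its server is on no list), which is the point of running both. Tune min_posts and max_jitter to your traffic volume, and treat a beacon hit as a starting point for looking at what the client sends: the 56,120-byte POST from 10.0.0.7 is the kind of outbound volume the data theft described above would produce.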

The origin of the attackers also remains unclear, since IP addresses and domain name registration details can be manipulated to mislead researchers, said Ferguson.

The news follows revelations from Trend Micro earlier this week of a large-scale, co-ordinated series of targeted attacks aimed at defence contractors such as Mitsubishi Heavy Industries in Japan.
