Modified Enfal Variants Compromised 874 Systems

Modified versions of the Enfal malware, which figured prominently in the LURID attacks, were seen to have infected more than 800 systems worldwide. Enfal variants are known to communicate with specific servers, which gives potential attackers access to and even full control of infected systems.

We recently uncovered several attacks that used a modified version of Enfal and compromised 874 systems in 33 countries. Enfal was the malware used in the LURID targeted attacks, which we documented in September 2011. The malware was also linked to attacks going back to 2006 and possibly even 2002.

We investigated five command-and-control (C&C) servers related to these attacks and found that there were victim concentrations in Vietnam, Russia and Mongolia.

The identified targeted victims fall into the following categories:

  • Government Ministries and Agencies
  • Military and Defense contractors
  • Nuclear and Energy sectors
  • Space and Aviation
  • Tibetan community

Here are the top 5 countries that had compromised computers connecting to the five C&C servers. Note that a single compromised system may connect to more than one server.

C&C (1) {BLOCKED}2.152.14
  Country        Systems
  Vietnam            394
  Russia              34
  India               19
  China               14
  Bangladesh          11

C&C (2) {BLOCKED}2.153.79
  Country        Systems
  Russia              85
  Mongolia            65
  Kazakhstan          32
  United States       19
  India               14

C&C (3) {BLOCKED}8.175.122
  Country        Systems
  Mongolia            41
  Russia              14
  China               11
  Philippines          6
  India                5

C&C (4) {BLOCKED}3.76.90
  Country        Systems
  Mongolia            42
  Russia              25
  Philippines          5
  China                4
  Brazil               2

C&C (5) {BLOCKED}2.154.203
  Country        Systems
  Russia              36
  Kazakhstan           2
  Pakistan             1

It should be noted, however, that in many cases we were unable to identify a specific victim beyond ISP and country. We are continuously notifying compromised parties via appropriate channels.

Attacks Using Modified Enfal With Campaign “Tags”

We found that there were 63 campaign “tags” or codes that the attackers used to keep track of which attack compromised which computers. Here are the top 5 campaign tags.

  Campaign tag   Systems
  ynshll             221
  ynsh               113
  mgin                89
  0821zh              40
  ym2012814           38

During our research, we found that the typical attack vector is a socially engineered email carrying a malicious attachment.

The attachment is the malicious document Special General Meeting.doc (detected as TROJ_ARTIEF.JN), which exploits a Microsoft Office vulnerability (CVE-2012-0158) to drop BKDR_MECIV.AF onto the targeted computer. The compromised computer then begins communicating with a C&C server, through which the attackers can maintain full control of the computer.

  File                          MD5                               Detection
  Special General Meeting.doc   2f66e1a97b17450445fbbec36de93daf  TROJ_ARTIEF.JN
  datac1en.dll                  9801d66d822cb44ea4bf8f4d2739e29c  BKDR_MECIV.AF

The network communication of this variant differs from that of previous Enfal versions: the names of the files requested on the C&C server have changed, as has the XOR value used to encrypt the communication, and all of the communication is now XORed.

Previous versions of Enfal consistently requested “/cg[a-z]-bin/Owpq4.cgi” on the C&C server, which made that path a consistent indicator.
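The post notes that the modified variant XORs all of its C&C traffic with a changed key, so a sensor that captured a beacon sees only encoded bytes. The following added example (not code from the post or from Trend Micro) shows the standard analyst step of recovering a single-byte XOR key from a capture by brute force, using a known-plaintext marker first and printable-ratio scoring as a fallback, then pulling the request path out of the decoded request. The beacon layout, the host name, the assumption that the key is a single byte, and the key value 0x5A are all constructed for this demo; only the URL path /8jwpc/odw3ux comes from the post.

```python
from typing import Optional

# Constructed sample: a plausible beacon for the modified variant, using the URL
# path the post reports. The request layout, the host and the single-byte key
# 0x5A are assumptions for this demo, not values taken from the post.
SAMPLE_PLAINTEXT = (
    b"GET /8jwpc/odw3ux HTTP/1.1\r\n"
    b"Host: cnc.example.invalid\r\n"
    b"User-Agent: Mozilla/4.0\r\n\r\n"
)
ASSUMED_KEY = 0x5A
CAPTURED = bytes(b ^ ASSUMED_KEY for b in SAMPLE_PLAINTEXT)  # what a sensor would record


def xor_bytes(data: bytes, key: int) -> bytes:
    """Apply a single-byte XOR key; XOR is its own inverse, so this both encodes and decodes."""
    return bytes(b ^ key for b in data)


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or whitespace; decoded HTTP scores near 1.0."""
    if not data:
        return 0.0
    printable = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(data)


def recover_single_byte_key(captured: bytes, marker: bytes = b"HTTP/1.") -> Optional[int]:
    """Try all 256 keys. A key whose output contains the known-plaintext marker wins
    outright; otherwise return the key that yields the most printable output."""
    best_key, best_score = None, -1.0
    for key in range(256):
        candidate = xor_bytes(captured, key)
        if marker in candidate:
            return key
        score = printable_ratio(candidate)
        if score > best_score:
            best_key, best_score = key, score
    return best_key


def request_path(decoded: bytes) -> Optional[str]:
    """Return the path from a decoded HTTP request line, or None if it is not an HTTP request."""
    first_line = decoded.split(b"\r\n", 1)[0]
    parts = first_line.split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None
    return parts[1].decode("ascii", errors="replace")


if __name__ == "__main__":
    key = recover_single_byte_key(CAPTURED)
    print(f"recovered key: {key:#04x}")
    print(f"request path:  {request_path(xor_bytes(CAPTURED, key))}")
```

The marker check is what makes this robust against the key change the post describes: as long as the variant still speaks HTTP underneath, the decoder finds the new key without anyone having to extract it from the binary first, and the recovered path can be fed straight into the network-monitoring rules that the attackers were trying to evade.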

In addition, we found malicious documents in Russian that also drop the Enfal malware and connect to this network of C&C servers.

  File                       MD5
  Замысел Кавказ 2012.doc    81f40945554a4d585ea4993e43a493a5
  datac1en.dll               7185411935b5c24d600bd17debc2a0a0

The samples of this Enfal variant, which connect to the URL path /8jwpc/odw3ux, have used a variety of sub-domains on at least five domain names as C&C servers: {BLOCKED}, {BLOCKED}, {BLOCKED}, {BLOCKED} and {BLOCKED}.

In addition to this Enfal variant, its traditional version remains active as well. However, the modifications made to the traditional Enfal file paths indicate that the attackers are attempting to bypass defense measures such as IDS and network monitoring that match on Enfal’s consistent URL paths.
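The post gives two kinds of indicators: the legacy and modified URL paths discussed above, and the MD5 hashes of the dropper documents and datac1en.dll listed with the two malicious documents. The following added example (not code from the post or from Trend Micro) turns both into a small sweep: it classifies URL paths from a proxy log against the legacy regex and the new fixed path, and looks up file hashes from an AV or EDR export against the post's hash list. The proxy log format and its hosts and client addresses are constructed for this demo; the paths and hashes are the ones quoted in the post.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Network indicators quoted in the post. The legacy path is a regex because the
# directory name varies by one letter; the modified variant's path is fixed.
LEGACY_PATH_RE = re.compile(r"/cg[a-z]-bin/Owpq4\.cgi")
MODIFIED_PATH = "/8jwpc/odw3ux"

# File hashes (MD5) and detection names listed in the post.
KNOWN_MD5: Dict[str, str] = {
    "2f66e1a97b17450445fbbec36de93daf": "TROJ_ARTIEF.JN (Special General Meeting.doc)",
    "9801d66d822cb44ea4bf8f4d2739e29c": "BKDR_MECIV.AF (datac1en.dll)",
    "81f40945554a4d585ea4993e43a493a5": "Russian-language dropper (Замысел Кавказ 2012.doc)",
    "7185411935b5c24d600bd17debc2a0a0": "datac1en.dll dropped by the Russian-language document",
}

# Constructed proxy log in a simplified "timestamp client method url status" layout;
# the hosts and clients are placeholders, not the post's C&C domains.
PROXY_LOG = """\
2012-09-13T10:01:02Z 10.0.0.5 GET http://cnc.example.invalid/cga-bin/Owpq4.cgi 200
2012-09-13T10:01:05Z 10.0.0.7 GET http://www.example.invalid/index.html 200
2012-09-13T10:02:11Z 10.0.0.9 POST http://update.example.invalid/8jwpc/odw3ux 200
2012-09-13T10:03:40Z 10.0.0.5 GET http://cdn.example.invalid/8jwpc/odw3ux.png 404
"""


def classify_path(path: str) -> Optional[str]:
    """Return the indicator name for a URL path, or None. The legacy regex is
    anchored with fullmatch and the new path is compared exactly, so look-alike
    paths such as /8jwpc/odw3ux.png do not fire."""
    if LEGACY_PATH_RE.fullmatch(path):
        return "legacy Enfal path"
    if path == MODIFIED_PATH:
        return "modified Enfal path"
    return None


def scan_proxy_log(text: str) -> List[Dict[str, str]]:
    """Parse the simplified proxy log and return one record per indicator hit."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed lines rather than abort the whole sweep
        timestamp, client, method, url, status = fields
        indicator = classify_path(urlparse(url).path)
        if indicator:
            hits.append({"time": timestamp, "client": client, "url": url, "indicator": indicator})
    return hits


def lookup_md5(digest: str) -> Optional[str]:
    """Match an MD5 from an AV/EDR export against the post's list, tolerating case and whitespace."""
    return KNOWN_MD5.get(digest.strip().lower())


if __name__ == "__main__":
    for hit in scan_proxy_log(PROXY_LOG):
        print(f"{hit['time']} {hit['client']} -> {hit['indicator']}: {hit['url']}")
    print(lookup_md5("2F66E1A97B17450445FBBEC36DE93DAF"))
```

Matching on the path component rather than the whole URL is what lets the rule survive the sub-domain churn the post describes: the attackers rotated hosts on at least five domains, but the path the implant requests stayed fixed per variant, so both the legacy regex and the new string remain usable IDS and proxy-log signatures until the next modification.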

Trend Micro Deep Discovery defends against these attacks using a three-level detection scheme:

  • Malware scan (i.e., signature and heuristic) and Sandbox simulation
  • Destination analysis using the Trend Micro Smart Protection Network
  • Rule-based heuristic analysis of network traffic

Despite the modifications made to the Enfal malware, Deep Discovery is able to heuristically detect and defend against Enfal attacks.


Post from: TrendLabs | Malware Blog – by Trend Micro


Read more: Modified Enfal Variants Compromised 874 Systems

Story added 13 September 2012; the full text is available at the content source linked above.