'Lurid' malware hits Russia, CIS countries

Trend Micro says more than 1,400 computers in 61 countries were targeted

The latest espionage-related hacking campaign detailed by security vendor Trend Micro is most notable for the country it does not implicate: China.

Researchers from Trend wrote on Thursday that they discovered a series of hacking attacks targeting space-related government agencies, diplomatic missions, research institutions and companies located mostly in Russia but also Vietnam and Commonwealth of Independent States countries. In total, the attacks targeted 1,465 computers in 61 countries.

The attacks, which Trend dubbed "Lurid," are not particularly unusual compared to other stealthy, long-range hacking campaigns publicized recently, said Rik Ferguson, director of security research and communication for Europe. Targeted e-mails were sent to employees that were engineered to attack unpatched software and sought to steal spreadsheets, Word documents and other information.

Those pilfered documents were then uploaded to Web sites hosted on command-and-control servers in the U.S and the U.K. Ferguson said. The location of the servers in these attacks shows that hackers can choose servers anywhere in the world to collect stolen information, which is not an indication of where the hackers may be located, he said.

China has endured frequent accusations that it is complicit in hacking since many high-profile attacks have originated from infrastructure within the country. But Ferguson said there are many tools ranging from VPNs (Virtual Private Networks) to e-mail spoofing techniques that can mislead hacking investigations.

"What do we do now?" Ferguson asked. "Point the finger at the U.S. and U.K.?"

Trend classified the Lurid attacks as an "advanced persistent threat" or APT, a relatively new term applied to hacking campaigns that endure for long periods of time undetected. Lurid has been active since at least August 2010.

Lurid uses a downloader program known as "Enfal" to steal documents. The downloader has been around since at least 2006, although it is not known to be sold on underground criminal forums, Ferguson said.

The e-mails sent to victims contained an attached file that looked for vulnerabilities in software on the computer. This particular series of attacks often exploited a vulnerability in Adobe Reader that dates back to 2009, Ferguson said. If the companies or organizations have not patched their software, they may be vulnerable: Security experts generally recommend patching as soon as a fix has been released.

Trend found that the hackers also assigned a special code to individual pieces of malware in order to identity their victims. Although the Lurid attacks touched on many organizations, most of the attacks were targeted at just three.

Ferguson said Trend identified 301 different campaign codes, with 115 campaigns focused on just one victim and 64 others hitting just two more organizations.

The information exfiltrated from compromised computers was sent encrypted to the command-and-control servers via HTTP POST requests. Since the stolen information was encrypted and appeared to be normal Web traffic, it can be difficult for organizations to detect that they may have been compromised, he said.

Ferguson said Trend had contacted Computer Emergency Response Teams in the affected countries and is also working with the U.K.'s Serious Organised Crime Agency, which includes hacking as part of its remit.

Send news tips and comments to jeremy_kirk@idg.com

Tags intrusionsecuritytrend microDesktop securitydata breachdata protectionExploits / vulnerabilitiesmalware

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Jeremy Kirk

IDG News Service

Comments

Comments are now closed.

Most Popular Reviews

Follow Us

Best Deals on GoodGearGuide

Shopping.com

Latest News Articles

Resources

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Latest Jobs

Shopping.com

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?