'Lurid' malware hits Russia, CIS countries

Trend Micro says more than 1,400 computers in 61 countries were targeted

The latest espionage-related hacking campaign detailed by security vendor Trend Micro is most notable for the country it does not implicate: China.

Researchers from Trend wrote on Thursday that they discovered a series of hacking attacks targeting space-related government agencies, diplomatic missions, research institutions and companies located mostly in Russia but also Vietnam and Commonwealth of Independent States countries. In total, the attacks targeted 1,465 computers in 61 countries.

The attacks, which Trend dubbed "Lurid," are not particularly unusual compared to other stealthy, long-range hacking campaigns publicized recently, said Rik Ferguson, director of security research and communication for Europe. Targeted e-mails were sent to employees that were engineered to attack unpatched software and sought to steal spreadsheets, Word documents and other information.

Those pilfered documents were then uploaded to Web sites hosted on command-and-control servers in the U.S and the U.K. Ferguson said. The location of the servers in these attacks shows that hackers can choose servers anywhere in the world to collect stolen information, which is not an indication of where the hackers may be located, he said.

China has endured frequent accusations that it is complicit in hacking since many high-profile attacks have originated from infrastructure within the country. But Ferguson said there are many tools ranging from VPNs (Virtual Private Networks) to e-mail spoofing techniques that can mislead hacking investigations.

"What do we do now?" Ferguson asked. "Point the finger at the U.S. and U.K.?"

Trend classified the Lurid attacks as an "advanced persistent threat" or APT, a relatively new term applied to hacking campaigns that endure for long periods of time undetected. Lurid has been active since at least August 2010.

Lurid uses a downloader program known as "Enfal" to steal documents. The downloader has been around since at least 2006, although it is not known to be sold on underground criminal forums, Ferguson said.

The e-mails sent to victims contained an attached file that looked for vulnerabilities in software on the computer. This particular series of attacks often exploited a vulnerability in Adobe Reader that dates back to 2009, Ferguson said. If the companies or organizations have not patched their software, they may be vulnerable: Security experts generally recommend patching as soon as a fix has been released.

Trend found that the hackers also assigned a special code to individual pieces of malware in order to identity their victims. Although the Lurid attacks touched on many organizations, most of the attacks were targeted at just three.

Ferguson said Trend identified 301 different campaign codes, with 115 campaigns focused on just one victim and 64 others hitting just two more organizations.

The information exfiltrated from compromised computers was sent encrypted to the command-and-control servers via HTTP POST requests. Since the stolen information was encrypted and appeared to be normal Web traffic, it can be difficult for organizations to detect that they may have been compromised, he said.

Ferguson said Trend had contacted Computer Emergency Response Teams in the affected countries and is also working with the U.K.'s Serious Organised Crime Agency, which includes hacking as part of its remit.

Send news tips and comments to jeremy_kirk@idg.com

Join the PC World newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection

Tags intrusiontrend microsecuritydata breachDesktop securityExploits / vulnerabilitiesdata protectionmalware

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Jeremy Kirk

IDG News Service
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Matthew Stivala

HP OfficeJet 250 Mobile Printer

The HP OfficeJet 250 Mobile Printer is a great device that fits perfectly into my fast paced and mobile lifestyle. My first impression of the printer itself was how incredibly compact and sleek the device was.

Armand Abogado

HP OfficeJet 250 Mobile Printer

Wireless printing from my iPhone was also a handy feature, the whole experience was quick and seamless with no setup requirements - accessed through the default iOS printing menu options.

Azadeh Williams

HP OfficeJet Pro 8730

A smarter way to print for busy small business owners, combining speedy printing with scanning and copying, making it easier to produce high quality documents and images at a touch of a button.

Andrew Grant

HP OfficeJet Pro 8730

I've had a multifunction printer in the office going on 10 years now. It was a neat bit of kit back in the day -- print, copy, scan, fax -- when printing over WiFi felt a bit like magic. It’s seen better days though and an upgrade’s well overdue. This HP OfficeJet Pro 8730 looks like it ticks all the same boxes: print, copy, scan, and fax. (Really? Does anyone fax anything any more? I guess it's good to know the facility’s there, just in case.) Printing over WiFi is more-or- less standard these days.

Ed Dawson

HP OfficeJet Pro 8730

As a freelance writer who is always on the go, I like my technology to be both efficient and effective so I can do my job well. The HP OfficeJet Pro 8730 Inkjet Printer ticks all the boxes in terms of form factor, performance and user interface.

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?