A new variant attempts to escape defense mechanisms

Sep 14, 2012 08:07 GMT  ·  By

The Enfal malware, best known for its role in the LURID targeted attacks, is still causing damage. Researchers have identified 874 computers in 33 countries infected with a new version of the Trojan.

An analysis of the command and control (C&C) servers used in the attack shows that most of the current victims are in Vietnam, Russia and Mongolia. Other affected countries include China (29 infections), the United States (19 infections), the Philippines (11 infections), India and several Middle Eastern states.

The main targets of the attacks seem to be government organizations, military and defense contractors, nuclear and energy sectors, Tibetan communities, and the space and aviation industry, researchers from Trend Micro note.

The company is in the process of notifying the compromised parties, but in some cases this is difficult because the victims cannot be precisely identified.

According to the researchers, the attacks start with a carefully crafted email carrying a malicious attachment. For instance, the message aimed at Tibetan communities reads roughly as follows:

As you all are aware the Second Special General Meeting of Tibetans to discuss ways and means to deal with the urgent and critical situation inside Tibet will be held at Dharamshala from 25-28th September, 2012.

The attachment, a document named Special General Meeting.doc, carries a Trojan that exploits a Microsoft Office vulnerability to drop a backdoor on the victim's computer.

Once installed, the backdoor contacts its designated C&C server, giving the attackers complete control of the machine.

“The communication between this variant of Enfal and previous ones is different. The names of the files requested on the C&C server have been changed, and so has the XOR value used to encrypt the communications. In addition, all the communication is XORed,” Nart Villeneuve, senior threat researcher at Trend Micro, explained.

These changes to the established variant indicate that the operators of the campaign are trying to evade network monitoring and intrusion detection systems (IDS), in particular signatures written against the earlier variant's file names and XOR key.
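To make the evasion concrete, here is an added example (not code from the article or from Trend Micro) showing why an IDS content rule keyed to one variant's ciphertext stops firing when either the requested file name or the XOR key changes, and how a key-agnostic check that brute-forces the single-byte key and looks for protocol tokens the implant cannot rename still catches the traffic. The beacon text, file names, host and keys are constructed for illustration and are not taken from Enfal samples; the article does not state the key size or the exact encoding, so single-byte XOR is an assumption.

```python
"""Key-agnostic detection of single-byte-XOR-encoded C&C traffic.

Added example, not code from the article or from Trend Micro. The beacon
text, file names, host and XOR keys are constructed for illustration and are
not taken from Enfal samples; single-byte XOR is an assumption.
"""
from typing import Optional

# Constructed beacons: the "previous" variant requests one file name on the
# C&C server, the "new" variant another (hypothetical names, hypothetical host).
OLD_BEACON = b"GET /cgi-bin/status.cgi HTTP/1.1\r\nHost: c2.example.invalid\r\n\r\n"
NEW_BEACON = b"GET /cgi-bin/report.cgi HTTP/1.1\r\nHost: c2.example.invalid\r\n\r\n"

OLD_KEY = 0x7F  # hypothetical single-byte key of the previous variant
NEW_KEY = 0x3C  # hypothetical single-byte key of the new variant


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR. XOR is its own inverse, so one routine encodes and decodes."""
    return bytes(b ^ key for b in data)


# A conventional IDS content rule written against the previous variant: the
# ciphertext of a fixed plaintext token under the key observed at the time.
OLD_SIGNATURE = xor_bytes(b"/cgi-bin/status.cgi", OLD_KEY)


def signature_match(payload: bytes, signature: bytes = OLD_SIGNATURE) -> bool:
    """Fixed-pattern match: fires only if both the file name and the key are unchanged."""
    return signature in payload


# Tokens the implant cannot rename without breaking its own HTTP transport.
# Matching on these instead of on file names makes the rule key-agnostic.
INDICATORS = (b"HTTP/1.1\r\n", b"Host: ")


def recover_xor_key(payload: bytes, indicators=INDICATORS) -> Optional[int]:
    """Brute-force the 255 non-zero single-byte keys and return the first one
    under which every indicator appears in the decoded payload, or None.

    Key 0 is skipped on purpose: it would match ordinary plaintext HTTP,
    which a normal protocol parser already handles.
    """
    for key in range(1, 256):
        plain = xor_bytes(payload, key)
        if all(ind in plain for ind in indicators):
            return key
    return None


def inspect(payload: bytes) -> dict:
    """Run both checks on one captured payload and summarise the outcome."""
    key = recover_xor_key(payload)
    request_line = None
    if key is not None:
        first_line = xor_bytes(payload, key).split(b"\r\n", 1)[0]
        request_line = first_line.decode("ascii", "replace")
    return {
        "old_signature_hit": signature_match(payload),
        "recovered_key": key,
        "request_line": request_line,
    }


if __name__ == "__main__":
    for label, beacon, key in (("previous variant", OLD_BEACON, OLD_KEY),
                               ("new variant", NEW_BEACON, NEW_KEY)):
        print(label, inspect(xor_bytes(beacon, key)))
```

The fixed signature is defeated by either change on its own, which is why renaming the requested files and changing the XOR value are both worth the attackers' effort. The brute-force check costs 255 decodes per payload, so in practice it belongs on traffic already narrowed down by other criteria (unusual destinations, non-HTTP bytes on port 80, periodic beacons) rather than on a full link.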