Governments, space agencies and research institutions were the main target

Sep 23, 2011 07:34 GMT

Targeted attacks were discovered, causing damage to at least 47 companies and organizations that possessed classified documents and other spy-worthy information.

Trend Micro has discovered the Advanced Persistent Threat (APT) known as LURID, which has had a large impact in countries such as Russia, Kazakhstan and Ukraine. The identified victims include diplomatic missions, government ministries, space-related government agencies and other important companies and research institutions, which clearly owned something they didn't want to share.

The attacks targeted certain geographical areas as well as particular companies, with 15 domain names and 10 active IP addresses used to carry out the operations.

The LURID downloader, also known as Enfal, isn't something you'd find in the wild, as it has only been encountered in massive-scale hits such as those that target governments and other large organizations.

The actual attack consists of an email sent to the computers of the victim company. Once the attached file is executed, it makes use of known application vulnerabilities to download the entire suite of malicious elements it needs for the exploitation. From a single infected computer, the hackers can move almost freely throughout the network, infecting other devices and stealing every bit of sensitive information that comes their way.

These hacks are called APT because they use a lot of "zero-day" exploits or any other means necessary to penetrate the system. After that, the malware masks itself as a Windows service or places itself in the Startup folder of the operating system to make sure it's not going to be contained too easily.

After the infection has been made, the cybercriminal gains permanent control over the system, allowing him to send and receive files and even activate remote interactive shells.

Statistically speaking, it seems there were 2272 unique external IP addresses that were targeted, most of them in Russia. Middle Eastern and Far Eastern countries were the main objectives, but the real source of the hacks is hard to determine due to the evasion techniques used in these situations.

The research revealed that specific documents and spreadsheets were primary objectives, so it might just be one of those attacks we've spoken about in recent articles.