Modified Enfal Variants Compromised 874 Systems
Modified versions of the Enfal malware, which figured prominently in the LURID attacks, were seen to have infected more than 800 systems worldwide. Enfal variants are known to communicate with specific servers that give the attackers access to, and even full control of, infected systems.
We recently uncovered several attacks that used a modified version of Enfal, which has compromised 874 systems in 33 countries. Enfal was the malware used in the LURID targeted attacks, which we documented in September 2011. The malware was also linked to attacks going back to 2006 and possibly even 2002.
We investigated five command-and-control (C&C) servers related to these attacks and found that there were victim concentrations in Vietnam, Russia and Mongolia.
These identified targeted victims can be categorized as:
- Government Ministries and Agencies
- Military and Defense contractors
- Nuclear and Energy sectors
- Space and Aviation
- Tibetan community
Here are the top 5 countries that had compromised computers connecting to the five C&C servers. Note that a single compromised system may connect to more than one server.
C&C (1): {BLOCKED}2.152.14

| Country | Compromised systems |
|---|---|
| Vietnam | 394 |
| Russia | 34 |
| India | 19 |
| China | 14 |
| Bangladesh | 11 |

C&C (2): {BLOCKED}2.153.79

| Country | Compromised systems |
|---|---|
| Russia | 85 |
| Mongolia | 65 |
| Kazakhstan | 32 |
| United States | 19 |
| India | 14 |

C&C (3): {BLOCKED}8.175.122

| Country | Compromised systems |
|---|---|
| Mongolia | 41 |
| Russia | 14 |
| China | 11 |
| Philippines | 6 |
| India | 5 |

C&C (4): {BLOCKED}3.76.90

| Country | Compromised systems |
|---|---|
| Mongolia | 42 |
| Russia | 25 |
| Philippines | 5 |
| China | 4 |
| Brazil | 2 |

C&C (5): {BLOCKED}2.154.203

| Country | Compromised systems |
|---|---|
| Russia | 36 |
| Kazakhstan | 2 |
| Pakistan | 1 |
It should be noted, however, that in many cases we were unable to identify a specific victim beyond ISP and country. We are continuously notifying compromised parties via appropriate channels.
Attacks Using Modified Enfal With Campaign “Tags”
We found that there were 63 campaign “tags” or codes that the attackers used to keep track of which attack compromised which computers. Here are the top 5 campaign tags.
| Campaign tag | Count |
|---|---|
| ynshll | 221 |
| ynsh | 113 |
| mgin | 89 |
| 0821zh | 40 |
| ym2012814 | 38 |
During our research, we found that the typical vectors used in the attacks are socially-engineered emails with a malicious attachment.
The attachment is the malicious document Special General Meeting.doc (detected as TROJ_ARTIEF.JN), which exploits a Microsoft Office vulnerability (CVE-2012-0158) to drop BKDR_MECIV.AF onto the targeted computer. The compromised computer then begins to communicate with a C&C server, through which the attackers can maintain full control of the computer.

| File | MD5 | Detection |
|---|---|---|
| Special General Meeting.doc | 2f66e1a97b17450445fbbec36de93daf | TROJ_ARTIEF.JN |
| datac1en.dll | 9801d66d822cb44ea4bf8f4d2739e29c | BKDR_MECIV.AF |
This variant's communication with the C&C server differs from that of previous Enfal versions. The names of the files requested on the C&C server have changed, and so has the XOR value used to encrypt the communications. In addition, all of the communication is now XORed.
Previous versions of Enfal consistently requested “/cg[a-z]-bin/Owpq4.cgi” on the C&C server, which made that path a reliable indicator.
In addition, we found malicious documents in Russian that also drop the Enfal malware and connect to this network of C&C servers.
| File | MD5 |
|---|---|
| Замысел Кавказ 2012.doc | 81f40945554a4d585ea4993e43a493a5 |
| datac1en.dll | 7185411935b5c24d600bd17debc2a0a0 |

The samples of this Enfal variant, which connect to the URL path /8jwpc/odw3ux, have used a variety of subdomains on at least five domain names as C&C servers: {BLOCKED}tast.com, {BLOCKED}eibus.com, {BLOCKED}bfy.com, {BLOCKED}uttons.com and {BLOCKED}offe.com.
In addition to this Enfal variant, its traditional version remains active as well. However, the modifications made to the traditional Enfal file paths indicate that the attackers are attempting to bypass defense measures such as IDS and network monitoring that match on Enfal’s consistent URL paths.
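The two URL-path indicators above (the long-standing “/cg[a-z]-bin/Owpq4.cgi” request and the modified variant's “/8jwpc/odw3ux” path) can be checked side by side against proxy logs, so that monitoring keeps covering the traditional variant while also catching the changed path. This is an added example, not code from the original post or from Trend Micro; the log lines and hostnames are constructed placeholders, and the log format (timestamp, source IP, method, URL, version) is an assumption.

```python
import re
from collections import Counter
from typing import Optional
from urllib.parse import urlsplit

# URL-path indicators quoted in the post. Anchored to the whole path so a benign
# URL that merely contains the string in its query or a sub-path does not match.
ENFAL_PATH_RULES = {
    "enfal-legacy":   re.compile(r"^/cg[a-z]-bin/Owpq4\.cgi$"),
    "enfal-modified": re.compile(r"^/8jwpc/odw3ux$"),
}

# Constructed proxy log lines (not from the post); hosts are placeholders.
SAMPLE_LOG = """\
2012-08-21T10:02:11 10.0.4.17 GET http://update.example-one.invalid/cgi-bin/Owpq4.cgi HTTP/1.1
2012-08-21T10:02:13 10.0.4.17 GET http://update.example-one.invalid/cgb-bin/Owpq4.cgi HTTP/1.1
2012-08-21T10:05:40 10.0.4.22 GET http://news.example-two.invalid/8jwpc/odw3ux HTTP/1.1
2012-08-21T10:06:02 10.0.4.22 POST http://news.example-two.invalid/8jwpc/odw3ux HTTP/1.1
2012-08-21T10:07:15 10.0.4.31 GET http://www.example.invalid/cgi-bin/search.cgi?q=Owpq4.cgi HTTP/1.1
2012-08-21T10:08:00 10.0.4.31 GET http://www.example.invalid/8jwpc/odw3ux/readme.html HTTP/1.1
"""

def classify_path(path: str) -> Optional[str]:
    """Return the name of the first rule whose pattern matches the path, or None."""
    for name, pattern in ENFAL_PATH_RULES.items():
        if pattern.match(path):
            return name
    return None

def scan_log(text: str) -> list:
    """Parse 'timestamp src method url version' lines; return one hit per matching request."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip malformed lines instead of aborting the scan
        src, url = parts[1], parts[3]
        parsed = urlsplit(url)
        variant = classify_path(parsed.path)
        if variant:
            hits.append({"src": src, "host": parsed.hostname, "path": parsed.path, "variant": variant})
    return hits

def summarize(hits: list) -> dict:
    """Count hits per variant and list distinct C&C hosts and internal sources for triage."""
    return {
        "by_variant": dict(Counter(h["variant"] for h in hits)),
        "hosts": sorted({h["host"] for h in hits}),
        "sources": sorted({h["src"] for h in hits}),
    }

if __name__ == "__main__":
    print(summarize(scan_log(SAMPLE_LOG)))
```

Because the modified variant's traffic is fully XORed, the path rule only identifies the request; it does not decode the content, so a hit should be followed by host investigation rather than treated as a full verdict.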
Trend Micro Deep Discovery defends against these attacks using a three-level detection scheme:
- Malware scan (i.e., signature and heuristic) and Sandbox simulation
- Destination analysis using the Trend Micro Smart Protection Network
- Rule-based heuristic analysis of network traffic
Despite the modifications made to the Enfal malware, Deep Discovery is able to heuristically detect and defend against Enfal attacks.
Post from: TrendLabs | Malware Blog – by Trend Micro