Newer ‘Enfal’ Versions Hijack Over 800 PCs Globally, Reports Trend Micro
Researchers at Trend Micro report that variants of Enfal, the malware family used heavily in the LURID targeted attacks, have already infected more than 800 computers worldwide.
It may be noted that in September 2011 Trend Micro documented the LURID targeted attacks, describing them as a large-scale campaign that compromised almost 1,500 PCs across 61 countries; the PCs belonged to government ministries, diplomatic missions and national space agencies.
Analysis of the command-and-control (C&C) servers used in the latest attacks shows that the largest numbers of currently infected machines are in Mongolia, Russia and Vietnam; other affected countries include the USA, India, the Philippines, several Middle Eastern countries and China.
Trend Micro's researchers also state that the campaign's main targets are government agencies; defence, particularly military contractors; the aviation and space sectors; Tibetan communities; and the energy and nuclear industries.
Trend Micro has begun notifying the compromised parties, although this is not always straightforward because the victims can be hard to identify precisely.
Specialists state that the attacks begin with a carefully crafted e-mail carrying a malicious attachment. In one such e-mail targeting Tibetan communities, for example, the message tells community members the date and venue of the 2nd Special General Meeting of Tibetans, to be held in Dharamshala on 25-28 September 2012 to discuss ways of handling the critical and urgent situation in Tibet.
The attached file, named Special General Meeting.doc, is malicious: it is detected as TROJ_ARTIEF.JN and exploits the MS Office vulnerability CVE-2012-0158 (the MSCOMCTL.OCX flaw Microsoft patched in bulletin MS12-027) to plant a backdoor, detected as BKDR_MECIV.AF, on the host PC. Once infected, the PC begins communicating with a remote command-and-control server.
Interestingly, the current Enfal variant's communication method differs from that of earlier ones: the filenames requested from the command-and-control server are different, and the XOR value used to encode the communications has also been changed.
Trend Micro concludes that the newer Enfal variants show the attackers are mindful of evading defences, in particular intrusion detection systems and network-monitoring rules that match the malware's previously stable URL paths.
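As an added example (not code from Trend Micro or from this article), the Python script below shows why a network signature that hard-codes one XOR key and one URL path stops matching as soon as either changes, and how an analyst can instead recover an unknown single-byte XOR key from a captured beacon and match on the protocol's shape. The keys, paths, host name and beacon layout are all constructed for the illustration; they are not Enfal's real protocol and none of them are real indicators.

```python
# Added example, not code from Trend Micro or from the article above.
# It contrasts a brittle signature (fixed XOR key + fixed URL path) with a
# key-agnostic check that first recovers the single-byte XOR key from the
# captured bytes. Keys, paths, host and beacon layout are constructed for the
# illustration and are NOT Enfal's real protocol or real IOCs.

PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}

# Hypothetical keys: the one an "old" signature was written against, and the
# one a "new" variant switched to.
OLD_KEY = 0x5A
NEW_KEY = 0x3C

# Constructed HTTP-style beacons; the old and new variants request
# different filenames from the C&C server.
OLD_BEACON = b"GET /old/check.txt HTTP/1.1\r\nHost: c2.example.invalid\r\n\r\n"
NEW_BEACON = b"GET /new/status.txt HTTP/1.1\r\nHost: c2.example.invalid\r\n\r\n"


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR; the same operation both encodes and decodes."""
    return bytes(b ^ key for b in data)


def legacy_signature_match(payload: bytes) -> bool:
    """Brittle rule: decode with the OLD key and look for the OLD path.

    This is the kind of rule that is tied to the malware's 'steady URL paths'
    and silently stops firing once the key or the path changes."""
    decoded = xor_bytes(payload, OLD_KEY)
    return decoded.startswith(b"GET /old/check.txt ")


def printable_count(data: bytes) -> int:
    """Number of bytes that are printable ASCII or tab/CR/LF."""
    return sum(1 for b in data if b in PRINTABLE)


def recover_xor_key(payload: bytes) -> int:
    """Try all 256 keys and keep the one whose output looks most like text.

    Heuristic: text-based C&C traffic decodes to printable ASCII under the
    right key, while a wrong key scatters bytes into the control and
    high-bit ranges. Suitable for single-byte keys only."""
    best_key, best_score = 0, -1
    for key in range(256):
        score = printable_count(xor_bytes(payload, key))
        if score > best_score:
            best_key, best_score = key, score
    return best_key


def structural_match(payload: bytes) -> bool:
    """Key-agnostic check: recover the key, then match the protocol shape
    (an HTTP request line) rather than one fixed path."""
    decoded = xor_bytes(payload, recover_xor_key(payload))
    first_line = decoded.split(b"\r\n", 1)[0]
    return first_line.startswith(b"GET /") and first_line.endswith(b" HTTP/1.1")


if __name__ == "__main__":
    old_wire = xor_bytes(OLD_BEACON, OLD_KEY)
    new_wire = xor_bytes(NEW_BEACON, NEW_KEY)
    print("legacy signature on old variant:", legacy_signature_match(old_wire))  # True
    print("legacy signature on new variant:", legacy_signature_match(new_wire))  # False
    print("recovered key for new variant:  ", hex(recover_xor_key(new_wire)))    # 0x3c
    print("structural match on new variant:", structural_match(new_wire))        # True
```

The printable-ratio heuristic is enough for single-byte keys over text-like traffic; against a multi-byte key or a binary protocol an analyst would need a known-plaintext anchor or frequency analysis instead, which is exactly why matching on decoded structure rather than on one key and one path survives the kind of variant change described above.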
SPAMfighter News - 19-09-2012