Enfal Malware Hits Nuke, Energy Sectors

Monday, September 17, 2012 @ 07:09 PM gHale


Nuclear and energy sectors are among the industries still suffering from the Enfal malware, best known for its involvement in the LURID targeted attacks.

Over 870 computers in 33 different countries are infected with a new version of the Trojan, researchers said.


An analysis of the command and control (C&C) servers used in the attack showed most of the current victims reside in Vietnam, Russia and Mongolia. Other affected countries appear to be China (29 infections), the Philippines (11 infections), the United States (19 infections), India and some Middle Eastern states.

Along with the nuclear and energy sectors, the main targets of the attacks seem to be government organizations, military and defense contractors, Tibetan communities, and the space and aviation industry, Trend Micro researchers said.

The company is in the process of notifying compromised parties, but in some cases that is difficult because the victims cannot readily be identified.

The attacks start with a cleverly designed email that carries malicious attachments, the researchers said.

For instance, the message that targets Tibetan communities reads something like this:
“As you all are aware the Second Special General Meeting of Tibetans to discuss ways and means to deal with the urgent and critical situation inside Tibet will be held at Dharamshala from 25-28th September, 2012.

The attachment, a document named Special General Meeting.doc, carries a Trojan which exploits a vulnerability in Microsoft Office in order to drop a backdoor on the infected computer.

Once it’s settled on a system, the malware communicates with its designated C&C server, allowing the cybercriminals to take complete control of the machine.

“The communication between this variant of Enfal and previous ones is different. The names of the files requested on the C&C server have been changed, and so has the XOR value used to encrypt the communications. In addition, all the communication is XORed,” said Nart Villeneuve, senior threat researcher at Trend Micro.

The modifications made to the earlier variant suggest the operators of the campaign are trying to evade security mechanisms such as network monitoring and intrusion detection systems (IDS), which often rely on matching fixed file names or known XOR keys.
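A detection-side illustration of why swapping the XOR value is a weak evasion, added here as an example that is not from the article or from Trend Micro: it assumes a single-byte XOR key (the article does not state the key length) and runs over a constructed beacon-style request, not real Enfal traffic. Rather than matching one known key, it scores all 256 candidate keys and flags a payload that decodes to HTTP-like text.

```python
"""Single-byte XOR key recovery for captured C&C traffic (defensive analysis)."""
import string

PRINTABLE = set(bytes(string.printable, "ascii"))
# Tokens that mark an HTTP-like beacon once the payload is correctly decoded
HTTP_TOKENS = (b"GET ", b"POST ", b"HTTP/", b"Host:")


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key (symmetric: encode == decode)."""
    return bytes(b ^ key for b in data)


def score_candidate(candidate: bytes) -> float:
    """Higher is more plaintext-like: printable ratio plus a bonus per HTTP token."""
    if not candidate:
        return 0.0
    printable = sum(1 for b in candidate if b in PRINTABLE) / len(candidate)
    hits = sum(candidate.count(tok) for tok in HTTP_TOKENS)
    return printable + 0.5 * hits


def recover_single_byte_key(blob: bytes):
    """Try all 256 keys; return (key, decoded, score) for the best-scoring one."""
    best = (0, blob, score_candidate(blob))          # key 0 == unmodified payload
    for key in range(1, 256):
        decoded = xor_bytes(blob, key)
        s = score_candidate(decoded)
        if s > best[2]:
            best = (key, decoded, s)
    return best


def looks_like_xored_http(blob: bytes, threshold: float = 1.5) -> bool:
    """Flag a payload that only becomes HTTP-like under some non-zero key."""
    key, _, s = recover_single_byte_key(blob)
    return key != 0 and s >= threshold


# Constructed sample (not real Enfal traffic): a beacon-style request
SAMPLE_PLAINTEXT = (b"GET /placeholder/check.cgi?id=HOST-01 HTTP/1.1\r\n"
                    b"Host: c2.example.invalid\r\n\r\n")
SAMPLE_KEY = 0x5A                        # arbitrary assumed key for the demo
SAMPLE_CAPTURE = xor_bytes(SAMPLE_PLAINTEXT, SAMPLE_KEY)

if __name__ == "__main__":
    key, text, score = recover_single_byte_key(SAMPLE_CAPTURE)
    print(f"key=0x{key:02x} score={score:.2f}")
    print(text.decode("ascii", "replace"))
```

Because the check is key-agnostic, an operator changing the XOR value between variants does not defeat it; only a change of scheme (multi-byte key or a real cipher) would.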
