According to David Sancho and Nart Villeneuve, approaching 1,500 systems have been tracked as compromised, with the bulk of the compromised servers being in Russia, Kazakhstan and Vietnam, as well as a smattering of former states in the USSR sphere of influence.
This particular campaign, they assert, consists of more than 300 malicious, targeted attacks, monitored by the attackers using a unique identifier embedded in the associated malware.
“Our analysis of the campaigns reveals that attackers targeted communities in specific geographic locations as well as campaigns that targeted specific victims. In total, the attackers used a command and control network of 15 domain names associated with the attackers and 10 active IP addresses to maintain persistent control over the 1465 victims”, they say in their security posting.
The `Lurid Downloader ' - aka Enfal – is a well-known malware family but it is not a publicly available toolkit that can be purchased by aspiring cybercriminals, say the researchers.
This malware family, they add, has in the past been used to target both the US public and private sector agencies, although there appear to be no direct links between this particular network and the previous ones.
Interestingly, the researchers say that these types of attacks are being described as APTs - Advanced Persistent Threats – under which a target receives an email message that encourages them to open an attached file.
The files sent by the attackers contain malicious code that exploits vulnerabilities in popular software programs such as Adobe Reader and Microsoft Office, with the payload being malware that is silently executed on the target’s computer.
“This allows the attackers to take control of the computer and obtain data. The attackers may then move laterally throughout the target’s network and are often able to maintain control over compromised computers for extended periods of time. Ultimately, the attacks locate and ex-filtrate sensitive information from the victim’s network”, the researchers note.
“Through the exposure of the Lurid network, we aim to enable a better understanding of the extent and frequency of such attacks as well as the challenges that targeted malware attacks pose for traditional defences”, they say.
Defensive strategies against the campaign, the add, can be dramatically improved by understanding how targeted malware attacks work as well as trends in the tools, tactics and procedures of the threat actors behind such attacks.
“By effectively using threat intelligence derived from external and internal sources combined with security tools that empower human analysts, organisations are better positioned to detect and mitigate such targeted attacks”, the researchers explain.
Over at LogRhythm, Ross Brewer, the audit and log security specialist;s managing director, said that Lurid attack swarm seems to be a classic example of an advanced persistent threat, with hackers launching well targeted and coordinated attacks against high value individuals, and then successfully staying hidden so they could gather confidential information over a period of time.
“It’s probable that the victims had little or no idea that they were being snooped on or that their data was at risk”, he said, adding that, in order to stop these types of attacks from ever gaining a foothold, organisations need to seriously step up their security management.
“As well as the obvious responses, such as patching against vulnerabilities and deploying other point solutions which can help keep out hackers, other approaches are also required if organisations are to detect hackers who have already penetrated their networks”, he said.
“Log data provides vital intelligence in the fight against APTs. Each and every time a file, desktop or server is accessed, data is produced that can be scrutinised to identify patterns of unusual or unauthorised behaviour”, he added.
Brewer concludes that, by automatically collecting, correlating and analysing the log data created across its entire network, an organisation can begin to understand if, what looks on the face of it to be a low level incident, is actually just one small part of a systematic and prolonged attack on its IT infrastructure.”