Trend Micro Exposes LURID Spearphishing Attacks

Trend Micro, a leading security company and distributor of the Iconix products, has uncovered a massive and ongoing series of cyber attacks dubbed Lurid.  Trend Micro provided this overview of Lurid:

Trend Micro has discovered an ongoing series of targeted attacks known as “LURID,” which has successfully compromised 1,465 computers in 61 different countries. We have been able to identify 47 victims, including diplomatic missions, government ministries, space-related government agencies, as well as other companies and research institutions.

The countries most impacted by this attack include Russia, Kazakhstan, and Vietnam, along with numerous other countries mainly Commonwealth independent states (in the former Soviet Union).

This particular campaign comprised over 300 malicious targeted attacks that were monitored by the attackers using a unique identifier embedded in the associated malware. Our analysis of the campaigns reveals that attackers targeted communities in specific geographic locations as well as specific victims. In total, the attackers used a command-and-control (C&C) network of 15 domain names and 10 active IP addresses to maintain persistent control over the 1,465 victims.

How are these bad guys introducing the malware into the targeted computers?

More and more frequently, targeted malware attacks such as these are being described as advanced persistent threats. A target receives an email that encourages him/her to open an attached file. The file sent by the attackers contain malicious code that exploits vulnerabilities in popular software such as Adobe Reader (e.g., .PDFs) and Microsoft Office (e.g., .DOCs).

Spearphishing.  Again.  Just like “Revealed: Operation Shady RAT,” in which McAfee highlighted more than 70 targeted intrusions into governments, corporations and non-profits.  Just like the attack that compromised the RSA security token. The common thread in these security breaches was spearphishing emails that allowed malware to gain entry into the systems. Criminals are moving from high volumes of ineffective emails to small numbers of well-crafted highly personalized messages that are indistinguishable from legitimate email. The problem is no longer recipient gullibility, but the inability to tell good emails from bad emails.

In order to provide a defense against spearphishing, Iconix has added fraud filtering capability to SP Guard^TM, its spear-phishing defense product. Now, in addition to highlighting legitimate messages with an icon in the inbox, enterprises will be able to block fraudulent messages pretending to be from their organization or their trusted partners.