Enfal

Enfal, Lurid
(Type: Downloader)

(Trend Micro) The Lurid Downloader, often referred to as Enfal, is a well-known malware family. It is, however, not created with a publicly available toolkit that can be purchased by any aspiring cybercriminal. This malware family has, in the past, been used to target both the U.S. government and nongovernmental organizations (NGOs). However, there appear to be no direct links between this particular network and previous ones.

[News Analysis] Trends:

Total Trend: 7

Trend Per Year
2012: 1
2015: 2
2017: 1
2020: 3

Trend Per Month
Oct 2012: 1
Feb 2015: 1
Oct 2015: 1
May 2017: 1
2020: 2
Mar 2020: 1



[News Analysis] News Mention Another Threat Name:

4 - 8.t Dropper
4 - BYEBY
36 - Enfal
4 - Korlia
30 - Poison Ivy
5 - BS2005
22 - Mirage
5 - RoyalCli
5 - Royal DNS
5 - APT15
10 - 9002 RAT
10 - CHINACHOPPER
12 - Ghost RAT
25 - HttpBrowser
10 - HyperBro
10 - owaauth
25 - PlugX
10 - ZXShell
10 - APT27
4 - MimiKatz
4 - APT24
18 - BlackPOS
18 - CryptoLocker
18 - Derusbi
18 - Elise
18 - EvilGrab
18 - Gameover P2P
18 - Medusa
18 - Naikon
18 - NetTraveler
18 - pirpi
18 - Sakula RAT
18 - Sinowal
20 - sykipot
20 - taidoor
4 - Gh0stnet
4 - Nitro


[TTP Analysis] Technique Performance:

reconnaissance: 0/43
resource development: 0/45
initial access: 0/19
execution: 0/36
persistence: 0/113
privilege escalation: 0/96
defense evasion: 0/184
credential access: 0/63
discovery: 0/44
lateral movement: 0/22
collection: 1/37
command and control: 1/39
exfiltration: 0/18
impact: 0/26


[TTP Analysis] Mitre Attack Matrix:

TA0043 TA0042 TA0001 TA0002 TA0003 TA0004 TA0005 TA0006 TA0007 TA0008 TA0009 TA0011 TA0010 TA0040
Reconnaissance Resource Development Initial Access Execution Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Collection Command and Control Exfiltration Impact
TA0009 Collection: T1560 Archive Collected Data
TA0011 Command and Control: T1573.001 Encrypted Channel: Symmetric Cryptography


[Target Analysis] Region/Sector:

No information


References:

News Article (Credit @Malpedia)

Vicious Panda: The COVID Campaign

2020-03-12 by Check Point Research from Check Point

BRONZE PALACE

2020 by SecureWorks from Secureworks

BRONZE UNION

2020 by SecureWorks from Secureworks

PittyTiger

2017-05-31 by MITRE ATT&CK from MITRE

How to Write Simple but Sound Yara Rules – Part 2

2015-10-17 by Florian Roth from BSK Consulting

CrowdStrike Global Threat Intel Report 2014

2015-02-06 by CrowdStrike from CrowdStrike

Detecting APT Activity with Network Traffic Analysis

2012-10-23 by Nart Villeneuve from Trend Micro

Basic Information (Credit @etda.or.th)

Tool: Enfal

Names: Enfal, Lurid

Description: (Trend Micro) The Lurid Downloader, often referred to as Enfal, is a well-known malware family. It is, however, not created with a publicly available toolkit that can be purchased by any aspiring cybercriminal. This malware family has, in the past, been used to target both the U.S. government and nongovernmental organizations (NGOs). However, there appear to be no direct links between this particular network and previous ones.

Category: Malware

Type: Downloader

Information: https://blog.trendmicro.com/trendlabs-security-intelligence/trend-micro-exposes-lurid-apt/

Information: https://www.bsk-consulting.de/2015/10/17/how-to-write-simple-but-sound-yara-rules-part-2/

Information: https://researchcenter.paloaltonetworks.com/2015/05/cmstar-downloader-lurid-and-enfals-new-cousin/

Mitre-attack: https://attack.mitre.org/software/S0010/

Malpedia: https://malpedia.caad.fkie.fraunhofer.de/details/win.enfal

Alienvault-otx: https://otx.alienvault.com/browse/pulses?q=tag:enfal

Last-card-change: 2020-05-13

Source: https://apt.etda.or.th/cgi-bin/listtools.cgi

TTP Info (Credit @Mitre)

TA0009 Collection: T1560 Archive Collected Data
Lurid can compress data before sending it.

TA0011 Command and Control: T1573.001 Encrypted Channel: Symmetric Cryptography
Lurid performs XOR encryption.