By Pei Kan Tsung, Chief Cyber Researcher, Verint Systems
The Enfal malware, first spotted in 2004, is more dangerous than ever given its ability to morph over time often enough to evade detection.
Recent analysis by the Verint Cyber Intelligence research team shows that Enfal is still evolving, continuing to elude detection from most antivirus and firewall protection technologies. Most recently, it’s added an API name obfuscation technique and configuration block encryption method to get past security protection.
Analysis of the patterns and indicators confirmed that Enfal’s core remains the same, allowing it to maintain a backdoor to any system it has already infiltrated or the new systems it infiltrates.
The Verint team has taken its research a step further for the betterment of the entire IT security protection market. In the latest report, we’ve provided full disclosure of Enfal communication protocols as well as the back end. The decade plus-long Enfal sample list gives cyber-protection companies the ability to add in protection and discovery for the Enfal malware still lurking within.
Enfal Travels the World and Invades at Will
Enfal has had a broad geographic range. As part of the long-term analysis, the team reviewed the compromised data beginning from 2008 and found that the initial attacks were mostly targeted at the U.S., European, and Asian countries, such as China and Taiwan.
Fast forward to 2015, and the majority of compromised countries are still in Southeast Asia, with the notable additions of Ethiopia and Brazil. In 2015, the attacks were directed at Taiwan, Indonesia, Malaysia, and Korea, mostly targeting diplomatic organizations and NGOs. In some cases, the same computers appeared in the lists for both 2008 and 2015, leading the team to believe that Enfal may have been lurking within these units for seven years without being discovered.
Attesting to the stealthiness of the Enfal malware, these organizations were completely unaware they were under attack prior to notification from the team. Some of these organizations had been compromised since the beginning of Enfal’s active period.
In March of 2016, Enfal activities were once more discovered in Taiwan government units. Some changes were made to the communication URL, but otherwise most functions remained the same.
The Enfal Evildoers
The research revealed deep connections between Enfal and the notorious Taidoor APT backdoor groups. Since 2008, Taidoor malware has been used in cyberespionage campaigns launched against corporations and government agencies with interests in Taiwan. During our research, we came across some Taidoor backdoors that scan the availability of Enfal’s Command & Control (C2) IP, implying that the two malwares may use the same C2 protocol, potentially belonging to the same group and sharing the same C2 server – maximizing investment while minimizing effort – a goal of every cybercriminal.
Meanwhile, the PittyTiger APT campaign exposed by Airbus Defense and Space in 2014, which targeted private sector and government organizations, featured a RAT that used the Enfal protocol for communications, but with RC4 algorithms to encrypt data. This variant of the Enfal malware was named MM RAT.
The More Things Change, the More Things Stay the Same
Using its forensics technology, the Verint team cross-checked the basic timestamp metadata (create time, last access, last write) against other data sources to confirm that the metadata had been tampered with and that this tampering most likely took place on March 1, 2016. To date, this malware has not yet been seen on VirusTotal.
A comprehensive picture of Enfal’s communications protocols and backend functionality is available here.
Pei Kan Tsung is Chief Cyber Researcher at Verint Systems.