IT Brief New Zealand - Technology news for CIOs & IT decision-makers
Story image
Enfal threat still causing havoc to businesses after seven years of mayhem
Tue, 19th Jul 2016
FYI, this story is more than a year old

Verint Systems has highlighted the continued threat of the Enfal malware, which has been lurking since 2004 but has been increasingly dangerous over the past seven years.

The malware has become increasingly adept at morphing to evade detection, and Verint says that Enfal is avoiding detection by most antivirus and firewall protections. Its most recent transformation added an API name obfuscation and configuration block encryption to slip past security scanners.

Pei Kan Tsung, chief cyber researcher at Verint Systems, says, "Analysis of the patterns and indicators confirmed that Enfal's core remains the same, allowing it to maintain a backdoor to any system it has already infiltrated or the new systems it infiltrates."

Verint's full report details how the Enfal malware works, including the "decade plus-long" sample list which will allow cyber security providers to add protection against the malware.

The initial Enfal malware attacks targeted the United States, Europe and Asia, while last year the focus remained on Asia but also moved south to Indonesia, suggesting that the entire Asia Pacific region, including Australia and New Zealand, may soon be targets.

The Enfal attacks have been found in businesses, as well as in Taiwanese government units.

"In some cases, the same computers appeared in the lists for both 2008 and 2015, leading the team to believe that Enfal may have been lurking within these units for seven years without being discovered," Tsung says.

Verint believes there are connections between the Enfal malware and the Taidoor APT backdoor groups, which use Taidoor malware in cyberespionage campaigns against corporations and governments with active interests in Taiwan.

Taidoor backdoors reportedly scan Enfal's Command and Control IP, which Verint says might mean that the two malwares use the same protocol and therefore belong to the same group. This method maximises investment while minimising effort, making them both an effective cyberespionage method.