News Feature | August 1, 2016

Morphing Enfal Malware Remains Dangerous

By Christine Kern, contributing writer


New report finds that Enfal is still evolving with a new API name obfuscation technique

The Enfal malware, first identified in 2004, is more dangerous than ever because it has morphed often enough over time to keep evading detection, according to analysis from the Verint Cyber Intelligence research team.

Enfal is still evolving and continues to elude most antivirus and firewall protection technologies. While its core remains the same, it has added an API name obfuscation technique and a configuration block encryption method to get past security controls. Once Enfal has infiltrated a system, it maintains a backdoor into it.
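The article does not say how Enfal's API name obfuscation works. The following is an added example, not code from the Verint report, showing the general technique the term usually refers to: the binary stores a hash of each API name instead of the string and resolves the address at runtime by hashing the DLL's export names until one matches, so a static scan for suspicious API strings finds nothing. The rotate-right-13 hash and the short export list are assumptions for illustration. The defender-side check is also shown: precompute the hash table for known DLL exports and scan the file for matching constants.

```python
"""Generic import-hashing illustration (assumed scheme, not Enfal's documented one)."""
import struct
from typing import Dict, List, Optional

# Constructed stand-in for kernel32's export names; a real loader walks the PE export directory.
KERNEL32_EXPORTS: List[str] = [
    "CreateFileW", "WriteFile", "CreateProcessW",
    "VirtualAlloc", "LoadLibraryA", "GetProcAddress",
]

# APIs a static scanner might put on a watchlist.
SUSPICIOUS_APIS: List[str] = ["CreateProcessW", "VirtualAlloc", "LoadLibraryA"]


def ror13_hash(name: str) -> int:
    """32-bit rotate-right-13 hash over the ASCII name (assumed for illustration)."""
    h = 0
    for byte in name.encode("ascii"):
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF
        h = (h + byte) & 0xFFFFFFFF
    return h


def resolve_by_hash(wanted: int, exports: List[str]) -> Optional[str]:
    """Runtime side of the trick: hash every export name and return the one that matches.

    The binary only needs to carry the 32-bit constant, never the API name string.
    """
    for name in exports:
        if ror13_hash(name) == wanted:
            return name
    return None


def build_plaintext_import_blob(names: List[str]) -> bytes:
    """Simulates a conventional binary: import names sit in the file as NUL-terminated strings."""
    return b"".join(n.encode("ascii") + b"\x00" for n in names)


def build_hashed_import_blob(names: List[str]) -> bytes:
    """Simulates an obfuscated sample: only packed little-endian hash constants are stored."""
    return b"".join(struct.pack("<I", ror13_hash(n)) for n in names)


def plaintext_api_hits(binary: bytes, watchlist: List[str]) -> List[str]:
    """Naive static check: which watch-listed API names appear verbatim in the file?"""
    return [n for n in watchlist if n.encode("ascii") in binary]


def recover_hashed_imports(binary: bytes, exports: List[str]) -> List[str]:
    """Defender side: precompute hash->name for known exports, then slide a 4-byte window
    over the file (every byte offset, since constants need not be aligned) and report
    any value that matches a known export hash."""
    table: Dict[int, str] = {ror13_hash(n): n for n in exports}
    found: List[str] = []
    for off in range(0, len(binary) - 3):
        value = struct.unpack_from("<I", binary, off)[0]
        if value in table and table[value] not in found:
            found.append(table[value])
    return found


if __name__ == "__main__":
    plain = build_plaintext_import_blob(SUSPICIOUS_APIS)
    hashed = build_hashed_import_blob(SUSPICIOUS_APIS)
    print("plaintext sample, string scan hits:", plaintext_api_hits(plain, SUSPICIOUS_APIS))
    print("hashed sample, string scan hits:   ", plaintext_api_hits(hashed, SUSPICIOUS_APIS))
    print("hashed sample, recovered via table:", recover_hashed_imports(hashed, KERNEL32_EXPORTS))
```

The string scan is empty on the hashed sample, which is the evasion the article refers to; the hash-table pass recovers the same three names, which is why analysts build such tables for common DLLs as soon as a family's hash function is identified.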

The latest report also provides full disclosure of Enfal's communication protocols and its back end. The sample list, which spans more than a decade, gives security vendors what they need to add protection and detection for the Enfal malware still lurking in networks.

The report found that, while the initial attacks targeted the U.S., Europe, and Asia, Enfal's reach is global. In 2015, the majority of compromised hosts were still located in Southeast Asia, along with Ethiopia and Brazil. The data also suggests that the malware may have lurked within some computers for seven years before being discovered.

According to Pei Kan Tsung, Chief Cyber Researcher, Verint System, “Attesting to the stealthiness of the Enfal malware, these organizations were completely unaware they were under attack prior to notification from the team. Some of these organizations had been compromised since the beginning of Enfal's active period.”

The data also revealed a deep connection between Enfal and the Taidoor APT backdoor groups, and showed that the PittyTiger APT campaign featured a RAT that used the Enfal protocol for communications, with RC4 encryption of the data. This Enfal variant was named MM RAT.

The report concluded, “The longevity of the Enfal malware is legendary — its APT backdoors have been active since 2004. Yet, unlike other APT backdoors that were only active during certain periods or attacks, revisions of this malware continue to appear on a consistent basis from 2008 until 2016. Based on our attack target analysis, we can see the global dispersion of Enfal’s operations. Because of its simple yet precise characteristics, and its unsynchronized command downloads from servers, Enfal’s C2 communications cannot be easily detected on compromised computers using standard traffic anomaly-based techniques. As a result, even if many compromised devices have undergone system upgrades, they are still being attacked year after year.”
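As an added illustration that is not from the report, and assuming that "unsynchronized command downloads" means the implant polls its server at irregular intervals rather than on a fixed beacon period: a simple interval-regularity check, of the kind an anomaly-based detector might use, flags a fixed-period beacon but not an irregular polling schedule. The timestamps below are constructed, and the threshold is an assumption.

```python
"""Beacon-regularity check: why fixed-period C2 is easy to flag and irregular polling is not."""
import statistics
from typing import List


def intervals(timestamps: List[float]) -> List[float]:
    """Gaps in seconds between consecutive outbound connections from one host to one destination."""
    return [later - earlier for earlier, later in zip(timestamps, timestamps[1:])]


def beacon_regularity(timestamps: List[float]) -> float:
    """Coefficient of variation of the gaps: 0.0 means perfectly periodic, larger means irregular.

    Returns float('inf') when there are too few gaps or the gaps are degenerate.
    """
    gaps = intervals(timestamps)
    if len(gaps) < 2:
        return float("inf")
    mean = statistics.fmean(gaps)
    if mean <= 0:
        return float("inf")
    return statistics.pstdev(gaps) / mean


def looks_like_fixed_beacon(timestamps: List[float], max_cv: float = 0.1, min_gaps: int = 8) -> bool:
    """Flag a connection series as a beacon when it has enough samples and the gaps are near-constant.

    max_cv and min_gaps are assumed thresholds for illustration, not values from the report.
    """
    if len(intervals(timestamps)) < min_gaps:
        return False
    return beacon_regularity(timestamps) <= max_cv


# Constructed: a classic 60-second beacon, seconds since the start of the capture.
FIXED_BEACON = [60.0 * i for i in range(20)]

# Constructed: irregular polling with no fixed period (the assumed meaning of "unsynchronized").
IRREGULAR_POLLING = [0.0, 45.0, 400.0, 410.0, 1900.0, 1950.0, 3600.0, 3620.0,
                     3700.0, 7200.0, 7260.0, 9000.0, 9100.0, 9105.0, 15000.0]

if __name__ == "__main__":
    for label, series in (("fixed beacon", FIXED_BEACON), ("irregular polling", IRREGULAR_POLLING)):
        print(f"{label}: cv={beacon_regularity(series):.3f} flagged={looks_like_fixed_beacon(series)}")
```

The fixed series has a coefficient of variation of zero and is flagged; the irregular series is not, even though every one of its connections is to the same command server. Catching the latter needs content- or destination-based signals (the protocol and back-end details the report discloses) rather than timing alone.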

The report, which presents a complete observation and analysis of the malware over an extended period of time, provides a resource for cybersecurity teams to help uncover and disarm Enfal. The report states, “By enabling a deeper understanding of the tools, tactics and procedures used by this sophisticated and evasive malware, we believe that security organizations worldwide will be able to improve their defense posture and prepare more effective countermeasures against the likes of Enfal and other complex cyber attacks.”

A comprehensive picture of Enfal’s communications protocols and back-end functionality is available in the full report from Verint.