Security researchers have published a detailed analysis of the custom malware used in a cyber espionage campaign targeting diplomatic, governmental and scientific research organisations.
The “Red October” campaign centres on the Rocra malware used to infect victims’ systems, collect data from different sources and send it to command and control (C&C) servers.
The first report by the researchers covered the anatomy of the attack, a timeline of the operation, the geographical distribution of victims, sinkhole information and an overview of the C&C infrastructure.
The new analysis describes all of the malicious modules and their functionality. Researchers at security firm Kaspersky Lab claim it is the most detailed analysis of a cyber espionage campaign to date.
The analysis was enabled, they said, by setting up several fake victims around the world and monitoring how the attackers handled them over the course of several months.
Based on the analysis of known cases, Kaspersky researchers identified two main ways in which the Rocra malware infects victims' computers.
Both methods rely on spear-phishing e-mails which are sent to prospective victims. The e-mails contain an attachment which is either an Excel or Word document with an enticing name.
The report notes that the Excel-based exploit, CVE-2009-3129, is the oldest known way for Red October to infect computers.
The Excel-based exploit is detected by Kaspersky products as Trojan-Dropper.MSWord.Agent.ga. It was patched by Microsoft in November 2009, but was apparently used mostly in 2011, with several samples uploaded to VirusTotal by victims.
The file properties of all the Excel exploit documents indicate that they were edited on a system running Simplified Chinese Excel. The exploit appears to have been compiled on 26 November 2009, the report said.
The Red October XLS CVE-2009-3129 exploit appears to have been originally developed by Chinese hackers. It was also used in other, unrelated attacks against Tibetan activists and other targets. Its main purpose is to drop and execute a Trojan.
The Word-based exploit and dropper has likewise been observed in many other targeted attacks, for instance against Tibetan activists, and appears to be of Chinese origin just as the XLS exploit does, the report said.
In November 2012, Kaspersky researchers noticed new attacks using document files that exploit CVE-2012-0158. This exploit was extremely popular with APT attacks during 2012.
“It is perhaps no surprise it was also adopted by the Red October gang,” the report said.
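Both infection vectors described above arrive as a legacy binary Office document (.xls or .doc) attached to a spear-phishing e-mail. The following is an added triage example written for this page; it is not code from the article, the Kaspersky report or the attackers' toolkit. Using only the Python standard library, it parses a raw e-mail, extracts every attachment, and flags those whose content is an OLE2 compound document (the container format of those legacy files) regardless of the file name, also reporting when the extension and the content disagree. The sender, recipient, subject, file names and the attachments themselves are constructed for the example; the "spreadsheet" is just a valid OLE2 header padded with zeros and carries no exploit.

```python
"""Triage e-mail attachments for legacy binary Office documents (OLE2 containers).

Added example for this article; not code from the Kaspersky report or from the
attackers' toolkit. It assumes a raw RFC 822 message as input and flags every
attachment that is an OLE2 compound document (the container format of the
.xls/.doc files the campaign mailed), whether or not the file name says so.
"""
import email
import os
from email import policy
from email.message import EmailMessage
from typing import Dict, List, Optional

# Magic number at offset 0 of every OLE2 compound document (.xls, .doc, .ppt).
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Extensions a genuine OLE2 payload is expected to carry.
OFFICE_OLE_EXTENSIONS = {".xls", ".doc", ".ppt", ".xlt", ".dot"}


def ole2_sector_size(data: bytes) -> Optional[int]:
    """Return the sector size declared in the OLE2 header, or None if the header is absent or malformed."""
    if len(data) < 32 or not data.startswith(OLE2_MAGIC):
        return None
    if data[28:30] != b"\xfe\xff":  # byte-order mark: the format requires little-endian
        return None
    shift = int.from_bytes(data[30:32], "little")
    return 1 << shift if shift in (9, 12) else None  # 512 (version 3) or 4096 (version 4) bytes


def triage_attachments(raw_message: bytes) -> List[Dict]:
    """Parse a raw message and describe each attachment; 'suspicious' marks OLE2 payloads."""
    parsed = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in parsed.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        data = part.get_payload(decode=True) or b""
        ext = os.path.splitext(name)[1].lower()
        is_ole2 = data.startswith(OLE2_MAGIC)
        findings.append({
            "filename": name,
            "declared_type": part.get_content_type(),
            "is_ole2": is_ole2,
            "sector_size": ole2_sector_size(data),
            # OLE2 content under a non-Office name, or an Office name without OLE2 content, is a mismatch.
            "extension_mismatch": is_ole2 != (ext in OFFICE_OLE_EXTENSIONS),
            "suspicious": is_ole2,
        })
    return findings


def build_sample_message() -> bytes:
    """Constructed sample: a lure-style e-mail with two fake OLE2 attachments and one text file.

    The OLE2 payload is only a valid 512-byte header followed by zeros; it is not a real
    spreadsheet and contains no exploit. Addresses, subject and file names are hypothetical.
    """
    header = (
        OLE2_MAGIC
        + b"\x00" * 16   # CLSID (unused)
        + b"\x3e\x00"    # minor version
        + b"\x03\x00"    # major version 3
        + b"\xfe\xff"    # byte-order mark, little-endian
        + b"\x09\x00"    # sector shift 9 -> 512-byte sectors
    )
    fake_ole = header + b"\x00" * (512 - len(header))

    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.org"
    msg["Subject"] = "Updated price list"
    msg.set_content("Please review the attached spreadsheet.")
    msg.add_attachment(fake_ole, maintype="application", subtype="vnd.ms-excel",
                       filename="price_list.xls")            # OLE2 content, Office name: consistent
    msg.add_attachment("nothing to see here", filename="notes.txt")  # plain text, not OLE2
    msg.add_attachment(fake_ole, maintype="application", subtype="pdf",
                       filename="report.pdf")                # OLE2 content hidden behind a .pdf name
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in triage_attachments(build_sample_message()):
        print(finding)
```

Run the module directly to print one record per attachment. The magic-number check is a first-pass filter only: it tells you an attachment is a legacy Office container, which is where an exploit for CVE-2009-3129 or CVE-2012-0158 would live, but confirming an exploit requires parsing the workbook or document streams inside the container, which this script does not attempt.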
Beyond the two exploits, the researchers' 140 pages of technical analysis detail 13 further modules used in the operation.
Earlier in the week, the security firm said that, in collaboration with international organisations, law enforcement agencies and Computer Emergency Response Teams (CERTs), it is continuing its investigation of Rocra by providing technical expertise and resources for remediation and mitigation procedures.