Red October exploits patched Excel and Word flaws, experts say

The 'Red October' malware campaign uses patched Microsoft Excel and Word flaws to infect victims' computers, reveals analysis from Kaspersky

Security researchers have published a detailed analysis of the custom malware used in a cyber espionage campaign targeting diplomatic, governmental and scientific research organisations.

The “Red October” campaign centres on the Rocra malware used to infect victims’ systems, collect data from different sources and send it to command and control (C&C) servers.

The first report by the researchers covered the anatomy of the attack, a timeline of the operation, the geographical distribution of victims, sinkhole information and an overview of the C&C infrastructure.

The new analysis describes all malicious modules and their functionality. Researchers at security firm Kaspersky Lab claim the analysis is the most detailed of a cyber espionage campaign to date.

The analysis was enabled, they said, by setting up several fake victims around the world and monitoring how the attackers handled them over the course of several months.

Based on the analysis of known cases, Kaspersky researchers identified two main ways through which the Rocra malware infects the victims' computers.

Both methods rely on spear-phishing e-mails which are sent to prospective victims. The e-mails contain an attachment which is either an Excel or Word document with an enticing name.

The report notes that the Excel-based exploit, CVE-2009-3129, is the oldest known way for Red October to infect computers.

Kaspersky products detect the Excel-based exploit. Microsoft patched the vulnerability in November 2009, but the exploit was apparently used mostly in 2011, with several samples uploaded to VirusTotal by victims.

Chinese provenance

The Excel file properties of all the exploit documents indicate they were edited on a system running Simplified Chinese Excel. The exploit appears to have been compiled on 26 November 2009, the report said.

The Red October XLS CVE-2009-3129 exploit appears to have been originally developed by Chinese hackers. It was also used in other, unrelated attacks against Tibetan activists and other entities. Its main purpose is to drop and execute a Trojan.

The Word-based exploit, CVE-2010-3333, was observed in September and October 2012, although the vulnerability was patched by Microsoft in November 2010.

The same exploit/dropper has been observed in many other targeted attacks, for instance against Tibetan activists. It appears to be of Chinese origin just as the XLS exploit, the report said.

In November 2012, Kaspersky researchers noticed new attacks using document files that exploit CVE-2012-0158. This exploit was extremely popular with APT attacks during 2012. 

“It is perhaps no surprise it was also adopted by the Red October gang,” the report said.
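All three delivery methods described above start with a spear-phishing e-mail carrying an Excel or Word attachment with an enticing name, and one of them (CVE-2010-3333) is an RTF parsing flaw, so the document a victim receives need not be the file type its name suggests. The following triage script is an added example, not code from the Kaspersky report or the campaign's tooling: it classifies an attachment by its leading bytes (OLE compound file, OOXML zip, or RTF) and flags cases where the content contradicts the extension. The expected-container table and the sample attachments are constructed for the example; the CFB header checks (byte-order mark at offset 28, sector shift at offset 30) follow the published compound file format.

```python
"""Attachment triage: classify Office attachments by content, not by name.

Added example (not from the Kaspersky report). The first gate a mail
pipeline should apply to a document attachment is to establish what the
bytes actually are and whether that agrees with the extension the sender
chose, since Word and Excel open a file by sniffing its content.
"""
import os
import struct

# Magic values of the three container formats Office attachments normally use.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # Compound File Binary (.doc/.xls)
ZIP_MAGIC = b"PK\x03\x04"                         # OOXML (.docx/.xlsx) is a zip
RTF_MAGIC = b"{\\rtf"                             # Rich Text Format

# Container a given extension is expected to carry (assumed policy for this example).
EXPECTED = {
    ".doc": {"ole"}, ".dot": {"ole"}, ".xls": {"ole"}, ".xlt": {"ole"},
    ".docx": {"ooxml"}, ".docm": {"ooxml"}, ".xlsx": {"ooxml"}, ".xlsm": {"ooxml"},
    ".rtf": {"rtf"},
}


def sniff(data: bytes) -> str:
    """Return the container type implied by the file's leading bytes."""
    if data.startswith(OLE_MAGIC):
        # A real CFB header is 512 bytes; offset 28 holds the byte-order mark
        # 0xFFFE and offset 30 the sector shift (9 for v3 files, 12 for v4).
        if len(data) >= 512:
            byte_order, sector_shift = struct.unpack_from("<HH", data, 28)
            if byte_order == 0xFFFE and sector_shift in (9, 12):
                return "ole"
        return "ole-malformed"
    if data.startswith(ZIP_MAGIC):
        # Every OOXML package carries a [Content_Types].xml part; its name is
        # stored in the zip's local file header, so a substring check suffices.
        return "ooxml" if b"[Content_Types].xml" in data else "zip"
    if data.lstrip().startswith(RTF_MAGIC):
        return "rtf"
    return "unknown"


def triage(filename: str, data: bytes) -> dict:
    """Classify one attachment and flag when its content contradicts its name."""
    ext = os.path.splitext(filename.lower())[1]
    container = sniff(data)
    expected = EXPECTED.get(ext)
    mismatch = expected is not None and container not in expected
    if container == "ole-malformed":
        reason = "OLE magic with a corrupt or truncated header"
    elif mismatch:
        reason = f"{ext} name but {container} content"
    elif expected is None and container in ("ole", "ooxml", "rtf"):
        reason = "Office document under a non-Office extension"
    else:
        reason = ""
    return {"name": filename, "container": container,
            "mismatch": mismatch, "suspicious": bool(reason), "reason": reason}


# --- Constructed sample attachments (synthetic, not campaign samples) ---
def ole_stub() -> bytes:
    """Minimal 512-byte CFB header: magic, byte-order mark, v3 sector shift."""
    hdr = bytearray(512)
    hdr[:8] = OLE_MAGIC
    struct.pack_into("<HH", hdr, 28, 0xFFFE, 9)
    return bytes(hdr)


SAMPLES = {
    "agenda.xls": ole_stub(),
    "invitation.xls": b"{\\rtf1\\ansi ...}",          # RTF body under an .xls name
    "report.docx": ZIP_MAGIC + b"\x14\x00" * 13 + b"[Content_Types].xml" + b"\x00" * 16,
    "photo.jpg": ole_stub(),                         # Office container under .jpg
    "broken.doc": OLE_MAGIC + b"\x00" * 8,           # magic only, no real header
}


def run_triage(samples=SAMPLES):
    """Triage every sample and return the list of verdict dicts."""
    return [triage(name, data) for name, data in samples.items()]


if __name__ == "__main__":
    for r in run_triage():
        flag = "SUSPICIOUS" if r["suspicious"] else "ok"
        print(f"{r['name']:16} {r['container']:14} {flag:10} {r['reason']}")
```

The check is deliberately content-first: an RTF body named `invitation.xls` is still opened as RTF by Office, which is exactly why a name-based filter misses it. A malformed OLE header is flagged rather than ignored because a truncated or hand-edited compound file is more likely to be crafted than to be a genuine spreadsheet.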

In addition to the exploits, in 140 pages of technical analysis, Kaspersky Lab researchers detail 13 other modules used in the operation.

Earlier in the week, the security firm said that, in collaboration with international organisations, law enforcement agencies and Computer Emergency Response Teams (CERTs), it is continuing its investigation of Rocra by providing technical expertise and resources for remediation and mitigation procedures.
