by Constantine von Hoffman

Powerful ‘Red October’ Malware Attacks Gov’t, Industry

Jan 14, 2013
Cybercrime, Data Breach, Intrusion Detection Software

Kaspersky Labs says new "Red October" malware is as sophisticated as Flame, and it may have been created by criminals—not a nation or country.

Researchers at Kaspersky Labs have identified an incredibly sophisticated cyber-espionage network that targets diplomatic and government agencies. The malware has been dubbed “Red October,” or Rocra.

It has been running for at least five years and during that time it has “successfully infiltrated computer networks at diplomatic, governmental and scientific research organizations, gathering data and intelligence from mobile devices, computer systems and network equipment.”

Kaspersky says Rocra rivals the Flame malware in complexity, and that it contains exploits created by Chinese hackers and malware modules written by Russian speakers. The company believes it is probably not the work of a nation-state, which would mean criminals have created malware every bit as powerful as government-made malware.

“The attackers have been active for at least five years, focusing on diplomatic and governmental agencies of various countries across the world. Information harvested from infected networks is reused in later attacks. For example, stolen credentials were compiled in a list and used when the attackers needed to guess passwords and network credentials in other locations. To control the network of infected machines, the attackers created more than 60 domain names and several server hosting locations in different countries (mainly Germany and Russia). The C&C infrastructure is actually a chain of servers working as proxies and hiding the location of the true ‘mothership’ command and control server.

“The attackers created a multi-functional framework which is capable of applying quick extension of the features that gather intelligence. The system is resistant to C&C server takeover and allows the attacker to recover access to infected machines using alternative communication channels.

“Beside traditional attack targets (workstations), the system is capable of stealing data from mobile devices, such as smartphones (iPhone, Nokia, Windows Mobile); dumping enterprise network equipment configuration (Cisco); hijacking files from removable disk drives (including already deleted files via a custom file recovery procedure); stealing e-mail databases from local Outlook storage or remote POP/IMAP server; and siphoning files from local network FTP servers.”

Rocra is known to have targeted the following industries and entities:

  • Government
  • Diplomatic/embassies
  • Research institutions
  • Trade and commerce
  • Nuclear/energy research
  • Oil and gas companies
  • Aerospace
  • Military

Rocra’s main malware body works as a point of entry into the system which can later download modules used for lateral movement. After initial infection, the malware won’t propagate by itself—typically, the attackers gather information about the network for a few days, identify key systems and then deploy modules which can compromise other computers in the network, by using the MS08-067 exploit, for instance. In general, the Rocra framework is designed for executing “tasks” that are provided by its C&C servers. Most of the tasks are provided as one-time PE DLL libraries that are received from the server, executed in memory and then immediately discarded.
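Tasks that arrive as one-time DLLs, run in memory and are discarded never appear on disk, so file-based scanning misses them. One generic hunting pattern a responder can apply is to walk a process's memory regions and flag executable, non-file-backed regions that begin with a valid PE header. The following is an added example, not Kaspersky's detection logic or anything from the Red October report; the region dictionaries, the sample process (pid 4120) and the minimal PE headers it builds are all constructed here for the demonstration.

```python
"""Hunt for PE images that exist only in memory (reflectively loaded DLLs).

The task-DLL pattern described above (received from C&C, executed in
memory, discarded) leaves no file on disk, but the image itself still
carries an MZ/PE header. Pairing 'executable + not file-backed' regions
with a valid PE header is one way to surface that. The region layout and
all sample data below are constructed for this example; they are not any
vendor's API or data from the original report.
"""
import struct

IMAGE_DOS_SIGNATURE = b"MZ"
IMAGE_NT_SIGNATURE = b"PE\x00\x00"
IMAGE_FILE_DLL = 0x2000                      # Characteristics flag for a DLL
MACHINE_NAMES = {0x014C: "i386", 0x8664: "x86-64"}


def parse_pe_header(data: bytes):
    """Return (machine, characteristics) if data starts with a valid PE header, else None."""
    if len(data) < 0x40 or data[:2] != IMAGE_DOS_SIGNATURE:
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)   # offset of the NT headers
    # 4-byte "PE\0\0" signature followed by the 20-byte IMAGE_FILE_HEADER
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != IMAGE_NT_SIGNATURE:
        return None
    machine, _nsect, _ts, _symtab, _nsyms, _optsize, characteristics = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    return machine, characteristics


def build_pe_image(machine=0x8664, characteristics=0x2022) -> bytes:
    """Construct a minimal, non-functional PE header (DOS stub + NT headers) for the demo."""
    dos = bytearray(0x40)
    dos[:2] = IMAGE_DOS_SIGNATURE
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: NT headers start right after the stub
    file_hdr = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, 0xF0, characteristics)
    return bytes(dos) + IMAGE_NT_SIGNATURE + file_hdr + b"\x00" * 0xF0


def find_unbacked_pe_regions(regions):
    """Flag executable regions that carry a PE header but have no backing file on disk."""
    findings = []
    for region in regions:
        if not region["executable"] or region["mapped_path"]:
            continue                          # legit image mappings and data regions are skipped
        header = parse_pe_header(region["data"])
        if header is None:
            continue                          # executable but not a PE image (JIT, shellcode, etc.)
        machine, characteristics = header
        findings.append({
            "pid": region["pid"],
            "base": region["base"],
            "machine": MACHINE_NAMES.get(machine, hex(machine)),
            "is_dll": bool(characteristics & IMAGE_FILE_DLL),
        })
    return findings


# Constructed sample: a file-backed system DLL, a plain heap buffer, and an
# in-memory DLL with no backing file (the one-time task pattern).
SAMPLE_REGIONS = [
    {"pid": 4120, "base": 0x7FFB1A000000, "executable": True,
     "mapped_path": r"C:\Windows\System32\kernel32.dll", "data": build_pe_image()},
    {"pid": 4120, "base": 0x000001E0C2F00000, "executable": False,
     "mapped_path": None, "data": b"\x00" * 0x200},
    {"pid": 4120, "base": 0x000001E0C3A00000, "executable": True,
     "mapped_path": None, "data": build_pe_image(machine=0x014C)},
]

if __name__ == "__main__":
    for hit in find_unbacked_pe_regions(SAMPLE_REGIONS):
        kind = "DLL" if hit["is_dll"] else "EXE"
        print(f"pid {hit['pid']}: unbacked {hit['machine']} {kind} image at {hit['base']:#x}")
```

On a live system the region list would come from a memory-acquisition or EDR tool; the check itself stays the same. A match is a lead, not a verdict: packers and some legitimate loaders also map images without a file backing, so the hit should be triaged against the process's expected behaviour.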

Rocra has been found on hundreds of computers around the world, including computers in the United States, with the largest number of infections in Russia, Kazakhstan, Azerbaijan, Belgium and India. Interestingly, China does not appear on the list of nations frequently hit by Rocra. Also worth noting: the exploits embedded in the documents used for spear phishing were created by others and had previously been used in cyberattacks against Tibetan activists and against military and energy targets in Asia.