Meet Red October, the latest cyber-spy malware for digital espionage

In October 2012, Kaspersky Lab began looking into yet another digital espionage attack that has been ongoing since 2007. Yesterday, the security firm said the “Red October” campaign targeted “diplomatic and governmental agencies of various countries across the world, in addition to research institutions, energy and nuclear groups, and trade and aerospace targets” for the last five years. However, “Kaspersky Security Network (KSN) detected the exploit code used in the malware as early as 2011.”

The Stuxnet virus was out to sabotage critical infrastructure. Duqu, Gauss and Flame were stealers of information. The Red October attackers also designed the “Rocra” malware for digital espionage, but unlike the automated Flame or Gauss cyber espionage campaigns, the initial documents in the Rocra attacks, according to Kaspersky, were fine-tuned specifically for the victims. It also included some very unique modular architecture such as the “advanced cryptographic spy-modules” with the ability to defeat Acid Cryptofiler encryption used by NATO and some government agencies, as well as a “resurrection module” as a “foolproof” way to “resurrect” infected machines.

Among the key Red October findings, Kaspersky wrote:

Beside traditional attack targets (workstations), the system is capable of stealing data from mobile devices, such as smartphones (iPhone, Nokia, Windows Mobile); dumping enterprise network equipment configuration (Cisco); hijacking files from removable disk drives (including already deleted files via a custom file recovery procedure); stealing e-mail databases from local Outlook storage or remote POP/IMAP server; and siphoning files from local network FTP servers.

H.D. Moore, Rapid7 chief security officer, was interested in the fact that Red October could undelete previously deleted data from USB drives. Moore told NBC News, “The threat is that USB drives are often shared between people, especially at conferences. Even if you take precautions to delete files and you trust the person you are sharing this with, this malware would be able to automatically recover deleted files and siphon them off without either party being aware.”

According to the Kaspersky Lab image showing the first stage of Red October attacks and Kaspersky’s first report:

There is a notable module among all others, which is essentially created to be embedded into Adobe Reader and Microsoft Office applications. The main purpose of its code is to create a foolproof way to regain access to the target system. The module expects a specially crafted document with attached executable code and special tags. The document may be sent to the victim via e-mail. It will not have an exploit code and will safely pass all security checks. However, like with exploit case, the document will be instantly processed by the module and the module will start a malicious application attached to the document.

This trick can be used to regain access to the infected machines in case of unexpected C&C servers shutdown/takeover.

Looking at the Operation Red October map of countries with infections, China seems to be unaffected and uninfected. Although Kaspersky found “malware modules that have been created by Russian-speaking operatives,” the “exploits appear to have been created by Chinese hackers.” Yet Kaspersky doesn’t believe this cyberattack was sponsored by a nation state. “Such information could be traded in the underground and sold to the highest bidder, which can be, of course, anywhere.”

Kaspersky Lab plans to publish part two of its Operation Red October report with the detailed technical findings this week. In the security firm’s initial public notification, it listed these examples of Rocra malware “persistent” tasks:

• Once a USB drive is connected, search and extract files by mask/format, including deleted files. Deleted files are restored using a built in file system parser
• Wait for an iPhone or a Nokia phone to be connected. Once connected, retrieve information about the phone, its phone book, contact list, call history, calendar, SMS messages, browsing history
• Wait for a Windows Mobile phone to be connected. Once connected, infect the phone with a mobile version of the Rocra main component
• Wait for a specially crafted Microsoft Office or PDF document and execute a malicious payload embedded in that document, implementing a one-way covert channel of communication that can be used to restore control of the infected machine
• Record all the keystrokes, make screenshots
• Execute additional encrypted modules according to a pre-defined schedule
• Retrieve e-mail messages and attachments from Microsoft Outlook and from reachable mail servers using previously obtained credentials

Some examples of “one-time” tasks revealed by Kaspersky included extracting Chrome, Firefox, Internet Explorer and Opera browsing history, Windows account hashes for offline cracking, Outlook account info, and saved passwords for websites, FTP servers, mail and IM accounts. Rocra also collected “information about installed software, most notably Oracle DB, RAdmin, IM software including Mail.Ru agent, drivers and software for Windows Mobile, Nokia, SonyEricsson, HTC, Android phones, USB drives.”

As Ars Technica pointed out, the malware behind Red October relied in part on a critical Java vulnerability. Aviv Raff, a researcher with Israel-based Seculert, said the attackers used a PHP script to exploit a hole in Java framework and then secretly executed malicious code on some of the victims’ machines. Even though Oracle had issued a patch in October 2011, the attackers exploited it in February 2012.

It’s no surprise that cyber espionage like other digital attacks exploit vulnerabilities in Java and Windows. It serves as yet another reason to stay on top of the painstaking time-sink of patching holes when updates are made available.

Like this? Here’s more posts:

• Critical Infrastructure Malware Infections: From ICS-CERT report to SCADA Strangelove
• Police State starts in tiny Arkansas town
• IE fix easily broken; Espionage hacker gang has endless supply of zero-days
• Chrome, Firefox, IE to block fraudulent digital certificate
• Don’t faint: Microsoft applauds hacker for Windows RT jailbreaking attempt
• Oracle releases emergency Java patch; experts warn flaws may take 2 years to fix
• Valve’s Steam Box controllers may use biometrics and gaze tracking
• 20 Seconds to jailbreak Windows RT
• Intelligence report predicts IT in 2030, a world of cyborgs with Asia as top power
• Unpatched TRENDnet IP cameras still provide a real-time Peeping Tom paradise

Follow me on Twitter @PrivacyFanatic