January 15, 2013
A global spy ring targeting governmental, diplomatic and scientific research organization computer networks has been uncovered by Kaspersky Lab.
Known as Red October, or Rocra for short, the malware has targeted specific organizations mostly in Eastern Europe, former USSR members and countries in Central Asia, but it has also hit Western Europe and North America, according to a post on SecureList, Kaspersky Lab’s blog.
“Red October is currently still active with data being sent to multiple command-and-control servers, through a configuration which rivals in complexity the infrastructure of the Flame malware,” the blog post reads. “Registration data used for the purchase of C&C domain names and PE timestamps from collected executables suggest that these attacks date as far back as May 2007.”
Kaspersky Security Network compiled a list of countries with the most infections as seen below.
| Country | Infections |
|---|---|
| IRAN; ISLAMIC REPUBLIC OF | 7 |
| UNITED ARAB EMIRATES | 5 |
The malware is sent by means of a spear-phishing e-mail to target specific victims within an organization. Once downloaded, the infected files release a trojan on the PC which then scans the local network to uncover other computers vulnerable to the same attack.
The malware downloads modules, often as .dll libraries, that can later perform a number of “tasks.” The infected device carries out instructions from the command center and then immediately destroys the evidence.
Modules are also often installed on an infected system to steal data from Windows Mobile devices, iPhones and Nokia handsets. Once a mobile device is connected to the victim’s machine, the modules start collecting data from the phone.
“During our investigation, we’ve uncovered over 1,000 modules belonging to 30 different module categories,” the blog reads. “These have been created between 2007 with the most recent being compiled Jan. 8, 2013.”
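Compile dates like those quoted above, and the PE timestamps cited earlier as dating evidence, come from the TimeDateStamp field in each executable's PE/COFF header. The Python below is an added example, not code from Kaspersky or the original article: it reads that field and reports the earliest and latest plausible values across a set of files. The function names and sample headers are constructed for illustration, and since the field can be forged it should be treated as one dating signal among several.

```python
import struct
from datetime import datetime, timezone

def pe_compile_time(data: bytes) -> datetime:
    """Return the COFF TimeDateStamp of a PE image as a UTC datetime."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # offset of "PE\0\0"
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # COFF header: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return datetime.fromtimestamp(stamp, tz=timezone.utc)

def compile_window(images, collected_at):
    """Earliest/latest compile time, plus a count of unusable images.

    Unparsable files, zeroed stamps and stamps later than the collection
    date are counted as suspect instead of skewing the window.
    """
    stamps, suspect = [], 0
    for img in images:
        try:
            t = pe_compile_time(img)
        except ValueError:
            suspect += 1
            continue
        if t.timestamp() == 0 or t > collected_at:
            suspect += 1
            continue
        stamps.append(t)
    if not stamps:
        return None, None, suspect
    return min(stamps), max(stamps), suspect

def build_sample_pe(when: datetime) -> bytes:
    """Constructed minimal DOS + COFF header for the demo, not a real sample."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<HHIIIHH", 0x014C, 0, int(when.timestamp()), 0, 0, 0, 0x2102)
    return bytes(dos) + b"PE\0\0" + coff

if __name__ == "__main__":
    utc = timezone.utc
    # Constructed inputs: dates chosen to mirror the range the article quotes.
    samples = [build_sample_pe(datetime(2007, 5, 1, tzinfo=utc)),
               build_sample_pe(datetime(2013, 1, 8, tzinfo=utc)),
               build_sample_pe(datetime(1970, 1, 1, tzinfo=utc)), b"junk"]
    print(compile_window(samples, datetime(2013, 1, 15, tzinfo=utc)))
```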
Information collected from infected networks is often reused in later attacks, according to Kaspersky. In one instance, stolen credentials were stockpiled for use when the attackers needed to guess passwords and network credentials in other locations.
Red October is able to spy and steal in a number of ways, which Kaspersky has broken down into two groups: persistent tasks and one-time tasks.
Examples of persistent tasks:
• Once a USB drive is connected, search and extract files by mask/format, including deleted files. Deleted files are restored using a built-in file system parser.
• Wait for an iPhone or a Nokia phone to be connected. Once connected, retrieve information about the phone, its phone book, contact list, call history, calendar, SMS messages, browsing history.
• Wait for a Windows Mobile phone to be connected. Once connected, infect the phone with a mobile version of the Rocra main component.
• Wait for a specially crafted Microsoft Office or PDF document and execute a malicious payload embedded in that document, implementing a one-way covert channel of communication that can be used to restore control of the infected machine.
• Record all the keystrokes, make screenshots.
• Execute additional encrypted modules according to a pre-defined schedule.
• Retrieve e-mail messages and attachments from Microsoft Outlook and from reachable mail servers using previously obtained credentials.
Examples of one-time tasks:
• Collect general software and hardware environment information.
• Collect file system and network share information, build directory listings, search and retrieve files by mask provided by the C&C server.
• Collect information about installed software, most notably Oracle DB, RAdmin, IM software including Mail.Ru agent, drivers and software for Windows Mobile, Nokia, SonyEricsson, HTC, Android phones, USB drives.
• Extract browsing history from Chrome, Firefox, Internet Explorer, Opera.
• Extract saved passwords for Web sites, FTP servers, mail and IM accounts.
• Extract Windows account hashes, most likely for offline cracking.
• Extract Outlook account information.
• Determine the external IP address of the infected machine.
• Download files from FTP servers that are reachable from the infected machine (including those that are connected to its local network) using previously obtained credentials.
• Write and/or execute arbitrary code provided within the task.
• Perform a network scan, dump configuration data from Cisco devices if available.
• Perform a network scan within a predefined range and replicate to vulnerable machines using the MS08-067 vulnerability.
• Replicate via network using previously obtained administrative credentials.