Red October - Aurora cannons are no longer fired!

Kaspersky Lab today released a new report describing a cyber espionage campaign that has been targeting diplomatic, governmental and scientific research organizations worldwide for at least five years. The series of attacks is aimed primarily at Eastern European countries, members of the former Soviet Union and Central Asia, but incidents occur everywhere, including Western Europe and North America.

The attackers aim to steal critical documents from organizations, including geopolitical intelligence, credentials required to access computer systems, and personal data from mobile devices and network equipment.

In October 2012, Kaspersky Lab experts launched an investigation into a series of attacks targeting the computer systems of international diplomatic organizations, during which they uncovered a large-scale cyberespionage network. According to Kaspersky Lab's report, the Red October operation, "Rocra" for short, is still active, and its beginning dates back to 2007.

Main research results:

Red October is an advanced cyberespionage network: the attackers have been active since at least 2007 and focus primarily on diplomatic and government agencies around the world, as well as research institutes, energy and nuclear groups, and commercial and aviation organizations. The Red October criminals developed their own malware, which Kaspersky Lab identified as "Rocra". This malicious program has its own unique modular structure: malicious extensions, modules specialized for data theft, and so-called "backdoor" trojans, which provide unauthorized access to the system and thus enable the installation of additional malware and the theft of personal data.

The attackers often use information extracted from infected networks to gain access to additional systems. For example, stolen credentials can provide clues to the passwords or passphrases required to access further systems.

To control the network of infected machines, the attackers created more than 60 domain names and several server hosting systems in different countries, most of them in Germany and Russia. An analysis of Rocra's C&C (Command & Control) infrastructure showed that the chain of servers actually acted as a proxy to hide the location of the "mothership", i.e. the real control server.

Documents stolen from infected systems have the following extensions: txt, csv, eml, doc, vsd, sxw, odt, docx, rtf, pdf, mdb, xls, wab, rst, xps, iau, cif, key, crt, cer, hse, pgp, gpg, xia, xiu, xis, xio, xig, acidcsa, acidsca, aciddsk, acidpvr, acidppr, acidssa. The "acid" extensions may refer to files of the "Acid Cryptofiler" software, which is used by many institutions from the European Union to NATO.
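
To show how a defender might use that extension list, here is an added example (not from the article or from Kaspersky's report) that scans file-access audit lines for a single process bulk-reading the targeted document types, or touching any of the acid* files, within a short window. The audit line format, the process names, the thresholds and the sample lines are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Extensions the article lists as harvested by Rocra, plus the "acid*" family linked to Acid Cryptofiler.
DOC_EXTS = {"txt", "csv", "eml", "doc", "vsd", "sxw", "odt", "docx", "rtf", "pdf",
            "mdb", "xls", "wab", "rst", "xps", "iau", "cif", "key", "crt", "cer",
            "hse", "pgp", "gpg", "xia", "xiu", "xis", "xio", "xig"}
ACID_EXTS = {"acidcsa", "acidsca", "aciddsk", "acidpvr", "acidppr", "acidssa"}
# Assumed (constructed) audit format: "<ISO timestamp> <process> READ <path>"
LINE_RE = re.compile(r"^(\S+) (\S+) READ (.+)$")

def extension(path):
    """Lower-cased extension of a Windows or POSIX path, '' if there is none."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""

def find_bulk_collection(lines, window=timedelta(minutes=5), threshold=5):
    """Return {process: (peak_reads_in_window, acid_reads)} for processes that read
    `threshold` or more targeted files within `window`, or touch any acid* file."""
    reads = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than crash on them
        ext = extension(m.group(3))
        if ext in DOC_EXTS or ext in ACID_EXTS:
            reads[m.group(2)].append((datetime.fromisoformat(m.group(1)), ext in ACID_EXTS))
    flagged = {}
    for proc, events in reads.items():
        events.sort()
        acid_reads = sum(1 for _, acid in events if acid)
        best, j = 0, 0
        for i, (t, _) in enumerate(events):  # sliding window over sorted timestamps
            while t - events[j][0] > window:
                j += 1
            best = max(best, i - j + 1)
        if best >= threshold or acid_reads:
            flagged[proc] = (best, acid_reads)
    return flagged

# Constructed sample: one process sweeps a Documents folder within a few seconds.
SAMPLE_AUDIT = """\
2013-01-14T09:00:01 winword.exe READ C:\\Users\\anna\\report.docx
2013-01-14T09:00:05 svchost.exe READ C:\\Users\\anna\\Documents\\budget.xls
2013-01-14T09:00:06 svchost.exe READ C:\\Users\\anna\\Documents\\memo.doc
2013-01-14T09:00:07 svchost.exe READ C:\\Users\\anna\\Documents\\contacts.wab
2013-01-14T09:00:09 svchost.exe READ C:\\Users\\anna\\Documents\\brief.pdf
2013-01-14T09:00:10 svchost.exe READ C:\\Users\\anna\\Documents\\cable.acidcsa
2013-01-14T09:00:11 svchost.exe READ C:\\Users\\anna\\Pictures\\photo.jpg
"""
```

Running `find_bulk_collection(SAMPLE_AUDIT.splitlines())` flags only the sweeping process; the single document opened by the word processor stays below the threshold.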

Victims

To infect a system, the criminals sent targeted "spear-phishing" emails to the victim carrying a customized Trojan "dropper", a virus that could reproduce on its own. To install the malware and infect the system, the malicious email contained exploits for vulnerabilities in Microsoft Office and Microsoft Excel. The exploits in the phishing message had been created by other attackers and used in various cyber attacks, including those against Tibetan activists and against military and energy targets in Asia. The only thing that makes the document used by Rocra different is the embedded executable, which the attackers replaced with their own code. Notably, one of the commands in the Trojan dropper changed the command line's default system code page to 1251, which is needed to display Cyrillic text.

Targets

Kaspersky Lab experts used two methods to analyze the targets. The first relied on detection statistics from the Kaspersky Security Network (KSN), the cloud-based security service through which Kaspersky Lab's products report telemetry and receive advanced protection in the form of blacklists and heuristic rules. As early as 2011, KSN detected the exploit code used in the malware, which triggered additional monitoring related to Rocra. The researchers' second method was to set up a so-called "sinkhole" system that could be used to track infected systems as they connected to Rocra's C&C servers. The data obtained by the two independent methods confirmed each other.

  • KSN statistics: KSN discovered hundreds of unique infected systems, most belonging to embassies, government networks and organizations, scientific research institutes and consulates. According to the data collected by KSN, the majority of infected systems were in Eastern Europe, but incidents were also identified in North America and in Western European countries such as Switzerland and Luxembourg.
  • Sinkhole statistics: Kaspersky Lab's sinkhole analysis ran from 2 November 2012 to 10 January 2013. During this time, more than 55,000 connections from 250 infected IP addresses in 39 countries were recorded. Most infected IP connections came from Switzerland, Kazakhstan and Greece.

Rocra malware: unique structure and functionality

The attackers created a multifunctional platform that includes a number of plug-ins and malicious files, letting it adapt easily to different system configurations and harvest intelligence from infected machines. This platform is unique to Rocra; Kaspersky Lab has not seen anything similar in previous cyber espionage campaigns. Its main features are:

  • "Resurrection" module: This unique module allows attackers to regain control of infected machines. It is embedded as a plug-in in Adobe Reader and Microsoft Office installations and gives the criminals a fail-safe way to regain access to a targeted system if the main malware body is discovered and removed, or if the system's vulnerabilities are patched. Once the C&Cs are working again, the attackers send a special document file (PDF or Office) to the victim's machine by email, which reactivates the malware.
  • Advanced spy modules: The main purpose of the spy modules is to steal information. This includes files from various encryption systems, such as Acid Cryptofiler, which is used by organizations such as NATO, the European Union, the European Parliament and the European Commission.
  • Mobile devices: In addition to attacking traditional workstations, the malware can also steal data from mobile devices such as smartphones (iPhone, Nokia and Windows Mobile). It also collects configuration data from enterprise network devices such as routers and switches, and recovers deleted files from removable disk drives.

About the attackers: Based on the registration data of the C&C servers and a number of artifacts left in the malware's executable files, strong technical evidence points to a Russian origin for the attackers. In addition, the executable files used by the criminals were unknown until now; Kaspersky Lab experts had not encountered them in their previous cyber espionage analyses.

With its technical expertise and resources, Kaspersky Lab will continue to investigate Rocra in close cooperation with international organizations, law enforcement agencies and National Network Security Centers.

Kaspersky Lab would like to thank the US-CERT, the Romanian CERTs and the Belarusian CERT for their assistance in the investigation.

Kaspersky Lab's products successfully detect, block and remediate the malware, which is classified as Backdoor.Win32.Sputnik.

About the Author

s3nki

Owner of the HOC.hu website. He is the author of hundreds of articles and thousands of news items. In addition to various online outlets, he has written for Chip Magazine and for PC Guru. For a time he ran his own PC shop, and alongside journalism he worked for years as a store manager, service manager and system administrator.