Cyber espionage against the governments of many countries. Kaspersky's research lab was the first to find the threat. During the past five years, a high-level cyber-espionage campaign has been running successfully, stealing classified and sensitive information. It is suspected that the attack comes from either Russian or Chinese hackers.
Red October targeted a number of sectors:
- Diplomatic / embassies
- Research institutions
- Trade and commerce
- Nuclear / energy research
- Oil and gas companies
The attack spread via an infected RTF file (a Word document).
The exploits used for the attack were:
- CVE-2009-3129 (MS Excel) [attacks dated 2010 and 2011]
- CVE-2010-3333 (MS Word) [attacks conducted in the summer of 2012]
- CVE-2012-0158 (MS Word) [attacks conducted in the summer of 2012]
Interestingly, the name Red October was inspired by the novel “The Hunt for Red October”, and it was probably chosen because the campaign started in the month of October.
Interesting text from the malware, with misspelt words and typos:
- network_scanner: “SUCCESSED”, “Error_massage”, “natrive_os”, “natrive_lan”
- imapispool: “UNLNOWN_PC_NAME”, “WinMain: error CreateThred stop”
- mapi_client: “Default Messanger”, “BUFEER IS FULL”
- msoffice_plugin: “my_encode my_dencode”
- winmobile: “Zakladka injected”, “Cannot inject zakladka, Error: %u”
- PswSuperMailRu: “——-PROGA START—–”, “——-PROGA END—–”
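The misspelt strings above are the kind of indicator a defender turns into a triage check. The following is an added example, not code from the original post or from Kaspersky: it scans a byte buffer for those module strings in both ASCII and UTF-16LE form (Windows binaries often store wide strings) and flags a sample when several distinct modules match. The sample bytes are constructed, and the dash count in the "PROGA START" banner is treated as uncertain, so only its core text is matched.

```python
# Added example (not from the original post): lightweight triage scan for the
# Red October module strings quoted above. Sample input below is constructed.

# Indicator strings grouped by the module the post attributes them to.
INDICATORS = {
    "network_scanner": ["SUCCESSED", "Error_massage", "natrive_os", "natrive_lan"],
    "imapispool": ["UNLNOWN_PC_NAME", "WinMain: error CreateThred stop"],
    "mapi_client": ["Default Messanger", "BUFEER IS FULL"],
    "msoffice_plugin": ["my_encode my_dencode"],
    "winmobile": ["Zakladka injected", "Cannot inject zakladka, Error: %u"],
    # The exact dash count of the banner is ambiguous in the post, so match the core text.
    "PswSuperMailRu": ["PROGA START", "PROGA END"],
}


def scan_buffer(data: bytes) -> dict:
    """Return {module: [(indicator, encoding, offset), ...]} for every hit.

    Windows binaries frequently store strings as UTF-16LE, so each indicator is
    searched in both its ASCII and its UTF-16LE encoding.
    """
    hits = {}
    for module, strings in INDICATORS.items():
        for s in strings:
            for enc in ("ascii", "utf-16-le"):
                needle = s.encode(enc)
                pos = data.find(needle)
                while pos != -1:
                    hits.setdefault(module, []).append((s, enc, pos))
                    pos = data.find(needle, pos + 1)
    return hits


def triage(data: bytes, min_modules: int = 1) -> bool:
    """Flag the buffer when indicators from at least `min_modules` distinct modules appear.

    Requiring more than one module reduces false positives from a lone misspelling
    that could occur in unrelated software.
    """
    return len(scan_buffer(data)) >= min_modules


# Constructed sample: junk bytes with one ASCII and one UTF-16LE indicator embedded.
SAMPLE = (b"\x00MZ\x90garbage" + b"Error_massage\x00" + b"\x00" * 8
          + "BUFEER IS FULL".encode("utf-16-le") + b"\x00tail")

if __name__ == "__main__":
    for module, found in scan_buffer(SAMPLE).items():
        for s, enc, off in found:
            print(f"{module}: {s!r} ({enc}) at offset {off}")
    print("suspicious:", triage(SAMPLE, min_modules=2))
```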
The C++ class that holds the C&C configuration parameters is called “MPTraitor” and the corresponding configuration section in the resources is called “conn_a”. Some examples include:
Information stolen from infected systems includes documents with extensions:
txt, csv, eml, doc, vsd, sxw, odt, docx, rtf, pdf, mdb, xls, wab, rst, xps, iau,
cif, key, crt, cer, hse, pgp, gpg, xia, xiu, xis, xio, xig, acidcsa, acidsca,
aciddsk, acidpvr, acidppr, acidssa.
A list of MD5s of known documents used in the Red October attacks: