In 2013, the Red October attack was discovered by Kaspersky; it had been active since 2007. This malware campaign infiltrated computer networks at diplomatic, governmental and scientific research organisations, gathering data and intelligence from mobile devices, computer systems and network equipment. The Red October cyber-attack targeted workstations, mobile devices such as smartphones, enterprise network equipment such as Cisco devices, and removable disk drives.
IMPACT OF RED OCTOBER ATTACK
According to Kaspersky researchers, the victims of this attack were divided into 8 groups, which are:
- Embassies and Diplomatic Agencies
- Universities and Research Firms
- Commercial Organisations
- Nuclear Energy Labs
- Oil and Gas Companies
- Aerospace Institutions
Their goal was to gather sensitive files from the compromised organisations, such as geopolitical intelligence, credentials of high-profile and significant persons, and data from personal mobile devices and network equipment. The malware also recovered deleted files using a custom file recovery procedure.
This malware was able to install any of 34 modules after the initial infection. The following figure summarises the types of modules, their names and functions:
Figure 1 Red October Modules
The following file and document extensions were targeted by Red October:
txt, csv, eml, doc, vsd, sxw, odt, docx, rtf, pdf, mdb, xls, wab, rst, xps, iau, cif, key, crt, cer, hse, pgp, gpg, xia, xiu, xis, xio, xig, acidcsa, acidsca, aciddsk, acidpvr, acidppr, acidssa.
Type of Attackers
According to the researchers, the ROCRA exploits appear to have been created by Chinese hackers, while the malware modules were created by Russian-speaking operatives.
Scalability of Red October
The Kaspersky Security Network (KSN) performed sinkhole analysis from November 2, 2012 to January 10, 2013. The team found more than 55,000 connections from 250 infected IP addresses registered in 39 countries. Most of the infected IP connections were located in Switzerland, followed by Kazakhstan and Greece. The majority of infections were located in Eastern Europe, but infected machines were also found in North America and Western Europe.
Figure 2 Red October Infection Map
Level of Technical Sophistication
To create this cyber-attack, the attackers must have been experienced in malware analysis and Trojan coding. They must have been able to understand and use both high-level and low-level programming, networking fundamentals, operating system fundamentals and internet-based reconnaissance, and must also have been expert in assembly language and malware tools. The following list shows a few of the tools used by malware experts:
- Disassembler – IDA Pro
- Debugger – OllyDbg, WinDbg
- System Monitor – Process Monitor, RegShot, Process Explorer
- Network Monitor – TCP View, Wireshark
- Packer Identifier – PEID
- Unpacking Tools – Qunpack, GUNPacker
- Binary Analysis Tools – PE Explorer, Malcode Analysts Pack
- Code Analysis Tools – LordPE, ImpRec
The Red October attackers performed detailed reconnaissance before launching the attack. They used various modules to gather overall information about their targets. These modules identified vulnerable machines in the network and evaluated how valuable the data on them might be. This also helped them decide which exploits and modules to use on a particular machine during the attack. For example, Kaspersky researchers found that the attackers used a module to scan the Local Area Network (LAN) for machines vulnerable to MS08-067.
ROCRA used spear phishing for the initial infection of the targeted machine. The spear phishing targeted specific organisations based on known information: during reconnaissance, all available information about the target was gathered, and the phishing email was then designed around the target's interests. When the target opened the email, the initial modules were installed on the system.
How did the system fail?
If the system's security had been strong enough to prevent any kind of installation without the user's permission, no Red October infection module would have been installed. Therefore, the security of network machines should prevent any foreign module from being installed without proper authentication.
Types of Access Rights Required
The only access the ROCRA malware needed was to install a module on the targeted machine. Once the infection module was installed without obstruction, it was free to roam and perform all its tasks and execute the various exploit modules.
This attack used known vulnerabilities in Microsoft Office, PDF and Java. Some of these vulnerabilities are:
- Microsoft Excel CVE-2009-3129
- Microsoft Word CVE-2010-3333
- Microsoft Word CVE-2012-0158
- Java – Rhino exploit (CVE-2011-3544)
The attackers sent the targeted spear-phishing email, which included a customised Trojan dropper, to the victim. The user would open the email and click the malicious link, and the malware was inserted into the machine. Moreover, it was found that each malware build was unique to its target and each e-mail was tailor-made for the target.
The exploits used in the spear-phishing emails were originally created by other attackers and had been used against Tibetan activists as well as military and energy-sector targets in Asia. Only the executable file embedded in the document was changed by ROCRA and replaced with the attackers' own code. For example, the Trojan dropper contained one command which changed the default system codepage of the command prompt session to 1251, which is required to render Cyrillic fonts.
Figure 3 Infection of Machine by ROCRA Attack
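As an added defender-side example, not part of the original post: the dropper behaviour described above (a command shell spawned from a document reader that switches the codepage to 1251) can be expressed as a process-creation detection. The events below are constructed Sysmon-style records, the reader list and the `chcp 1251` command form are assumptions based on the post's description, and the severity tiers are my own.

```python
import re

# Constructed process-creation events (Sysmon-style fields); not real telemetry.
SAMPLE_EVENTS = [
    {"pid": 1204, "image": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "parent": r"C:\Windows\explorer.exe", "cmdline": r'"WINWORD.EXE" report.doc'},
    {"pid": 1311, "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "cmdline": r'cmd.exe /c chcp 1251 && "%TEMP%\svchost.exe"'},
    {"pid": 1400, "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": r"cmd.exe /k chcp 1251"},
    {"pid": 1502, "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Program Files\Adobe\Reader\AcroRd32.exe",
     "cmdline": r"cmd.exe /c chcp 437 && dir"},
]

# Assumed set of document readers matching the Office, PDF and Java vectors in the post.
DOCUMENT_READERS = {"winword.exe", "excel.exe", "acrord32.exe", "java.exe", "javaw.exe"}
# Assumed form of the codepage change the post describes ("codepage ... to 1251").
CHCP_1251 = re.compile(r"\bchcp\s+1251\b", re.IGNORECASE)


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return a severity for one process-creation event."""
    child_is_cmd = basename(event["image"]) == "cmd.exe"
    sets_1251 = bool(CHCP_1251.search(event["cmdline"]))
    parent_is_reader = basename(event["parent"]) in DOCUMENT_READERS
    if child_is_cmd and sets_1251 and parent_is_reader:
        return "high"    # reader -> cmd -> codepage 1251: the dropper chain itself
    if child_is_cmd and parent_is_reader:
        return "medium"  # a document reader spawning a shell is suspicious on its own
    if sets_1251:
        return "low"     # codepage change from a normal parent: benign on Cyrillic hosts
    return "none"


def triage_process_events(events):
    """Map pid -> severity for every event that is not clean."""
    return {e["pid"]: classify(e) for e in events if classify(e) != "none"}
```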
POINT OF ENTRY
The main point of entry into the infected system is the main malware body, which can later download the modules used for lateral movement. Usually, the malware does not propagate itself after the initial infection; instead, the attackers first gather all the necessary data and information about the infected network for a few days. They identify key systems and deploy the relevant modules which can compromise other computers in the network, such as the MS08-067 exploit. There were more than 60 different domains hardcoded in the malware to communicate with C&C servers.
In other words, the ROCRA framework was designed to execute tasks ordered by the C&C servers. Most of these tasks are one-time PE DLL libraries which are sent by the server, executed in memory and then discarded immediately. However, several tasks need to remain in the system, for example waiting for an iPhone or Nokia phone to connect. Such tasks take the form of PE EXE files and are installed on the infected machine. Moreover, the ROCRA malware contained components which infected machines on the local network without any initial phishing attack.
ROCRA assigned each infected machine its own unique ID. This enabled the attackers to learn their targets' behaviours and patterns and then tailor their attacks accordingly. The attackers also installed the malware as PDF and Office plugins so that they could regain communication with the machine if the malware was ever uninstalled.
Command and Control of ROCRA
The Kaspersky researchers attempted to locate the command and control infrastructure of the ROCRA malware. The domains they found pointed to IP addresses which were proxies. During the investigation, all of the requests were found to be forwarded to port 40080 using the Socat tool. The team confirmed a total of 10 different proxy servers pointing to 3 “mini-motherships”, but was unable to verify whether these mini-motherships were the actual end points or proxies themselves. Socat is a network utility similar to netcat; it supports IPv6 and SSL and is available for both Windows and Linux.
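An added triage example, not from the original post or Kaspersky's analysis: it scans a constructed outbound-connection log for the C&C traits described above (destination port 40080, contact with one of the hardcoded C&C domains, and evenly spaced beaconing from a host). The domain list is a labelled placeholder, since the post does not reproduce the real one, and the beacon tolerance is my assumption.

```python
from collections import defaultdict
from datetime import datetime

# Constructed outbound connection log: (timestamp, source host, destination, dst port).
SAMPLE_CONNECTIONS = [
    ("2012-11-02T09:00:00", "ws-017", "203.0.113.10", 40080),
    ("2012-11-02T09:15:00", "ws-017", "203.0.113.10", 40080),
    ("2012-11-02T09:30:00", "ws-017", "203.0.113.10", 40080),
    ("2012-11-02T09:45:00", "ws-017", "203.0.113.10", 40080),
    ("2012-11-02T09:02:00", "ws-021", "198.51.100.7", 443),
    ("2012-11-02T09:05:00", "ws-021", "c2-domain-placeholder.example", 80),
    ("2012-11-02T10:00:00", "ws-033", "203.0.113.10", 40080),
]

# Placeholder for the 60+ hardcoded C&C domains mentioned in the post; not the real list.
KNOWN_C2_DOMAINS = {"c2-domain-placeholder.example"}
C2_PORT = 40080  # port the proxies forwarded requests to, per the post


def beacon_interval(timestamps, tolerance_s=60):
    """Return the mean gap in seconds if >=3 connections are evenly spaced, else None."""
    if len(timestamps) < 3:
        return None
    ts = sorted(datetime.fromisoformat(t) for t in timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    if max(gaps) - min(gaps) <= tolerance_s:   # assumed jitter tolerance
        return round(sum(gaps) / len(gaps))
    return None


def triage_connections(connections):
    """Map each source host to the sorted list of reasons it resembles a Rocra client."""
    findings = defaultdict(set)
    by_pair = defaultdict(list)
    for ts, src, dst, port in connections:
        if port == C2_PORT:
            findings[src].add("port_40080")
        if dst in KNOWN_C2_DOMAINS:
            findings[src].add("known_c2_domain")
        by_pair[(src, dst)].append(ts)
    for (src, dst), stamps in by_pair.items():
        interval = beacon_interval(stamps)
        if interval is not None:
            findings[src].add(f"beacon_{interval}s")
    return {src: sorted(reasons) for src, reasons in findings.items()}
```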