Inside the 1,000 Red October Cyberespionage Malware Modules

The Red October espionage malware campaign is providing security researchers with a deep dive into the complexity of targeted attacks, which in this case made use of more than 1,000 malware modules for everything from reconnaissance on targets to exfiltration of data to command and control servers.


The moving parts behind Red October are vast and have been under wraps for the better part of five years, Kaspersky Lab researchers revealed this week. The attackers behind this campaign targeted victims in 39 countries, primarily diplomats, researchers and military facilities among other institutions since August 2007. They stole reams of data and used exploits for known Microsoft vulnerabilities, constantly uploading their loot to a network of 60 command and control servers—a number that rivals the 90-plus domains used by the Flame cyberespionage campaign.

Kaspersky was able to sinkhole a half dozen of those domains and, over a two-month period, watch 250 unique IP addresses connect more than 55,000 times. What they found was a fascinating mix of tasks mandated by the attackers, some of which remained persistent on compromised machines, while others were one-time operations. Most noteworthy is that attacks were tailored for particular victims, each with a unique identifier that enables the attacker to cobble together a complete picture of the victim’s system configuration, browsing habits and more, and to manage each attack individually if need be.

“This campaign is extraordinary in terms of the amount of effort that was invested to tailor the attack toolset for victims’ environments,” said senior security researcher Kurt Baumgartner.

Most of the tasks assigned by the attacker via backdoors installed during initial infection are one-time operations delivered by a portable executable (PE) DLL that are executed in memory and discarded, Kaspersky said today in an expanded report on the campaign.

Other tasks require a persistent presence on a machine and are delivered as PE EXE files. The attackers are using these persistent tasks to continually log keystrokes, record screenshots, retrieve email messages from Outlook or execute malicious payloads embedded in any of the Office-document exploits used to establish backdoor communication with the C&C servers.

Unique among the persistent modules are those that are related to USB drives and mobile devices.

For example, one module will search and extract files and deleted files from a USB drive once it is connected to a compromised machine. Deleted files are restored and exfiltrated. Another module waits for an iPhone or Nokia smartphone to connect to the machine, then grabs device information, including contact information, call history, SMS messages, calendars and more. There is also a Windows Mobile module, which once one of those devices connects, infects the phone with a mobile version of the malware.

The campaign also targets documents with the acid* extension, which Kaspersky said refers to the classified Acid Cryptofiler software used by the European Union and NATO.

“There is an incredible amount of functionality here that is new,” Baumgartner said. “It’s unusual to see it all in one campaign.”

Some of the one-time tasks include: collecting device hardware and software specs; collecting filesystem and network share information; collecting information on installed software, including Oracle Database, messaging software, and drivers and software for mobile devices and USB drives; and extracting browsing history from all leading browsers, saved passwords for websites, mail and IM accounts, Windows account hashes, and Outlook account information. Others include the ability to download files from FTP servers reachable from the infected machine, to write and execute code supplied by the attacker, to perform network scans and dump configuration data from Cisco devices, and to scan the network for other computers vulnerable to the same exploit used by Conficker (MS08-067).

In all there are nine module groups discovered in this campaign: reconnaissance; password or credential harvesting; email; USB drive; keyboard; persistence; propagation; mobile; and data exfiltration.

Kaspersky was alerted to the Red October campaign by a partner reporting a spear phishing campaign. Four exploits have been used in the attack: one targeting CVE-2009-3129 using a malicious Microsoft Excel document, and two others using Word documents exploiting CVE-2010-3333 or CVE-2012-0158. The fourth is a Java exploit discovered by researchers at Seculert. All of the Office exploits were used in previous attacks against Tibetan activists and military and energy targets in Asia, Kaspersky said.

Most of the 60 C&C domains are in Russia and Germany, while the victims are worldwide, with most of the IP addresses connecting from Switzerland, Kazakhstan, Greece and Belarus. The attacks have not been attributed as of yet. A heat map of the attacks showed victims across the globe but none in China, leading to speculation that the Chinese could be behind the campaign. But Kaspersky researcher Costin Raiu cautioned today on the Digital Underground podcast that because the company was able to sinkhole only six domains, they may not be seeing the complete infection picture.

The campaign, meanwhile, may be shutting down, Raiu said, adding that the infrastructure is being taken offline, with registrars killing the 60 domains and hosting companies killing the C&C servers.
