"Red October" spy campaign uncovered, rivals Flame virus

Share this article:
Researchers have discovered that various high-level entities – from government bodies and embassies to energy and nuclear research groups – have been the targets of a five-year cyber espionage campaign that remains ongoing.

Organizations left in the path of “Rocra,” malware used in the campaign dubbed "Red October”, include those primarily in Eastern Europe, more specifically, former Soviet republics, though infections also have been scattered throughout Central Asia, North America and Western Europe, according to Kaspersky Lab, which discovered the campaign after an unnamed client requested the firm investigate a spear phishing attack.

Named after the submarine in Tom Clancy's novel The Hunt for Red October, the campaign deploys malware to steal sensitive information, including files encrypted by Acid Cryptofiler, classified software used to safeguard confidential data maintained by such organizations as the European Union, the North Atlantic Treaty Organization (NATO) and European Parliament.

Impacted endpoints include not only workstations, but mobile devices that become infected when users connect them to compromised machines. Kaspersky published a blog post Monday saying 35 organizations were compromised in Russia, 21 in Kazakhstan, and six in the United States.

Rocra makes its way to victims by way of targeted emails crafted for specific individuals within organizations. Attackers attached Microsoft Word or Excel files containing Rocra, which exploits three now-patched vulnerabilities in the programs, CVE-2009-3129 in Excel, CVE-2010-3333 and CVE-2012-0158 in Word.

The malware steals an extensive list of specific types of documents or files, including txt, docx, doc and, more notably, “acid” extensions that denote those created using Acid Cryptofiler software. Rocra is also capable of stealing data from removable disk drives – even files that have been deleted through a recovery process – and emails from Outlook storage and remote or local network servers.

Kaspersky researchers also found the malware was able to “resurrect” on machines where Rocra has been removed, as a module of the trojan is embedded in Adobe Reader and Microsoft Office plug-ins to send a phishing email to victims to start the infection process all over again.

Because of the registration information identified on command-and-control servers, researchers believe Red October attackers are a Russian-speaking group. Perpetrators have used a complex network of servers and more than 60 domain names to hide the whereabouts of their infrastructure.

Page 1 of 2
Share this article:

Sign up to our newsletters

More in News

Hackers target video game companies to lift copy protections and develop cheats

A threat group is targeting video game companies in order to lift DRM protections, develop cheats and possibly to steal source code.

Android malware spreads via mail tracking SMS spam

The mobile malware is currently targeting German users, McAfee revealed.

About 2,800 victims of worldwide info-stealing campaign targeting various sectors

About 2,800 victims of worldwide info-stealing campaign targeting ...

Unknown attackers have claimed about 2,800 victims in an ongoing information-stealing campaign identified by Kaspersky Lab as "Crouching Yeti."