Red October spy ring also used “Rhino” Java exploit

A cyber espionage campaign that was recently unearthed by researchers used a now-patched vulnerability in Java software as another tool to exploit victims' machines.

Security firm Seculert published a blog post Tuesday saying that the "Red October" spy campaign, in addition to leveraging weaknesses in Microsoft Office, also spread malware by taking advantage of a Java flaw in the Rhino Script Engine, CVE-2011-3544, fixed in October 2011.

“After investigating the command-and-control servers used in the Red October campaign, Seculert identified a special folder used by the attackers for an additional attack vector,” said the blog post. “In this vector, the attackers sent an email with an embedded link to a specially crafted PHP web page. This web page exploited a vulnerability in Java...and in the background downloaded and executed the malware automatically.”

Seculert researchers believe the Java exploit tactic was used in February 2012.

On Monday, Kaspersky announced that a trojan known as Rocra was being used in an ongoing operation targeting high-level entities across several industries, including governments and embassies. Over at least five years, infections have primarily hit organizations in Eastern Europe, but have also been dispersed throughout Central Asia, North America and Western Europe.

Kaspersky found that Rocra was delivered in attached Microsoft Word or Excel files sent to specific individuals at organizations via spear phishing attacks. Rocra exploited three Office vulnerabilities: CVE-2010-3333, CVE-2012-0158, and CVE-2009-3129, which all have available patches.

In a Wednesday blog post, Kaspersky also said the Java attack vector had been used by Red October perpetrators, but that they likely used that exploit less frequently than the Office bugs.

Throughout the campaign, Rocra has infected workstations as well as mobile devices that were connected to compromised machines, impacting organizations across the globe, including 35 in Russia, 21 in Kazakhstan and six in the United States.

Named after the submarine in Tom Clancy's novel The Hunt for Red October, the campaign deploys malware to steal sensitive information, including files encrypted by Acid Cryptofiler, classified software used to safeguard confidential data maintained by such organizations as the European Union, the North Atlantic Treaty Organization (NATO) and European Parliament.

“We could speculate that the group successfully delivered their malware payload to the appropriate target(s) for a few days, then didn't need the effort any longer,” the Kaspersky blog post said of the Java attack method. “[This] may also tell us that this group, which meticulously adapted and developed their infiltration and collection toolset to their victims' environment, had a need to shift to Java from their usual spear phishing techniques in early February 2012.”