Threat Intelligence

Stealthy ‘Inception’ attack framework detailed; possible return of ‘Red October’ group

Nothing about the newly discovered ‘Inception' attack framework is clear. The malware comes from a spear phishing email, but the email senders remain masked, clouded by intentionally placed clues to throw off anyone keen to their existence. 

They could be in India, as evidenced by the use of Hindi in some of their Android malware. They could be in the Middle East, as evidenced by the use of Arabic in text strings in their BlackBerry malware. They could even be in the U.K. because the string “God_Save_The_Queen” was found in their Blackberry malware.

Wherever they are, one thing is certain: this framework and its perpetrators are taking extreme measures to stay hidden. Their targets aren't exactly low-key, either. Most of the group's endeavors have been aimed at the finance sector in Russia; the oil and energy industry in Romania, Venezuela and Mozambique; and embassies and diplomats from various countries. Blue Coat researchers have detailed their findings on Inception in a recent white paper, and have made clear that this attack has left plenty to investigate.

“They've (the attackers) thrown things in there to throw off anyone that might be onto them,” said Waylon Grange, senior malware researcher, Blue Coat Systems, Inc. in a Tuesday interview with “They have a different malware component attributed to China because they want researchers to believe this is China. Sometimes they have Hindi code or words, but we think it's meant to throw us off. Because they keep putting these red herrings in, it's hard for me to trust any of the hints they've left behind.”

The perpetrators behind ‘Inception' capitalize on two vulnerabilities in Rich Text Format (RTF): CVE-2014-1761 and CVE-2012-0158. Primarily through phishing emails containing a malicious payload that is disguised as a legitimate news story, for instance, the attackers infect their targets and then unknowingly send the victim's files back to the command-and-control servers (C&C), which in this instance, are multiple cloud accounts with Once the malware has established its connection with a cloud account, it also checks configured subfolders for updates, and if some exist, they will be downloaded, decrypted and used, according to the white paper.

This methodology adds to the mystery surrounding the perpetrators.

“(Using the cloud) requires deeper inspection,” said Grange. “It doesn't point directly at them. It points to Google Drive (for instance), and there's no way of saying who's at the other end of that. It's another way to protect their identity as well.”

Each night, Grange said, the attackers communicate with the infected devices and task them to do something new. Encrypted data goes back and forth, but what is being said remains unclear.

Plus, connections are routed through multiple home routers that the group has compromised. Many are located in South Korea, but considering how many bread crumbs have been left scattered behind, that doesn't mean much.

Although the group initially started out with phishing emails, they've now taken to targeted text messages to infect mobile devices.

Once infected, a victim's phone can be used to record conversations on Android phones, in addition to collecting location data, contacts, and account data. They've also created malware for iOS and BlackBerry. Every victim's conversations and day-to-day workings can be observed.

At least 100 different places have been compromised, said Grange, and the attackers have likely compromised more or have backed out of their systems.

Piecing together all the clues, both Blue Coat and Kaspersky Labs have made a possible connection to Red October, a massive espionage operation that infected hundreds of victims in multiple countries, including Russia. The group shut down its operations after Kaspersky outed it, but 'Inception' could mark its return.

Even keeping the similarities between the groups in mind, Blue Coat researchers noted that Inception's code is fully rewritten and the coding style is different, making it hard to believe the same programmers would be involved in both operations. However, though, not enough is known to come to any concrete conclusions.

“The amount of red herrings that exist show that they've given some thought and know somebody will eventually see this,” Grange said. “They've put a lot of steps in here to throw off researchers, which is something, typically, that hasn't been done. It's also an eye opener for researchers; every bread crumb or hint we find in malware needs to be scrutinized.”

Grange then asked:  “Is this a legitimate hint or just a red herring?”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.