Organizations caught in the path of “Rocra”, the malware used in the campaign dubbed “Red October”, are mostly in Eastern Europe, and more specifically in the former Soviet republics, though infections have also been found scattered across Central Asia, North America and Western Europe, according to Kaspersky Lab, which discovered the campaign after an unnamed client asked the firm to investigate a spear-phishing attack.
Named after the submarine in Tom Clancy's novel The Hunt for Red October, the campaign deploys malware to steal sensitive information, including files encrypted with Acid Cryptofiler, classified software used to protect confidential data at organizations such as the European Union, the North Atlantic Treaty Organization (NATO) and the European Parliament.
Affected endpoints include not only workstations but also mobile devices, which the malware reaches when users connect them to compromised machines. Kaspersky published a blog post Monday saying 35 organizations were compromised in Russia, 21 in Kazakhstan and six in the United States.
Rocra reaches victims through targeted emails crafted for specific individuals within an organization. The attackers attach Microsoft Word or Excel files that carry Rocra and exploit one of three now-patched vulnerabilities: CVE-2009-3129 in Excel, CVE-2010-3333 in Word's RTF parser, and CVE-2012-0158, a flaw in the MSCOMCTL ActiveX control that is reached through a Word document. Since fixes for all three had shipped before the campaign was exposed, the lures depended on targets running out-of-date Office installations rather than on any zero-day.
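A practitioner reading the paragraph above would want a way to triage inbound Office attachments for these delivery vectors before they reach a mailbox. The script below is an added example written for this page; it is not code from the article, from Kaspersky or from the Rocra samples. It classifies an attachment by container magic rather than by filename, then applies two heuristics that are assumptions for this example and not a vetted signature set: an RTF that sets the "pFragments" shape property (the code path CVE-2010-3333 abuses) and an RTF or OLE document that references the MSCOMCTL ActiveX library (the control CVE-2012-0158 lives in). It also flags a .docx or .xlsx name wrapping a legacy RTF or OLE container, since the exploits need the old parsers while the filename only needs to look ordinary. The sample attachments are constructed inline and are not real malware.

```python
import re
from dataclasses import dataclass, field

# Container magic bytes (real values).
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # CFB container: legacy .doc / .xls
RTF_MAGIC = b"{\\rtf"
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML (.docx / .xlsx) is a ZIP

OOXML_EXT = {".docx", ".xlsx"}
OFFICE_EXT = OOXML_EXT | {".doc", ".xls", ".rtf"}

# Heuristic markers. These are assumptions chosen for this example, not a
# vetted signature set: CVE-2010-3333 is triggered through the RTF
# "pFragments" shape property, and CVE-2012-0158 is reached through the
# MSCOMCTL ActiveX library, whose ProgIDs start with "MSComctlLib".
PFRAGMENTS_RE = re.compile(rb"\\sn\s*pFragments", re.IGNORECASE)
MSCOMCTL_RE = re.compile(rb"MSComctlLib", re.IGNORECASE)


@dataclass
class Verdict:
    filename: str
    container: str
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def container_type(data: bytes) -> str:
    """Classify by magic bytes, ignoring whatever the filename claims."""
    if data.startswith(OLE_MAGIC):
        return "ole"
    if data.startswith(RTF_MAGIC):
        return "rtf"
    if data.startswith(ZIP_MAGIC):
        return "ooxml"
    return "unknown"


def extension(filename: str) -> str:
    _head, sep, tail = filename.lower().rpartition(".")
    return "." + tail if sep else ""


def triage(filename: str, data: bytes) -> Verdict:
    kind = container_type(data)
    ext = extension(filename)
    v = Verdict(filename, kind)
    # A modern-extension name wrapping a legacy parser's format is a lure
    # pattern: the exploit needs the old RTF/OLE code path, the name only
    # needs to look normal. (A .doc that is really RTF is common and legal,
    # so that direction is deliberately not flagged.)
    if ext in OOXML_EXT and kind in ("ole", "rtf"):
        v.reasons.append(f"{ext} name but {kind} container")
    if ext in OFFICE_EXT and kind == "unknown":
        v.reasons.append("Office extension but unrecognised container")
    if kind == "rtf" and PFRAGMENTS_RE.search(data):
        v.reasons.append("RTF pFragments shape property (CVE-2010-3333 code path)")
    if kind in ("rtf", "ole") and MSCOMCTL_RE.search(data):
        v.reasons.append("references MSCOMCTL ActiveX library (CVE-2012-0158 vector)")
    return v


# Constructed sample attachments (not real malware): just enough bytes to
# exercise each rule.
SAMPLES = {
    "report.docx": ZIP_MAGIC + b"\x14\x00\x00\x00[Content_Types].xml",
    "budget.xls": OLE_MAGIC + b"\x00" * 24,
    "agenda.doc": b"{\\rtf1\\ansi{\\shp{\\sp{\\sn pFragments}{\\sv 9;2;ffffffff}}}}",
    "invite.docx": b"{\\rtf1\\ansi{\\object\\objocx{\\*\\objclass MSComctlLib.ListViewCtrl.2}}}",
}


def triage_all(samples=SAMPLES) -> dict:
    """Run triage over a name -> bytes mapping and return name -> Verdict."""
    return {name: triage(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, v in triage_all().items():
        flag = "SUSPICIOUS" if v.suspicious else "ok"
        print(f"{name:14} {v.container:8} {flag}  {'; '.join(v.reasons)}")
```

Run as-is it prints a verdict per constructed sample; in a mail gateway you would feed `triage()` each decoded attachment. The markers are deliberately loose (they will miss obfuscated RTF and will flag a benign document that legitimately embeds an MSCOMCTL control), so treat a hit as a reason to detonate or hold the file, not as proof of exploitation.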
The malware steals an extensive list of specific document and file types, including txt, docx, doc and, more notably, files with the “acid” extensions that mark them as created with Acid Cryptofiler. Rocra can also pull data from removable drives, including files that have already been deleted, which it restores with a built-in recovery procedure, as well as email from local Outlook storage and from remote or local mail servers.
Kaspersky researchers also found that the malware can “resurrect” itself on machines where Rocra has been removed: a module of the trojan is embedded as a plug-in in Adobe Reader and Microsoft Office and lies dormant there. When the attackers later send the victim a specially crafted document, opening it lets the plug-in restart the infection without a fresh exploit, so cleaning the main malware body alone does not end the compromise.
Based on the registration information for the command-and-control servers, researchers believe the Red October attackers are a Russian-speaking group. The perpetrators use a complex chain of servers and more than 60 domain names to hide the location of their infrastructure.