The researchers who discovered a five-year-long espionage operation have released new details, a move that may assist organizations in countering similar threats in the future.
On Monday, Kaspersky Lab, the security firm that uncovered the spy op "Red October," and research partner AlienVault published a white paper designed for computer emergency response teams and system administrators.
The paper reveals the most commonly used names of the executable file (svchost.exe and svclogon.exe) dropped by Rocra, the trojan used in the campaign. The file names to which Rocra writes its executables are also included, as well as IP addresses and domain names used in the attacks.
As well, the report included the RC4 encryption keys for the main backdoor module and a list of passwords and Simple Network Management Protocol (SNMP) names used to attack network devices. Patches for the vulnerabilities that were exploited by Rocra were published, along with an Open Indicators of Compromise (IOC) file used to share threat information among organizations.
Alexandria, Va.-based security firm Mandiant created the OpenIOC system to help companies determine and identify attackers' methodologies and signs of compromise, according to openioc.org.
Rocra was delivered to victims by way of spear phishing attacks – in this case, emails sent to specific individuals in organizations, usually with attached Microsoft Word or Excel files containing Rocra. The malware exploited three now-patched vulnerabilities in the programs: CVE-2009-3129 in Excel, and CVE-2010-3333 and CVE-2012-0158 in Word.
Hundreds throughout organizations in 39 countries, primarily in Russia, have been infected with Rocra. Individuals across several fields and industries were targeted, specifically those working for government bodies and embassies, research institutions, trade and commerce groups, nuclear and energy research facilities, oil-and-gas companies, and aerospace and defense firms. Named after the submarine in Tom Clancy's novel The Hunt for Red October, the campaign deploys malware to steal sensitive information, including files encrypted by Acid Cryptofiler, classified software used to safeguard confidential data maintained by such organizations as the European Union, the North Atlantic Treaty Organization (NATO) and European Parliament.
Jaime Blasco, the labs manager at AlienVault and one of the authors of the white paper, told SCMagazine.com on Monday that Red October attackers began to shut down domain names and IP addresses associated with the command-and-control infrastructure as early as last Tuesday – the day after Kaspersky's findings about the campaign were released.
“Most of the domain names, up to 60, have been taken down, and some of the proxy servers they were using to hide the real [command-and-control] server,” Blasco said. “They were using a complex infrastructure in order to relay communications between the different servers, [which] they've been using between three and five years.”
Researchers believe a Russian-speaking group may have been behind the cyber espionage campaign, though it's unknown if it was the work of a nation-state or a group aiming to sell the information.