Red October espionage platform begins shutting down after exposure on Monday

// January 21st, 2013 // Hacking and Security


The Operation Red October espionage campaign was exposed on Monday (1/14/13) by Russian anti-virus software maker Kaspersky Lab. The Red October network was found to target hundreds of diplomatic, governmental, and scientific organizations in at least 39 countries, including the Russian Federation (the most frequent target), Iran, Kazakhstan, Azerbaijan, Belgium, India, Afghanistan, Armenia, Turkmenistan, and the United States. It uses more than 60 domain names behind multiple layers of proxy servers (to camouflage its core operations), and it installs a module that registers itself as a plugin for Adobe Reader and Microsoft Word. Should the main payload ever be removed, that plugin gives the attackers a “foolproof” way to regain control of the compromised machine: it reactivates the infection when the victim opens a specially crafted document sent by the attackers. Red October has been running since 2007, apparently without being discovered by government agencies. The main purpose of the campaign is to gather classified information and geopolitical intelligence. According to Ars:

“It uses more than 1,000 distinct modules that have never been seen before to customize attack profiles for each victim. Among other things, components target individual PCs, networking equipment from Cisco Systems, and smartphones from Apple, Microsoft, and Nokia. The attack also features a network of command-and-control servers with a complexity that rivals that used by the Flame espionage malware that targeted Iran.”

It was reported that the malware builders spoke Russian, but many of the exploits were originally developed by Chinese hackers; its origin is still unknown. The malware contains roughly 1,000 separate modules, each with a specific function, grouped into about 30 categories, so that a unique, tailored combination of components can be assembled for each target machine’s configuration. Module functions include extracting passwords, stealing browser history, logging keystrokes, taking screenshots, identifying and fingerprinting Cisco routers and other equipment on the network, stealing email from local Outlook storage or from remote POP/IMAP servers, siphoning documents from the computer and from FTP servers on the local network, copying files from USB devices attached to an infected machine (including recovering deleted files from the stick), and, on phones, stealing contact lists, SMS messages, call and browser history, and calendar appointments. Infections typically begin with a spear-phishing email carrying a malicious attachment; the malware first installs a backdoor to establish a foothold and open a channel to the command-and-control servers, and from there the attackers push down whichever modules suit that system’s configuration.

The network’s command-and-control servers are set up in a chain, with three levels of proxies, to hide the location of the “mothership” and prevent investigators from tracing back to the final collection point. Somewhere within the network lies a “super server” that automatically processes all of the stolen documents, keystrokes and screenshots, organized per unique victim ID.  Kaspersky has yet to identify the main control server.

Kaspersky Lab provided a bit of detail on how the malware operates:

“Each infection is indexed by a unique ID that’s assigned to the compromised machine. The identifier helps to ensure that each attack is carefully tailored to the specific attributes of the victim. For example, the initial documents designed to lure in a potential victim are customized to make them more appealing. Every single module is specifically compiled for the victim with a unique victim ID inside. What’s more, when connecting to the control channel, backdoors identify themselves with a specific string that appears to be the victim’s unique ID. Presumably, this allows the attackers to distinguish between the multitudes of connections and perform specific operations for each victim individually.”

UPDATE 1/21/13


Five days after the announcement of its discovery, many of the domains and servers had already begun shutting down. According to Kaspersky:

“It’s clear that the infrastructure is being shut down. Not only the registers killing the domains and the hosting providers killing the command-and-control servers but perhaps the attackers shutting down the whole operation.”

The discovery of Red October opens yet another chapter in the just-begun era of highly advanced espionage malware that already included Duqu, Aurora, Night Dragon, Flame, and Gauss.

Technical details

As always, Kaspersky has released detailed information about the attack, including indicators of compromise for the hosts and the network. Below are the most important aspects.

The loader, most common known path/names:

%PROGRAMFILES%\Windows NT\svchost.exe
%PROGRAMFILES%\Windows NT\svclogon.exe

Note: the malware dropper writes “svchost.exe” or “svclogon.exe” into the first directory from the list below that is available to it, so the loader can land in any of them. To correctly identify an infected system, Kaspersky recommends checking all of the paths listed below. Keep in mind that the legitimate svchost.exe lives only in %windir%\System32 (and %windir%\SysWOW64 on 64-bit Windows); a file by that name in any of these directories is suspicious on its own.

%ProgramFiles%\Windows NT\
%APPDATA%\Microsoft\
%ProgramFiles%\Windows NT\Accessories\
%ProgramFiles%\Windows NT\Pinball\
%ProgramFiles%\Windows Media Player\
%ProgramFiles%\Web Publish\
%ProgramFiles%\Outlook Express\
%ProgramFiles%\Microsoft Office\Office10\Data\
%ProgramFiles%\Microsoft Office\Office10\
%ProgramFiles%\Microsoft Frontpage\
%ProgramFiles%\Internet Explorer\
%ProgramFiles%\ComPlus Applications\
%ProgramFiles%\WindowsUpdate\
%CommonProgramFiles%\Microsoft Shared\MsInfo\
%CommonProgramFiles%\Microsoft Shared\Office10\
%CommonProgramFiles%\Proof\
%CommonProgramFiles%\Web Folders\
%CommonProgramFiles%\Web Server Extensions\
%CommonProgramFiles%\System\ado\
%CommonProgramFiles%\System\msadc\
%SystemDrive%\Documents and Settings\LocalService\Application Data\Microsoft\
%SystemDrive%\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\
%ALLUSERSPROFILE%\Application Data\
%windir%\Installer\
%windir%\Help\Tours\mmTour\
%windir%\Help\Tours\htmTour\
%windir%\Help\Tours\WindowsMediaPlayer\
%windir%\IME\
%windir%\MsApps\
%windir%\MsApps\MsInfo\
%windir%\inf\
%ALLUSERSPROFILE%\Application Data\Microsoft\
%ALLUSERSPROFILE%\Application Data\Microsoft\Office\
%ALLUSERSPROFILE%\Application Data\Microsoft\Office\Data\
%ALLUSERSPROFILE%\Application Data\Microsoft\Windows\
%HOMEPATH%\Local Settings\
%APPDATA%\
%APPDATA%\Microsoft\Office\
%APPDATA%\Microsoft\Office\Data\
%APPDATA%\Microsoft\Windows\
%windir%\Temp\
%TMP%\
%TEMP%\

The main backdoor encrypted body, known filenames (same location on disk as “the loader”):

fsmgmtio32.msc
cfsyn.pcs
frpdhry.hry
ime64ex.ncs
io32.ocx
lhafd.gcp
lsc32i.cmp
ocxstate.dat
opdocx.gxt
sccme.hrp
scprd.hrd
syncls.gxk
lgdrke.swk
sdlvk.acx
wsdktr.ltp
synhfr.pkc
scpkrp.gmx
rfkscp.pck
qsdtlp.rcp
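
A host check that walks the whole directory list and looks for both the loader names and the encrypted-body filenames, as an added example (not code from Kaspersky's whitepaper). It uses only the paths and filenames published above; the %ProgramFiles(x86)% and %CommonProgramFiles(x86)% variants are my addition for 64-bit hosts, and the throwaway directory built by demo() is a constructed sample, not real malware. Run it on the suspect host with administrator rights; a hit is a reason to image the machine, not proof of infection by itself.

```python
import os
import tempfile
from pathlib import Path

# Loader filenames written by the dropper (from the list above).
LOADER_NAMES = {"svchost.exe", "svclogon.exe"}

# Known filenames of the encrypted main-backdoor body (from the list above);
# it is stored in the same directory as the loader.
BODY_NAMES = {
    "fsmgmtio32.msc", "cfsyn.pcs", "frpdhry.hry", "ime64ex.ncs", "io32.ocx",
    "lhafd.gcp", "lsc32i.cmp", "ocxstate.dat", "opdocx.gxt", "sccme.hrp",
    "scprd.hrd", "syncls.gxk", "lgdrke.swk", "sdlvk.acx", "wsdktr.ltp",
    "synhfr.pkc", "scpkrp.gmx", "rfkscp.pck", "qsdtlp.rcp",
}

# Candidate directories as published (Windows %VAR% syntax, trailing '\' dropped).
CANDIDATE_DIRS = [
    r"%ProgramFiles%\Windows NT", r"%APPDATA%\Microsoft",
    r"%ProgramFiles%\Windows NT\Accessories", r"%ProgramFiles%\Windows NT\Pinball",
    r"%ProgramFiles%\Windows Media Player", r"%ProgramFiles%\Web Publish",
    r"%ProgramFiles%\Outlook Express", r"%ProgramFiles%\Microsoft Office\Office10\Data",
    r"%ProgramFiles%\Microsoft Office\Office10", r"%ProgramFiles%\Microsoft Frontpage",
    r"%ProgramFiles%\Internet Explorer", r"%ProgramFiles%\ComPlus Applications",
    r"%ProgramFiles%\WindowsUpdate", r"%CommonProgramFiles%\Microsoft Shared\MsInfo",
    r"%CommonProgramFiles%\Microsoft Shared\Office10", r"%CommonProgramFiles%\Proof",
    r"%CommonProgramFiles%\Web Folders", r"%CommonProgramFiles%\Web Server Extensions",
    r"%CommonProgramFiles%\System\ado", r"%CommonProgramFiles%\System\msadc",
    r"%SystemDrive%\Documents and Settings\LocalService\Application Data\Microsoft",
    r"%SystemDrive%\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft",
    r"%ALLUSERSPROFILE%\Application Data", r"%windir%\Installer",
    r"%windir%\Help\Tours\mmTour", r"%windir%\Help\Tours\htmTour",
    r"%windir%\Help\Tours\WindowsMediaPlayer", r"%windir%\IME",
    r"%windir%\MsApps", r"%windir%\MsApps\MsInfo", r"%windir%\inf",
    r"%ALLUSERSPROFILE%\Application Data\Microsoft",
    r"%ALLUSERSPROFILE%\Application Data\Microsoft\Office",
    r"%ALLUSERSPROFILE%\Application Data\Microsoft\Office\Data",
    r"%ALLUSERSPROFILE%\Application Data\Microsoft\Windows",
    r"%HOMEPATH%\Local Settings", r"%APPDATA%", r"%APPDATA%\Microsoft\Office",
    r"%APPDATA%\Microsoft\Office\Data", r"%APPDATA%\Microsoft\Windows",
    r"%windir%\Temp", r"%TMP%", r"%TEMP%",
]


def expand_dir(template):
    """Expand %VAR% references with os.path.expandvars (Windows syntax).
    Returns None when a variable is unset so the template is skipped
    instead of being searched as a literal path."""
    expanded = os.path.expandvars(template)
    return None if "%" in expanded else Path(expanded)


def with_wow64_variants(templates):
    """Assumption added here: on 64-bit Windows a 32-bit dropper sees the
    (x86) program-files directories, so check those alongside the originals."""
    for template in templates:
        yield template
        if "%ProgramFiles%" in template:
            yield template.replace("%ProgramFiles%", "%ProgramFiles(x86)%")
        if "%CommonProgramFiles%" in template:
            yield template.replace("%CommonProgramFiles%", "%CommonProgramFiles(x86)%")


def scan_directory(directory):
    """Return (kind, path) for every indicator filename found directly in
    `directory`; missing or unreadable directories yield nothing."""
    hits = []
    try:
        entries = list(directory.iterdir())
    except (FileNotFoundError, NotADirectoryError, PermissionError):
        return hits
    for entry in entries:
        name = entry.name.lower()
        if name in LOADER_NAMES:
            hits.append(("loader", entry))
        elif name in BODY_NAMES:
            hits.append(("backdoor-body", entry))
    return hits


def scan_host(templates=CANDIDATE_DIRS):
    """Scan each candidate directory once (case-insensitive de-duplication)
    and return the list of (kind, path) hits."""
    hits, seen = [], set()
    for template in with_wow64_variants(templates):
        directory = expand_dir(template)
        if directory is None:
            continue
        key = str(directory).lower()
        if key in seen:
            continue
        seen.add(key)
        hits.extend(scan_directory(directory))
    return hits


def demo():
    """Constructed sample: a temporary directory standing in for one of the
    candidate directories, holding a loader name, an encrypted-body name and
    a harmless file. Returns the sorted (kind, filename) hits."""
    with tempfile.TemporaryDirectory() as tmp:
        for name in ("svchost.exe", "io32.ocx", "readme.txt"):
            Path(tmp, name).write_bytes(b"constructed sample, not real malware")
        hits = scan_host([tmp, tmp])  # the duplicate exercises de-duplication
        return sorted((kind, path.name) for kind, path in hits)


if __name__ == "__main__":
    for kind, path in scan_host():
        print(f"{kind}: {path}")
    print("demo:", demo())
```

The check only looks at the listed directories, not the whole disk, because that is where the dropper puts the loader; anything found should be copied off with its timestamps preserved before the host is cleaned, since the encrypted body is what Kaspersky used to tie a sample to a victim ID.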

Here are some of the command-and-control domains used by the Red October malware:

bb-apps-world.com
blackberry-apps-world.com
blackberry-update.com
csrss-check-new.com
csrss-update-new.com
csrss-upgrade-new.com
dailyinfonews.net
dll-host.com
dll-host-check.com
dll-host-udate.com
dll-host-update.com
dllupdate.info
drivers-check.com
drivers-get.com
drivers-update-online.com
genuine-check.com
genuineservicecheck.com
genuineupdate.com
hotinfonews.com
microsoftcheck.com
microsoft-msdn.com
microsoftosupdate.com
mobile-update.com
msgenuine.net
msinfoonline.org
msonlinecheck.com
msonlineget.com
msonlineupdate.com
ms-software-check.com
ms-software-genuine.com
ms-software-update.com
new-driver-upgrade.com
nt-windows-check.com
nt-windows-online.com
nt-windows-update.com
osgenuine.com
os-microsoft-check.com
os-microsoft-update.com
security-mobile.com
shellupdate.com
svchost-check.com
svchost-online.com
svchost-update.com
update-genuine.com
win-check-update.com
windowscheckupdate.com
windows-genuine.com
windowsonlineupdate.com
win-driver-upgrade.com
wingenuine.com
wins-driver-check.com
wins-driver-update.com
wins-update.com
winupdateonline.com
winupdateos.com
world-mobile-congress.com
xponlineupdate.com

And here is a list of IP addresses used by the command-and-control infrastructure. These were current in January 2013; since the infrastructure was being taken down the same week, expect hits mainly in historical logs, and note that the domains may since have been sinkholed or re-registered by unrelated parties.

141.101.239.225
178.162.129.237
178.162.182.42
178.63.208.49
188.40.19.247
31.184.234.18
31.41.45.9
37.235.54.48
46.4.202.86
77.72.133.161
78.46.173.15
88.198.30.44
88.198.85.161
88.198.85.162
92.53.105.40
95.168.172.69
31.41.45.139
91.226.31.40
178.63.208.63
31.41.45.119
176.9.241.254
31.41.45.179
176.9.189.36
92.53.105.214
188.40.19.244
85.25.104.57
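
A small log matcher that runs the domain and IP lists above over DNS and proxy log lines, as an added example that is not part of Kaspersky's whitepaper or its Snort rules. Both indicator sets are copied from the lists on this page; the log line format and the sample lines in SAMPLE_LOG are constructed for the example. Hostnames are matched as a suffix, so a subdomain of a C2 domain counts, while look-alike legitimate names such as windowsupdate.microsoft.com do not.

```python
import re

# Command-and-control domains (from the list above).
C2_DOMAINS = {
    "bb-apps-world.com", "blackberry-apps-world.com", "blackberry-update.com",
    "csrss-check-new.com", "csrss-update-new.com", "csrss-upgrade-new.com",
    "dailyinfonews.net", "dll-host.com", "dll-host-check.com", "dll-host-udate.com",
    "dll-host-update.com", "dllupdate.info", "drivers-check.com", "drivers-get.com",
    "drivers-update-online.com", "genuine-check.com", "genuineservicecheck.com",
    "genuineupdate.com", "hotinfonews.com", "microsoftcheck.com", "microsoft-msdn.com",
    "microsoftosupdate.com", "mobile-update.com", "msgenuine.net", "msinfoonline.org",
    "msonlinecheck.com", "msonlineget.com", "msonlineupdate.com", "ms-software-check.com",
    "ms-software-genuine.com", "ms-software-update.com", "new-driver-upgrade.com",
    "nt-windows-check.com", "nt-windows-online.com", "nt-windows-update.com",
    "osgenuine.com", "os-microsoft-check.com", "os-microsoft-update.com",
    "security-mobile.com", "shellupdate.com", "svchost-check.com", "svchost-online.com",
    "svchost-update.com", "update-genuine.com", "win-check-update.com",
    "windowscheckupdate.com", "windows-genuine.com", "windowsonlineupdate.com",
    "win-driver-upgrade.com", "wingenuine.com", "wins-driver-check.com",
    "wins-driver-update.com", "wins-update.com", "winupdateonline.com",
    "winupdateos.com", "world-mobile-congress.com", "xponlineupdate.com",
}

# Command-and-control IP addresses (from the list above).
C2_IPS = {
    "141.101.239.225", "178.162.129.237", "178.162.182.42", "178.63.208.49",
    "188.40.19.247", "31.184.234.18", "31.41.45.9", "37.235.54.48", "46.4.202.86",
    "77.72.133.161", "78.46.173.15", "88.198.30.44", "88.198.85.161", "88.198.85.162",
    "92.53.105.40", "95.168.172.69", "31.41.45.139", "91.226.31.40", "178.63.208.63",
    "31.41.45.119", "176.9.241.254", "31.41.45.179", "176.9.189.36", "92.53.105.214",
    "188.40.19.244", "85.25.104.57",
}

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


def domain_matches(hostname):
    """True if hostname is a C2 domain or any subdomain of one."""
    labels = hostname.lower().rstrip(".").split(".")
    # Try every suffix that still has at least two labels.
    return any(".".join(labels[i:]) in C2_DOMAINS for i in range(len(labels) - 1))


def scan_line(line):
    """Return (kind, indicator) pairs for every C2 reference in one log line."""
    hits = [("ip", ip) for ip in IPV4_RE.findall(line) if ip in C2_IPS]
    hits += [("domain", h.lower()) for h in HOST_RE.findall(line) if domain_matches(h)]
    return hits


def scan_log(lines):
    """Return (line_number, kind, indicator) for every line that references a C2."""
    return [(n, kind, ioc) for n, line in enumerate(lines, 1)
            for kind, ioc in scan_line(line)]


# Constructed sample log (made up for this example, not captured traffic):
# "<timestamp> <client> dns query A <name>" or "<timestamp> <client> proxy <method> <target>".
SAMPLE_LOG = [
    "2013-01-15T09:12:01Z 10.1.4.22 dns query A windowsupdate.microsoft.com",
    "2013-01-15T09:12:07Z 10.1.4.22 dns query A www.dll-host-update.com",
    "2013-01-15T09:12:08Z 10.1.4.22 proxy CONNECT 178.63.208.49:443",
    "2013-01-15T09:13:44Z 10.1.4.31 dns query A mail.example.org",
    "2013-01-15T09:14:02Z 10.1.4.31 proxy GET http://nt-windows-check.com/",
]

if __name__ == "__main__":
    for line_no, kind, ioc in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {kind} {ioc}")
```

Feed it real DNS or proxy exports with scan_log(open(path)), then pivot on the client address of every hit; an IP-only hit with no preceding DNS query for a listed domain is worth a second look, since the backdoor may have been given the address directly.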

Kaspersky Lab has released a whitepaper with complete details on the attacks including Snort rules you can use to detect and analyze the network traffic coming from the malware.


Sources: CNN, Ars, Wired Magazine