The Real Hunt for Red October

A Russian security company, Kaspersky Labs, detected and identified a new spyware dubbed ‘Rocra’, meaning ‘Red October’. The Red October (Rocra) campaign was designed to steal data, including encrypted files and data from mobile devices, and has successfully infiltrated government, diplomatic and scientific agencies.

Rocra is a new kind of virus that goes undetected for long periods of time and that predominantly targets government systems worldwide. Rocra reportedly escaped security detection for five years following its creation in 2007! The targets of Rocra are government systems, any government systems in any country. Unlike malicious viruses that damage systems, Rocra operates using stealth to seek information, like a spy that can uncover any sensitive, useful or secret information instantly.

The typical channel Rocra spreads through is spear-phishing: e-mails aimed at select users inside government organizations. The e-mails carry infected files, typically Microsoft Word or Excel documents containing three or so separate exploits. If the phishing attempt is successful, a Trojan infects the target computer and then scans other PCs on the network to identify any other systems with the same software vulnerability.

Rocra also installs modules, normally in the form of .dll libraries, on the target computer that enable the infected PC to receive and execute commands from the C&C servers. At the same time, any evidence of the infection is removed. Kaspersky Labs explains that the malware classifies its tasks into ‘one-time’ and ‘persistent’, which helps it to spy as well as steal through multiple methods.

Interestingly, the malware also has a resurrection module that lets it remain hidden on a computer as if it had been erased. Rocra includes a unique “resurrection” module that allows attackers to “resurrect” infected machines after Rocra has seemingly been removed, meaning that when the malware was detected, it concealed itself rather than disappearing.

Kaspersky Labs identified victims in 69 countries (see below), including six infected machines in the United States. The Russian security researchers reported that victims fall into eight categories: government, diplomatic / embassies, research institutions, trade and commerce, nuclear / energy research, oil and gas companies, aerospace and military.

And though the perpetrator of the campaign isn’t definitely known, clues point to Chinese hackers as the possible creators of the exploits, while the malicious software program itself seems to be the creation of Russian-speaking developers.
