Red October virus. Its main objective is to build a sophisticated espionage network aimed at stealing information from diplomatic headquarters and state agencies. In general, it steals information from:
- Diplomatic bodies
- Commercial companies
- Nuclear power development
- Oil and gas companies
- Aerospace
- Military
Summary
- 1 How to know if a PC is infected?
- 2 Creators
- 3 Infecting victims
- 4 Victims and organizations affected
- 5 How to remove
- 6 Sources
How to know if a PC is infected?
Infected computers contain a file named svchost.exe, with the hidden and read-only attributes set, at the path %ProgramFiles%\WINDOWS NT\SVCHOST.EXE (the legitimate svchost.exe lives in the System32 folder, not under Program Files).
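One way to turn that indicator into a check, as an added example that is not from the original page: it compares a file record against the path above and requires both the hidden and read-only attributes, and separately reports a svchost.exe at that path even when the attributes differ. The Windows attribute bit values and the live-host scan via os.stat's st_file_attributes are assumptions about the Windows API, not from the page.

```python
import os

# Windows file-attribute bits as exposed by os.stat(...).st_file_attributes.
FILE_ATTRIBUTE_READONLY = 0x01
FILE_ATTRIBUTE_HIDDEN = 0x02
FILE_ATTRIBUTE_ARCHIVE = 0x20

# Indicator from the page: svchost.exe under %ProgramFiles%\WINDOWS NT\.
# The genuine svchost.exe lives in System32, so nothing should be here at all.
SUSPECT_SUBPATH = "\\WINDOWS NT\\svchost.exe"


def _norm(path):
    # NTFS paths are case-insensitive; accept either separator.
    return path.replace("/", "\\").rstrip("\\").lower()


def classify(path, attributes, program_files="C:\\Program Files"):
    """Verdict for one (path, attribute bitmask) record: "ioc-match" when path
    and hidden+read-only attributes both match, "unexpected-path" when only the
    path matches (still worth investigating), else "clean"."""
    if _norm(path) != _norm(program_files.rstrip("\\") + SUSPECT_SUBPATH):
        return "clean"
    required = FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_READONLY
    return "ioc-match" if attributes & required == required else "unexpected-path"


def flag_records(records, program_files="C:\\Program Files"):
    """Return [(path, verdict)] for every record that is not clean."""
    verdicts = [(p, classify(p, a, program_files)) for p, a in records]
    return [(p, v) for p, v in verdicts if v != "clean"]


def scan_live_host():
    """Check the running machine (assumption: Windows, where os.stat exposes
    st_file_attributes). Returns None if the file is absent or not on Windows."""
    program_files = os.environ.get("ProgramFiles", "C:\\Program Files")
    candidate = program_files.rstrip("\\") + SUSPECT_SUBPATH
    try:
        attrs = getattr(os.stat(candidate), "st_file_attributes", None)
    except OSError:
        return None
    return None if attrs is None else classify(candidate, attrs, program_files)


# Constructed sample records (path, attribute bitmask), not real telemetry.
SAMPLE_RECORDS = [
    ("C:\\Windows\\System32\\svchost.exe", FILE_ATTRIBUTE_ARCHIVE),
    ("C:\\Program Files\\WINDOWS NT\\svchost.exe",
     FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_READONLY | FILE_ATTRIBUTE_ARCHIVE),
    ("C:\\Program Files\\WINDOWS NT\\svchost.exe", FILE_ATTRIBUTE_ARCHIVE),
    ("c:/program files/windows nt/SVCHOST.EXE", 0x03),
]
```

Running flag_records(SAMPLE_RECORDS) flags the second, third and fourth records; a file at that path with the "wrong" attributes is still reported, since a legitimate svchost.exe never lives there.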
Creators
Developed by the Red October advanced cyber-espionage network. The attackers have been active since at least 2007 and have targeted diplomatic and government agencies in various countries around the world, but have also affected research institutions, energy and nuclear groups, commercial companies, and aerospace agencies. The Red October attackers designed their own malware, identified as “Rocra”, with a peculiar modular architecture consisting of malicious extensions, information-stealing modules and Trojan backdoors. The attackers often reused information leaked from compromised networks as a way to gain access to other systems; for example, stolen credentials were compiled into a list that the attackers used to guess passwords for additional systems. To control the network of infected computers, the attackers registered more than 60 domain names and set up several hosting servers in different countries, most of them in Germany and Russia. Kaspersky Lab’s analysis of the command-and-control (C2) infrastructure shows that the chain of servers functioned as proxies, hiding the actual location of the central “mother” server.
Information stolen from infected systems includes documents with the extensions: txt, csv, eml, doc, vsd, sxw, odt, docx, rtf, pdf, mdb, xls, wab, rst, xps, iau, cif, key, crt, cer, hse, pgp, gpg, xia, xiu, xis, xio, xig, acidcsa, acidsca, aciddsk, acidpvr, acidppr, acidssa. In particular, the “acid*” extensions appear to belong to the classified “Acid Cryptofiler” software, used by various entities ranging from the European Union to NATO.
Infecting victims
To infect systems, attackers send the victim a “spear-phishing” message that includes a Trojan dropper tailored to the recipient. To install the malware and infect the system, the malicious message includes exploits for Microsoft Office and Microsoft Excel vulnerabilities. The exploits in the documents used in the spear-phishing messages were created by other attackers and used during various cyberattacks, including those launched against Tibetan activists and other military and energy sector targets in Asia. The only modification introduced in the document used by Rocra is the embedded executable, which the attackers replaced with their own code. It is worth noting that one of the instructions in the Trojan dropper changed the default code page number of the command input session to 1251, which is required for using Cyrillic fonts.
Victims and organizations affected
Kaspersky Lab experts used two methods to analyze the victims of the attack. First, they used the detection statistics of Kaspersky Security Network (KSN), the cloud-based security service that Kaspersky Lab products use to report telemetry and to provide advanced protection in the form of blacklists and heuristic rules against all types of threats. KSN had been detecting the exploit code used in the malware since 2011, which allowed Kaspersky Lab experts to search for detections similar to Rocra’s. The second method used by the Kaspersky Lab research team was to set up a sinkhole server to monitor the infected computers connecting to Rocra’s C2 servers.
How to remove
It is removed with Kaspersky Lab Antivirus; Segurmatica Antivirus also detects and disinfects it (both identify it as w32.Sputnik).