"Red October" - An Advanced Cyber Espionage Network Targeting Diplomatic & Govt

  • This one seems almost out of a Hollywood movie …

    Full article: http://www.securelist.com/en/blog/785/The_Red_October_Campaign_An_Advanced_Cyber_Espionage_Network_Targeting_Diplomatic_and_Government_Agencies

    The "Red October" Campaign - An Advanced Cyber Espionage Network Targeting Diplomatic and Government Agencies

    During the past five years, a high-level cyber-espionage campaign has successfully infiltrated computer networks at diplomatic, governmental and scientific research organizations, gathering data and intelligence from mobile devices, computer systems and network equipment.


    Examples of "persistent" tasks

    • Once a USB drive is connected, search and extract files by mask/format, including deleted files. Deleted files are restored using a built-in file system parser
    • Wait for an iPhone or a Nokia phone to be connected. Once connected, retrieve information about the phone, its phone book, contact list, call history, calendar, SMS messages, browsing history
    • Wait for a Windows Mobile phone to be connected. Once connected, infect the phone with a mobile version of the Rocra main component
    • Wait for a specially crafted Microsoft Office or PDF document and execute a malicious payload embedded in that document, implementing a one-way covert channel of communication that can be used to restore control of the infected machine
    • Record all the keystrokes, make screenshots
    • Execute additional encrypted modules according to a pre-defined schedule
    • Retrieve e-mail messages and attachments from Microsoft Outlook and from reachable mail servers using previously obtained credentials

    Examples of "one-time" tasks

    • Collect general software and hardware environment information
    • Collect filesystem and network share information, build directory listings, search and retrieve files by mask provided by the C&C server
    • Collect information about installed software, most notably Oracle DB, RAdmin, IM software including Mail.Ru agent, drivers and software for Windows Mobile, Nokia, SonyEricsson, HTC, Android phones, USB drives
    • Extract browsing history from Chrome, Firefox, Internet Explorer, Opera
    • Extract saved passwords for Web sites, FTP servers, mail and IM accounts
    • Extract Windows account hashes, most likely for offline cracking
    • Extract Outlook account information
    • Determine the external IP address of the infected machine
    • Download files from FTP servers that are reachable from the infected machine (including those that are connected to its local network) using previously obtained credentials
    • Write and/or execute arbitrary code provided within the task
    • Perform a network scan, dump configuration data from Cisco devices if available
    • Perform a network scan within a predefined range and replicate to vulnerable machines using the MS08-067 vulnerability
    • Replicate via network using previously obtained administrative credentials