English
The Internet threat alert status is currently normal. At present, no major epidemics or other serious incidents have been recorded by Kaspersky Lab’s monitoring service. Internet threat level: 1

"Red October" - part two, the modules

GReAT
Kaspersky Lab Expert
Posted January 17, 14:21  GMT
Tags: Mobile Malware, Microsoft Windows, Malware Descriptions, Campaigns, Targeted Attacks, Microsoft, Spearphishing
0.9
 

Earlier this week, we published our report on “Red October”, a high-level cyber-espionage campaign that during the past five years has successfully infiltrated computer networks at diplomatic, governmental and scientific research organizations.

In part one, we covered the most important parts of the campaign: the anatomy of the attack, a timeline of the attacker’s operation, the geographical distribution of the victims, sinkhole information and presented a high level overview of the C&C infrastructure.

Today we are publishing part two of our research, which comprises over 140 pages of technical analysis of the modules used in the operation.

When analyzing targeted attacks, sometimes researchers focus on the superficial system infection and how that occurred. Sometimes, that is sufficient, but in the case of Kaspersky Lab, we have higher standards. This is why our philosophy is that it’s important to analyze not just the infection, but to answer three very important questions:

  • What happens to the victim after they’re infected?
  • What information is being stolen?
  • Why is “Red October” such a big deal compared to other campaigns like Aurora or Night Dragon?
  • According to our knowledge, never before in the history of ITSec has an cyber-espionage operation been analyzed in such deep detail, with a focus on the modules used for attack and data exfiltration. In most cases, the analysis is compromised by the lack of access to the victim’s data; the researchers see only some of the modules and do not understand the full purpose of the attack or what was stolen.

    To get around these hiccups, we set up several fake victims around the world and monitored how the attackers handled them over the course of several months. This allowed us to collect hundreds of attack modules and tools. In addition to these, we identified many other modules used in other attacks, which allowed us to gain a unique insight into the attack.

    The research that we are publishing today is perhaps the biggest malware research paper ever. It is certainly the most complex malware research effort in the history of our company and we hope that it sets new standards for what anti-virus and anti-malware research means today.

    Because of its size, we've split "part 2" in several pieces, to make reading easier:

    First stage of attack

    1. Exploits
    2. Dropper
    3. Loader Module
    4. Main component

    Second stage of attack

    1. Modules, general overview
    2. Recon group
    3. Password group
    4. Email group
    5. USB drive group
    6. Keyboard group
    7. Persistence group
    8. Spreading group
    9. Mobile group
    10. Exfiltration group


    Comments

    If you would like to comment on this article you must first
    login


    Bookmark and Share
    Share

    Related Links

    Analysis

    Blog

    Alerts