Anonymous ID: d6f138 Oct. 4, 2018, 12:42 p.m. No.3332267   >>2299 >>2369 >>2808

>>3332016 l.b.

>Red October (malware)

>Later, a webpage was found that exploited a known vulnerability in the Java browser plugin.

D5?


https://github.com/CrowdStrike/chopshop/blob/master/docs/module_docs/webshell_chopper_decode.rst

>The Chopper Web shell communicates over TCP using HTTP POST requests. Network traffic analysis of Chopper packets can reveal the commands and files sent during an attacker's session.

>>>/patriotsfight/331

Anonymous ID: d6f138 Oct. 4, 2018, 12:43 p.m. No.3332299   >>2808

>>3332267

>https://en.wikipedia.org/wiki/Red_October_(malware)

The malware was reportedly operating worldwide for up to five years prior to discovery, transmitting information ranging from diplomatic secrets to personal information, including from mobile devices.


The primary vectors used to install the malware were emails containing attached documents that exploited vulnerabilities in Microsoft Word and Excel.

Anonymous ID: d6f138 Oct. 4, 2018, 1:12 p.m. No.3332753

>>3332369

>>3332464

>>3332460

Good article.

>https://www.darkreading.com/attacks-breaches/red-october-attacks-the-new-face-of-cyberespionage/d/d-id/1138972

(excerpt)

But Dmitri Alperovitch, CTO at CrowdStrike, says the attacks have all the earmarks of a nation-state sponsored initiative. "It seemed very clear that it's a nation-state sponsored operation," Alperovitch says.


With the malware that hasn't been seen before in other cybercrime operations, contractors could be doing the work on behalf of the nation-state actors, he notes. He says it's unlikely a Chinese operation. Even so, attribution is difficult, as always. "It's hard to say: It could be Russia or other Russian-speaking countries, [including] the Ukraine or [Belarus]. I doubt it's China," he says.


Red October doesn't appear to be a single campaign, but, rather, a series of campaigns that may have been launched at various times and targets since 2007. Kaspersky has sinkholed more than 60 domains being used by the malware, and found victims in 39 different countries. Around 250 different IP addresses connected to the sinkhole, which it ran from last Nov. 2 to Jan. 10 of this year. Most of the IPs were from Switzerland, Kazakhstan, and Greece.


"I don't think it was one operator or campaign like Aurora" and other similar APTs, Alperovitch says. "What you are dealing with here is a toolkit framework connected to a number of campaigns over a five- to six-year period.


"It's clear that significant effort went into this tool over time, so it makes sense it was used for more than one operation," he says.