Why Red October malware is the Swiss Army knife of espionage
With more than 1,000 separate components, attack seals the age of super malware.
The Red October malware that infected hundreds of computer networks in diplomatic, governmental, and scientific research organizations around the world was one of the most advanced espionage platforms ever discovered, researchers with antivirus provider Kaspersky Lab have concluded.
Its operators had more than 1,000 modules at their disposal, allowing them to craft highly advanced infections that were tailored to the unique configurations of infected machines and the profiles of those who used them. Most of the tasks the components carried out—including extracting e-mail passwords and cryptographically hashed account credentials, downloading files from available FTP servers, and collecting browsing history from Chrome, Firefox, Internet Explorer, and Opera—were one-time events. They relied on dynamic link library code that was received from an attacker server, executed in memory, and then immediately discarded. That plan of attack helps explain why the malware remained undetected by antivirus programs for more than five years.
The malware was also capable of using more traditional Windows EXE files to carry out persistent tasks when necessary. One example was modules that waited for an iPhone, Nokia smartphone, or USB drive to be connected to an infected computer. There were also extensions for the Microsoft Word and Adobe Reader programs that watched for specially crafted documents. When they arrived in e-mail, the modules immediately reinstalled the main malware component, ensuring attackers could regain control of a machine in the event that it had been partially disinfected.
https://arstechnica.com/information-technology/2013/01/why-red-october-malware-is-the-swiss-army-knife-of-espionage/
“Red October” – Part Two, the Modules
on January 17, 2013. 7:41 pm
Earlier this week, we published our report on “Red October”, a high-level cyber-espionage campaign that during the past five years has successfully infiltrated computer networks at diplomatic, governmental and scientific research organizations.
In part one, we covered the most important parts of the campaign: the anatomy of the attack, a timeline of the attacker’s operation, the geographical distribution of the victims, sinkhole information and presented a high level overview of the C&C infrastructure.
Today we are publishing part two of our research, which comprises over 140 pages of technical analysis of the modules used in the operation.
When analyzing targeted attacks, sometimes researchers focus on the superficial system infection and how that occurred. Sometimes, that is sufficient, but in the case of Kaspersky Lab, we have higher standards. This is why our philosophy is that it’s important to analyze not just the infection, but to answer three very important questions:
What happens to the victim after they’re infected?
What information is being stolen?
Why is “Red October” such a big deal compared to other campaigns like Aurora or Night Dragon?
https://securelist.com/red-october-part-two-the-modules/57645/