“Red October” in the title of Tom Clancy’s bestselling novel referred to a Soviet submarine whose silent propulsion system made it undetectable to sonar. It’s a fitting name for the sophisticated cyber-espionage network that has recently been identified after collecting high-level data from governments, embassies and diplomatic networks, energy companies, and other sensitive systems for at least five years.
Red October began as a series of spear-phishing attacks with highly personalized emails aimed at specific targets. The spear-phishing emails carried malicious attachments in the form of Microsoft Office files. Once a target opened the Office file, a malicious executable was dropped on the victim machine and a second, embedded Office file was opened. The embedded Office file served only to give the victim the false impression that nothing had happened when the malicious attachment was opened. Java was also used as an attack vector in the spear-phishing campaign: the Red October attackers sent a spear-phishing email containing a malicious link, and when the victim opened the link it loaded a malicious Java applet that infected the victim machine.
Here’s what happens with an email:
• The unsuspecting user receives an email with an attached Office file and opens the file.
• The exploit drops and launches two files: a clean Word or Excel file and a malicious .EXE.
• Word or Excel then crashes and exits while the malicious .EXE launches along with the clean document, so the user sees nothing amiss, as shown in these examples:
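The drop-and-decoy chain in the bullets above leaves a recognizable trace in process-creation telemetry: an Office application launches an executable from a user-writable location, and that executable then launches a fresh Office process to show the clean document. The following script, an added example that is not Websense's code or part of the original post, scores constructed process-creation events against both stages and reports where the two link up. The simplified `ts=... parent="..." image="..."` log format, the host paths and the dropped-file name `update.exe` are all hypothetical; only the Word/Excel-spawns-EXE behaviour comes from the post.

```python
import re
from dataclasses import dataclass

# Process names of the Office applications named in the post (lower-case).
OFFICE_APPS = {"winword.exe", "excel.exe"}

# Directories a standard user can write to; a dropped payload typically lands here.
USER_WRITABLE = (r"\appdata\local\temp", r"\appdata\roaming", r"\users\public")

# Constructed process-creation events in a simplified key=value format.
# Users and paths are hypothetical; "update.exe" stands in for the dropped
# executable and is not a name taken from the Red October reports.
SAMPLE_EVENTS = [
    r'ts=2013-01-14T09:12:01 parent="C:\Windows\explorer.exe" image="C:\Program Files\Microsoft Office\Office12\WINWORD.EXE"',
    r'ts=2013-01-14T09:12:07 parent="C:\Program Files\Microsoft Office\Office12\WINWORD.EXE" image="C:\Users\alice\AppData\Local\Temp\update.exe"',
    r'ts=2013-01-14T09:12:08 parent="C:\Users\alice\AppData\Local\Temp\update.exe" image="C:\Program Files\Microsoft Office\Office12\WINWORD.EXE"',
    r'ts=2013-01-14T09:15:30 parent="C:\Program Files\Microsoft Office\Office12\WINWORD.EXE" image="C:\Windows\splwow64.exe"',
    r'ts=2013-01-14T10:02:44 parent="C:\Program Files\Microsoft Office\Office12\EXCEL.EXE" image="C:\Users\bob\AppData\Roaming\report.exe"',
    r'this line is malformed and should be skipped',
]

EVENT_RE = re.compile(r'ts=(\S+)\s+parent="([^"]*)"\s+image="([^"]*)"')


@dataclass(frozen=True)
class ProcessEvent:
    ts: str
    parent: str   # full path of the parent process
    image: str    # full path of the newly created process


def parse_event(line):
    """Parse one log line; malformed lines yield None and are skipped."""
    m = EVENT_RE.match(line)
    return ProcessEvent(*m.groups()) if m else None


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def in_user_writable(path):
    p = path.lower()
    return any(d in p for d in USER_WRITABLE)


def office_spawns_exe(ev):
    """Stage 1: Word/Excel launches an .exe from a user-writable location."""
    return (basename(ev.parent) in OFFICE_APPS
            and basename(ev.image).endswith(".exe")
            and in_user_writable(ev.image))


def exe_relaunches_office(ev):
    """Stage 2: an .exe in a user-writable location launches Word/Excel (the decoy)."""
    return basename(ev.image) in OFFICE_APPS and in_user_writable(ev.parent)


def analyse(lines):
    """Return stage-1 hits, stage-2 hits, and the dropped-file paths seen in both."""
    events = [ev for ev in map(parse_event, lines) if ev]
    stage1 = [ev for ev in events if office_spawns_exe(ev)]
    stage2 = [ev for ev in events if exe_relaunches_office(ev)]
    relaunchers = {ev.parent.lower() for ev in stage2}
    # Full chain: the .exe dropped in stage 1 is later the parent in stage 2.
    chains = sorted({ev.image.lower() for ev in stage1 if ev.image.lower() in relaunchers})
    return {"stage1": stage1, "stage2": stage2, "chains": chains}


if __name__ == "__main__":
    result = analyse(SAMPLE_EVENTS)
    for ev in result["stage1"]:
        print("office -> exe:", ev.ts, ev.image)
    for path in result["chains"]:
        print("full drop-and-decoy chain via", path)
```

Stage 1 alone fires on legitimate helpers too (the `splwow64.exe` event is deliberately included as a benign case that the user-writable-path check filters out), so the higher-confidence signal is the completed chain, where the same dropped executable appears as the child in stage 1 and the parent in stage 2. The Excel event shows a stage-1 hit with no matching stage 2 and is reported but not promoted to a chain.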
All known related C&C IPs and domains associated with the Red October attack are classified as “Bot Networks”. ThreatScope helps protect Websense customers by identifying all of the embedded files as Malicious, as shown in the following reports:
The following CVEs are reported to have been used as part of the Red October spear-phishing attacks:
Like many other targeted attacks, this one takes advantage of the victim's interests. The social engineering aspect of targeted attacks is what makes them so successful, so we must all remain vigilant when opening emails with attachments or links, especially if the emails are unsolicited.
Websense customers are protected by Websense ACE (Advanced Classification Engine), and we will continue to monitor this and other evolving security threats.