From Charlie Osborne, ZDNet: Kaspersky Lab has discovered yet another worldwide spying campaign that targets governmental bodies, political groups and research institutions.
On par with the memorable Flame malware, Kaspersky and a number of Cyber Emergency Response Teams (CERTs) discovered the malware — known as Rocra or Red October — which mostly targets institutions based in Eastern Europe, former USSR members and countries in Central Asia.
Kaspersky says that Red October has been gathering data and intelligence from "mobile devices, computer systems and network equipment" and is currently still active. Data is gathered and sent to multiple command-and-control servers which the security firm says rival the complex nature of Flame.
The malware is sent via a spear-phishing email which, according to the firm, targets carefully-selected victims within an organisation. Containing at least three different exploits in Microsoft Excel and Word, the infected files, once downloaded, drop a trojan on to the machine which then scans the local network to detect if any other devices are vulnerable to the same security flaw. . . .
Designed to steal encrypted files and even those that have been deleted from a victim’s computer, the malware — named as a hat-tip to the novel "The Hunt For The Red October" — has several key features which suggest it may be state-sponsored, although there is no official word on this yet.
Among the features, there is a "resurrection module" within the malware which keeps the infection hidden, disguised as a plugin for a program such as Microsoft Office, which can then reincarnate the infection after removal.
In addition, Red October does not simply focus on standard machines, but is also able to infect and steal data from mobile devices, hijacking information from external storage drives, accessing FTP servers and thieving information from email databases. . . .
Kaspersky believes that the cyberattackers have been active for a minimum of five years, based on domain name registration dates and PE timestamps, and the firm "strongly believes" that the origins of the malware are Russian.
From AFP: Red October, which has been active since at least 2007, appears to collect files encrypted with software used by several entities from the European Union to NATO, it added. . . .
In addition to diplomatic and governmental agencies of various countries across the world, Red October also targeted research institutions, energy and nuclear groups, and trade and aerospace targets, added Kaspersky Lab. (graphic: Kaspersky Lab)