Kaspersky Lab experts have just released a report about a massive espionage malware campaign targeting governments around the world, including 12 African countries. The most affected country in Africa is Uganda. Here’s a link to the full paper (part 1) of Kaspersky’s Red October research.
According to the report, the large-scale cyber-espionage campaign has been active since 2007 and was still active at the time of writing (January 2013). Its main purpose is to gather classified information and geopolitical intelligence.
It targets international diplomatic service agencies and government computers. The most affected countries are in Eastern Europe, the former USSR and Central Asia, but victims were also found in Western Europe and North America.
Kaspersky experts were not able to identify the people or organizations responsible for the project.
Within the last three years, three pieces of espionage malware targeting governments have been discovered: first “Stuxnet”, which targeted Iran; then “Flame”, which targeted Middle Eastern countries in general; and now “Red October”, which has a massive global reach.
The main activities or tasks performed by the malware on affected computers and networks, as described in the Kaspersky report, are:
Examples of “persistent” tasks
- Once a USB drive is connected, search and extract files by mask/format, including deleted files. Deleted files are restored using a built-in file system parser
- Wait for an iPhone or a Nokia phone to be connected. Once connected, retrieve information about the phone, its phone book, contact list, call history, calendar, SMS messages, browsing history
- Wait for a Windows Mobile phone to be connected. Once connected, infect the phone with a mobile version of the Rocra main component
- Wait for a specially crafted Microsoft Office or PDF document and execute a malicious payload embedded in that document, implementing a one-way covert channel of communication that can be used to restore control of the infected machine
- Record all the keystrokes, make screenshots
- Execute additional encrypted modules according to a pre-defined schedule
- Retrieve e-mail messages and attachments from Microsoft Outlook and from reachable mail servers using previously obtained credentials
Examples of “one-time” tasks
- Collect general software and hardware environment information
- Collect filesystem and network share information, build directory listings, search and retrieve files by mask provided by the C&C server
- Collect information about installed software, most notably Oracle DB, RAdmin, IM software including Mail.Ru agent, drivers and software for Windows Mobile, Nokia, SonyEricsson, HTC, Android phones, USB drives
- Extract browsing history from Chrome, Firefox, Internet Explorer, Opera
- Extract saved passwords for Web sites, FTP servers, mail and IM accounts
- Extract Windows account hashes, most likely for offline cracking
- Extract Outlook account information
- Determine the external IP address of the infected machine
- Download files from FTP servers that are reachable from the infected machine (including those that are connected to its local network) using previously obtained credentials
- Write and/or execute arbitrary code provided within the task
- Perform a network scan, dump configuration data from Cisco devices if available
- Perform a network scan within a predefined range and replicate to vulnerable machines using the MS08-067 vulnerability
- Replicate via network using previously obtained administrative credentials
The digital attack on, and colonization of, digitally weak countries has only just begun.