'Operation Red October' Used Java Exploit as Added Attack Weapon

On Monday, Kaspersky Lab uncovered details of a complex cyber espionage campaign dubbed 'Operation Red October' that has been targeting specific groups throughout the world for over five years.

The sophisticated campaign targeted computer networks of various international diplomatic service agencies throughout the world using malware that not only targeted PCs, but also smartphones including iPhones and Windows Mobile devices.

Red October Attacks

The attackers behind Operation Red October used a custom-made malware framework with a modular architecture made up of malicious extensions, information-stealing modules and backdoor Trojans.

According to Kaspersky’s research released on Monday, the samples they analyzed were using exploits for vulnerabilities in Microsoft Word and Microsoft Excel that were created by other attackers, and delivered via spearphishing emails.

On Tuesday, Seculert, a Petach-Tikva, Israel-based malware threat detection company, discovered another attack vector that was used as part of the espionage campaign: Java.

In their analysis, Seculert researchers discovered a special folder that they say was used by the attackers as an additional attack vector.

“In this vector, the attackers sent an email with an embedded link to a specially crafted PHP web page. This webpage exploited a vulnerability in Java (CVE-2011-3544), and in the background downloaded and executed the malware automatically,” the firm wrote in a blog post.

According to Seculert, the JAR file of the Java exploit was compiled in February 2012, even though that vulnerability was patched in October 2011.

The same vulnerability was targeted by the Blackhole exploit kit back in December 2011, again after Oracle had already issued a patch. Additionally, the infamous Mac OS X-based Flashback botnet targeted CVE-2011-3544 for a period of time last year.

“While the attack using Java occurred around February 2012, sometime between then and now attackers have moved from using PHP as their server side scripting engine, to CGI,” Seculert said.

Analysis of the server side source code of the exploit showed that the malware payload URL is encoded before being passed to the Java applet. "When the client is exploited, the URL gets decoded and the malware gets downloaded. In addition, the code also logs all the victims visit information to a log file," Seculert explained.

Seculert researchers also discovered that the attackers added a fingerprint at the end of the malware executable, assigning a unique identifier to each targeted victim. “This is the same unique identifier which is used by the malware later on while communicating with the C2 servers,” the firm said.
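The two mechanics described above (an encoded payload URL handed to the applet, and a per-victim fingerprint appended to the executable that reappears in C2 traffic) are the pieces an analyst has to pull apart when triaging a landing page and its dropped sample. The script below is an added example, not Seculert's or Kaspersky's code, and works entirely on constructed input. Its assumptions are labelled: the URL parameter is taken to be base64-encoded (the article only says "encoded"), the applet, class and parameter names are hypothetical, the "VICTIM-..." fingerprint format and the C2 request format are invented for the sample, and the appended fingerprint is recovered generically as the PE overlay (everything after the last raw section) rather than by any campaign-specific marker.

```python
"""Analyst-side triage of a Java drive-by landing page and its payload (added example)."""
import base64
import struct
from html.parser import HTMLParser
from urllib.parse import urlsplit


# --- 1. Landing page: find the <applet> and decode its payload-URL parameter ---

class AppletParamParser(HTMLParser):
    """Collect every <applet> with its attributes and its <param name=value> children."""
    def __init__(self):
        super().__init__()
        self.applets = []
        self._cur = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "applet":
            self._cur = {"attrs": a, "params": {}}
            self.applets.append(self._cur)
        elif tag == "param" and self._cur is not None:
            self._cur["params"][a.get("name", "")] = a.get("value", "")

    def handle_endtag(self, tag):
        if tag == "applet":
            self._cur = None


def decode_payload_url(value):
    """Reverse the (assumed) base64 encoding; accept only absolute http(s) URLs."""
    try:
        url = base64.b64decode(value, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    parts = urlsplit(url)
    return url if parts.scheme in ("http", "https") and parts.netloc else None


def extract_payload_urls(html, param_name="url"):
    """Return (archive, class, decoded_url) for each applet on the page."""
    p = AppletParamParser()
    p.feed(html)
    return [(ap["attrs"].get("archive"), ap["attrs"].get("code"),
             decode_payload_url(ap["params"].get(param_name, "")))
            for ap in p.applets]


# --- 2. Payload: recover the fingerprint appended after the last PE section ---

def overlay_offset(pe):
    """File offset where appended (overlay) data begins: end of the last raw section."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    (n_sections,) = struct.unpack_from("<H", pe, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", pe, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size          # first IMAGE_SECTION_HEADER
    end = table + 40 * n_sections             # never cut inside the headers
    for i in range(n_sections):
        raw_size, raw_ptr = struct.unpack_from("<II", pe, table + 40 * i + 16)
        end = max(end, raw_ptr + raw_size)
    return end


def extract_overlay(pe):
    return pe[overlay_offset(pe):]


def build_sample_pe(section_data):
    """Minimal PE32 with one .text section; constructed test input, not real malware."""
    e_lfanew, opt_size = 0x40, 0xE0
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x0102)
    opt = b"\x0b\x01" + b"\x00" * (opt_size - 2)   # PE32 magic, rest zeroed
    raw_ptr = (e_lfanew + 4 + 20 + opt_size + 40 + 0x1FF) & ~0x1FF
    raw_size = (len(section_data) + 0x1FF) & ~0x1FF
    sect = struct.pack("<8sIIIIIIHHI", b".text", len(section_data), 0x1000,
                       raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
    img = dos + b"PE\0\0" + coff + opt + sect
    img += b"\x00" * (raw_ptr - len(img))
    return img + section_data + b"\x00" * (raw_size - len(section_data))


# --- 3. Correlate the fingerprint with C2 traffic ---

def find_beacons(victim_id, log_lines):
    """Access-log lines whose request carries the same victim ID."""
    return [ln for ln in log_lines if victim_id in ln]


# Constructed samples (hypothetical names; the page title is the one Seculert reported).
PAYLOAD_URL = "http://news.example.com/download/update.exe"
LANDING_PAGE = f"""<html><head><title>We Can Find All News!</title></head><body>
<applet code="NewsApplet.class" archive="news.jar" width="1" height="1">
<param name="url" value="{base64.b64encode(PAYLOAD_URL.encode()).decode()}">
</applet></body></html>"""
VICTIM_ID = b"VICTIM-7f3a9c21"                      # hypothetical fingerprint format
SAMPLE_PAYLOAD = build_sample_pe(b"\xcc" * 16) + VICTIM_ID
C2_LOG = [                                          # constructed; request format assumed
    '10.0.0.5 - - [05/Feb/2012:10:01:12] "GET /cgi-bin/news.cgi?id=VICTIM-7f3a9c21 HTTP/1.1" 200',
    '10.0.0.9 - - [05/Feb/2012:10:03:40] "GET /cgi-bin/news.cgi?id=VICTIM-0a11ee42 HTTP/1.1" 200',
]

if __name__ == "__main__":
    print(extract_payload_urls(LANDING_PAGE))
    vid = extract_overlay(SAMPLE_PAYLOAD).decode()
    print(vid, find_beacons(vid, C2_LOG))
```

Reading the overlay from the section table rather than scanning for a marker is deliberate: it works on any sample regardless of how the operators format their identifier, and it also flags a sample that has no overlay at all, which is itself useful when deciding whether a file came through this delivery path.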

Seculert also found that the Java exploit attack vector included a "news theme" -- with "We Can Find All News!" in a page title, through the Java JAR and class name and all the way to the malware payload URL.

While Seculert did reference that Flame also included a news theme, with its "NewsForYou" server side control handler, Kaspersky Lab has stated that so far no evidence has turned up indicating any connection between Red October and the Flame, Duqu or Gauss attacks.

The attack campaign, also going by the name 'Rocra' (short for Red October), is still active, with data being sent to multiple C&C servers whose infrastructure Kaspersky Lab says rivals that of the Flame malware in terms of complexity.

"This campaign personifies the steal everything mantra," Roel Schouwenberg, senior researcher, Kaspersky Lab, told SecurityWeek on Monday. "Next to the more standard things it's after files encrypted by classified software used by the European Parliament and NATO. It's also able to siphon the data off of smart phones, Cisco routers and SIP phones. On the operations side the C&C infrastructure is huge, spanning sixty domains and numerous servers."

Other exploits used by the attackers targeted at least three different vulnerabilities: CVE-2009-3129 (Microsoft Excel), CVE-2010-3333 (Microsoft Word) and CVE-2012-0158 (Microsoft Word). Early attacks using the CVE-2009-3129 exploit started in 2010, while attacks targeting the Microsoft Word vulnerabilities appeared in the summer of 2012, Kaspersky said.

Additional research on ‘Operation Red October” is expected to be released by Kaspersky Lab in the next few days.