‘Operation Red October’ Used Java Exploit as Added Attack Weapon

On Monday, Kaspersky Lab uncovered details of a complex cyber espionage campaign dubbed ‘Operation Red October’ that has been targeting specific groups throughout the world for over five years.

The sophisticated campaign targeted computer networks of various international diplomatic service agencies throughout the world using malware that not only targeted PCs, but also smartphones including iPhones and Windows Mobile devices.

Red October Attacks

The attackers behind Operation Red October used a custom-made malware framework with a modular architecture made up of malicious extensions, information-stealing modules and backdoor Trojans.

According to Kaspersky’s research released on Monday, the samples they analyzed were using exploits for vulnerabilities in Microsoft Word and Microsoft Excel that were created by other attackers, and delivered via spearphishing emails.

On Tuesday, Seculert, a Petach-Tikva, Israel-based malware threat detection company, discovered another attack vector that was used as part of the espionage campaign: Java.

In their analysis, Seculert researchers discovered a special folder that they say was used by the attackers as an additional attack vector.

“In this vector, the attackers sent an email with an embedded link to a specially crafted PHP web page. This webpage exploited a vulnerability in Java (CVE-2011-3544), and in the background downloaded and executed the malware automatically,” the firm wrote in a blog post.

According to Seculert, the JAR file of the Java exploit was compiled in February 2012, even though that vulnerability was patched in October 2011.

The same vulnerability was targeted by the Blackhole exploit kit back in December 2011, again after Oracle had already issued a patch. Additionally, the infamous Mac OS X-based Flashback botnet targeted CVE-2011-3544 for a period of time last year.

“While the attack using Java occurred around February 2012, sometime between then and now attackers have moved from using PHP as their server side scripting engine, to CGI,” Seculert said.

Analysis of the server side source code of the exploit showed that the malware payload URL is encoded before being passed to the Java applet. “When the client is exploited, the URL gets decoded and the malware gets downloaded. In addition, the code also logs all the victims visit information to a log file,” Seculert explained.

Seculert researchers also discovered that the attackers have added a fingerprint at the end of the malware executable that assigns a unique identifier to each of the targeted victims. “This is the same unique identifier which is used by the malware later on while communicating with the C2 servers,” the firm said.
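A defender-side illustration of the point above, added here and not taken from Seculert's or Kaspersky's analysis: a per-victim tag appended past the end of the PE image changes the whole-file hash of every sample, so a hash-based indicator misses all but the one sample it was derived from. Splitting off the overlay (bytes beyond the last section's raw data) and hashing only the mapped image yields a value that is stable across victims. The PE skeleton below is constructed for the demo (no optional header, one section) and is not an executable.

```python
import hashlib
import struct


def pe_image_end(data: bytes) -> int:
    """Offset where the PE image ends: the end of the last section's raw data.
    Anything past this offset is overlay data the loader never maps."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]        # NumberOfSections
    opt_hdr_size = struct.unpack_from("<H", data, coff + 16)[0]       # SizeOfOptionalHeader
    sec_table = coff + 20 + opt_hdr_size
    end = sec_table + num_sections * 40                               # headers alone, if no sections
    for i in range(num_sections):
        entry = sec_table + i * 40
        size_raw, ptr_raw = struct.unpack_from("<II", data, entry + 16)  # SizeOfRawData, PointerToRawData
        end = max(end, ptr_raw + size_raw)
    return end


def split_overlay(data: bytes):
    """Return (mapped image, overlay). The overlay is where a per-victim tag would live."""
    end = pe_image_end(data)
    return data[:end], data[end:]


def normalized_sha256(data: bytes) -> str:
    """Hash of the mapped image only; identical for samples that differ solely in their overlay."""
    image, _ = split_overlay(data)
    return hashlib.sha256(image).hexdigest()


def build_sample_pe(overlay: bytes = b"") -> bytes:
    """Constructed minimal PE skeleton: DOS header, PE signature, COFF header with one
    section and no optional header, 64 bytes of section data, then an optional overlay."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                                 # e_lfanew -> right after DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x102)         # i386, 1 section, SizeOfOptionalHeader=0
    section = struct.pack("<8sIIIIIIHHI", b".text\0\0\0", 64, 0x1000, 64, 128, 0, 0, 0, 0, 0x60000020)
    headers = bytes(dos) + b"PE\0\0" + coff + section                     # exactly 128 bytes
    return headers + bytes(range(64)) + overlay


if __name__ == "__main__":
    tagged = build_sample_pe(b"VICTIM-ID-0001")                          # constructed per-victim tag
    print("overlay:", split_overlay(tagged)[1], "normalized:", normalized_sha256(tagged))
```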

Seculert also found that the Java exploit attack vector included a “news theme” — with “We Can Find All News!” in a page title, through the Java JAR and class name and all the way to the malware payload URL.

While Seculert did reference that Flame also included a news theme, with its “NewsForYou” server side control handler, Kaspersky Lab has stated that so far no evidence has turned up indicating any connection between Red October and the Flame, Duqu or Gauss attacks.

The attack campaign, also going by the name ‘Rocra’ (short for Red October), is still active, with data being sent to multiple C&C servers in an infrastructure that Kaspersky Lab says rivals that of the Flame malware in terms of complexity.

“This campaign personifies the steal everything mantra,” Roel Schouwenberg, senior researcher, Kaspersky Lab, told SecurityWeek on Monday. “Next to the more standard things it’s after files encrypted by classified software used by the European Parliament and NATO. It’s also able to siphon the data off of smart phones, Cisco routers and SIP phones. On the operations side the C&C infrastructure is huge, spanning sixty domains and numerous servers.”

Other exploits used by the attackers targeted at least three different vulnerabilities, including: CVE-2009-3129 (Microsoft Excel), CVE-2010-3333 (Microsoft Word) and CVE-2012-0158 (Microsoft Word). Early attacks using the exploit for CVE-2009-3129 started in 2010, while attacks targeting the Microsoft Word vulnerabilities appeared in the summer of 2012, Kaspersky said.

Additional research on ‘Operation Red October’ is expected to be released by Kaspersky Lab in the next few days.

Related: Endless Exploit Attempts Underline Importance of Timely Java Patching

Written By

For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.