Red October cyber-espionage malware uses MS Office exploits

January 18, 2013

The Dell SonicWALL Threats Research team received reports of malware that has targeted international diplomatic service agencies. The malware, named Red October, is part of a large-scale cyber-espionage network that has been in existence since 2007 and is designed to steal sensitive information from infected systems. The malware uses GAV: CVE-2012-0158 (Exploit) and GAV: CVE-2010-3333 (Exploit), which exploit known vulnerabilities in unpatched versions of Microsoft Word and Excel. There have also been reports of the malware using Java vulnerabilities: GAV: CVE-2011-3544 (Exploit). It is reported that the Trojan is spread via email and uses infected Word and Excel files.

Infection cycle:

The file containing the exploit may be a legitimate but infected Word or Excel file. In this case it was an Excel file:

After the exploit has run successfully it will cause Excel to display a spreadsheet containing fake corporate data in order to thwart suspicion:

The Trojan adds the following keys to the Windows registry:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit "%WINDIR%\system32\userinit.exe,%PROGRAMFILES%\Windows NT\svchost.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000000-6948-B838-A1A0-B0132CCF0BA1} @ "D74C3FB1"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000000-7657-A727-BEBF-AF0C33D014BE} @ "C85320AE"
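As an added defender's example (not SonicWALL's code), the following Python triages a registry export for the persistence indicators listed above: it parses .reg text, flags any Winlogon Userinit entry beyond the legitimate userinit.exe, and matches the two CLSID marker keys. The .reg sample is constructed; on a live host the text would come from a `reg export` of those hives.

```python
import re
# Legitimate Userinit entry, either %WINDIR%\system32\userinit.exe or its expanded form.
LEGIT_USERINIT = re.compile(r"(%windir%|[a-z]:\\windows)\\system32\\userinit\.exe")
# CLSID marker keys named in the advisory above.
ROCRA_CLSIDS = {"{00000000-6948-B838-A1A0-B0132CCF0BA1}",
                "{00000000-7657-A727-BEBF-AF0C33D014BE}"}
WINLOGON = r"software\microsoft\windows nt\currentversion\winlogon"

# Constructed .reg export (not a real capture): an infected Winlogon value,
# one marker CLSID and one benign CLSID that must not be flagged.
SAMPLE_REG = r'''
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="%WINDIR%\\system32\\userinit.exe,%PROGRAMFILES%\\Windows NT\\svchost.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000000-6948-B838-A1A0-B0132CCF0BA1}]
@="D74C3FB1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{12345678-1234-1234-1234-123456789ABC}]
@="Benign component"
'''

def parse_reg(text):
    """Parse .reg export text into {key: {value_name: string_value}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current and "=" in line:
            name, _, val = line.partition("=")
            # .reg files double the backslashes inside quoted string values.
            keys[current][name.strip('"')] = val.strip('"').replace("\\\\", "\\")
    return keys

def userinit_extras(value):
    """Return every comma-separated Userinit entry that is not the real userinit.exe."""
    entries = [e.strip() for e in value.split(",") if e.strip()]
    return [e for e in entries if not LEGIT_USERINIT.fullmatch(e.lower())]

def scan(reg_text):
    """Return human-readable findings; an empty list means no indicator matched."""
    findings = []
    for key, values in parse_reg(reg_text).items():
        if key.lower().endswith(WINLOGON):
            for extra in userinit_extras(values.get("Userinit", "")):
                findings.append(f"Winlogon Userinit also launches: {extra}")
        clsid = key.rsplit("\\", 1)[-1].upper()
        if clsid in ROCRA_CLSIDS:
            findings.append(f"Red October CLSID marker {clsid} = {values.get('@', '')}")
    return findings
```

Any extra Userinit entry is worth investigating even when it is not this sample, since the value is a generic logon-time persistence point.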

The Trojan adds the following files to the filesystem:

  • %PROGRAMFILES%\Windows NT\lhafd.gcp
  • %PROGRAMFILES%\Windows NT\svchost.exe [Detected as GAV: Rocra.A (Trojan)]
  • %TEMP%\msc.bat
  • %TEMP%\Dsc.tmp [Detected as GAV: Kolab.ABVR (Worm)]

msc.bat contains the following post-infection clean-up code:

      chcp 1251
      attrib -a -s -h -r "%TEMP%\Dcs.tmp"
      del "%TEMP%\Dcs.tmp"
      if exist "%TEMP%\Dcs.tmp" goto Repeat
      del "%TEMP%\msc.bat"

The chcp command suggests that the malware is Russian in origin: codepage 1251 is the Windows ANSI codepage for Cyrillic.

The Trojan was observed issuing a network query to verify internet connectivity:

The Trojan was observed using the CreateEvent API in order to be notified of various system events:

The Trojan steals information from the following web browsers:

  • Google Chrome
  • Mozilla Firefox
  • Internet Explorer
  • Opera

We observed the Trojan reading data from profile files written by a Firefox installation we had placed on the system:

It is widely reported that the Trojan can update itself and add modules from a remote Command & Control server.

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Exploit.CVE-2012-0158 (Exploit)
  • GAV: Exploit.CVE-2010-3333 (Exploit)
  • GAV: Exploit.CVE-2011-3544 (Exploit)
  • GAV: Kolab.ABVR (Worm)
  • GAV: Rocra.A (Trojan)