Has Red October APT Gang Resurfaced?

Zero-Day Attacks Target Financial, Oil, Government Sectors
The so-called Red October advanced persistent threat gang may have emerged from hiding.

Two research firms released new reports Dec. 10 documenting an ongoing series of APT attacks that have been targeting financial services firms, petroleum production companies, engineering firms and embassies - primarily in Eastern Europe - using malware that has been designed to exploit at least one zero-day vulnerability.

Whoever has been launching the attacks, which were first discovered in August 2014, has gone to almost "paranoid" extremes to hide their tracks, according to security firm Blue Coat, which has dubbed the campaign Inception, after the 2010 science fiction heist film about sophisticated criminals who steal secrets from people's subconscious.

But anti-virus firm Kaspersky Lab, which has released a related report into what it's calling the "Cloud Atlas" campaign - in reference to where the attackers' infrastructure is based - says there are numerous similarities between these recent attacks and the Red October campaign that it discovered in October 2012, including identical command-and-control server algorithms, and very similar development environments and targets. "Just like with Red October, the top target of Cloud Atlas is Russia, followed closely by Kazakhstan," the Kaspersky Lab global research and analysis team report says. "Actually, we see an obvious overlap of targets between the two, with subtle differences which closely account for the geopolitical changes in the region that happened during the last two years."

Kaspersky Lab didn't immediately respond to a query about what changes in particular it was discussing.

Regardless, the anti-virus firm says it believes that these new attacks have been launched by the same group that was behind the Red October APT attacks, which it first detailed publicly in January 2013, after which the attacks quickly stopped. At the time, Kaspersky Lab said the attackers appeared to be Russian speakers, although they sometimes used Chinese-made tools.

While Blue Coat's report says it also sees similarities between the recent attacks and Red October, it also warns that this might be an intentional red herring designed to fool researchers.

Phishing Attacks

Regardless of whether the old and new APT campaigns are linked, the two research firms agree on the attackers' modus operandi: Attacks typically begin with phishing e-mails, with Trojanized Word documents attached, say Blue Coat researchers Snorre Fagerland and Waylon Grange, who wrote that firm's report. They note attackers have also been deploying malware that can infect Android, BlackBerry and iOS devices, record conversations and send them to attackers.

Blue Coat says it's recovered Inception-related phishing e-mails that have targeted organizations that it's declined to name. Those include at least one financial services firm in Russia; oil-related organizations based in Paraguay, Romania and Turkey; and embassies or diplomatic-related agencies in Paraguay, Romania and Turkey.

To date, the attack infrastructure has been hosted using CloudMe, a Swedish cloud storage service, both research firms say. "The CloudMe service is not actively spreading the malicious content; the attackers are only using it for storing their files," Blue Coat says, noting that the service has provided extensive research - including log data - related to the attackers.

The attackers appear to be using the cloud-based service not just to store their attack files, but also to organize attacks against each target, Kaspersky Lab reports. "Each malware set we have observed so far communicates with a different CloudMe account," it says. "The attackers upload data to the account, which is downloaded by the implant, decrypted and interpreted. In turn, the malware uploads the replies back to the server via the same mechanism."

CloudMe reports that "tens of thousands" of attack accounts have been discovered, and that it is actively deleting the APT accounts. "We are permanently deleting all accounts that we can identify as involved in the #inception #cloudatlas #apt #surveillance."

Both Blue Coat and Kaspersky Lab say the malware could be easily rewritten to work with any cloud-based service.

Malware Embedded in RTF Documents

Blue Coat says that all phishing attacks that have been traced to the Inception campaign involve malware being embedded in Rich Text Format - or RTF - files, which then get embedded in Microsoft Word documents and e-mailed to targets. If the target opens the file, the malicious code then attempts to write itself to disk, using a randomized name to avoid detection, Blue Coat says.

Both security firms report that attackers have been relying on two Microsoft Office RTF vulnerabilities - CVE-2012-0158 and CVE-2014-1761. The first was patched in 2012, while the latter was discovered this past March, after being spotted via in-the-wild attacks, and patched in April.
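A mail-gateway triage check for the delivery method described above (RTF content arriving under a Word file name, carrying embedded OLE objects), written here as an added example; it is not code from the Blue Coat or Kaspersky Lab reports, and the sample attachment bytes and file name are constructed, not a real lure.

```python
import binascii
import re

RTF_MAGIC = b"{\\rtf"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # OLE2 compound-file header
OBJDATA_RE = re.compile(rb"\\objdata\b\s*([0-9A-Fa-f\s]+)")

# Constructed sample (not a real lure): RTF bytes saved under a .doc name, with one
# embedded OLE object whose hex payload contains a compound-file header.
SAMPLE_NAME = "Q4_results.doc"
SAMPLE_DATA = (b"{\\rtf1\\ansi\\deff0 Quarterly results attached.\\par "
               b"{\\object\\objemb{\\*\\objclass Package}{\\*\\objdata "
               b"01050000 02000000 " + binascii.hexlify(OLE_MAGIC) +
               b" 0000000000000000}}}")

def extract_objdata(data):
    """Decode every \\objdata hex run into raw bytes (an odd trailing nibble is dropped)."""
    blobs = []
    for m in OBJDATA_RE.finditer(data):
        hexstr = re.sub(rb"\s+", b"", m.group(1))
        hexstr = hexstr[: len(hexstr) - len(hexstr) % 2]
        if hexstr:
            blobs.append(binascii.unhexlify(hexstr))
    return blobs

def triage_attachment(filename, data):
    """Return a list of findings for one mail attachment (empty list = nothing to report)."""
    findings = []
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if not data.lstrip().startswith(RTF_MAGIC):
        return findings                      # only RTF content is examined here
    # Word opens RTF regardless of extension, so a .doc name over RTF bytes is worth a flag
    if ext != "rtf":
        findings.append("rtf-content-with-%s-extension" % (ext or "no"))
    for blob in extract_objdata(data):
        # OLE1 wrapper comes first; the compound-file header sits inside the payload
        if OLE_MAGIC in blob:
            findings.append("embedded-ole-object:%d-bytes" % len(blob))
        else:
            findings.append("embedded-object-unknown:%d-bytes" % len(blob))
    return findings
```

Feed each attachment's bytes and file name to `triage_attachment`; any non-empty result is a candidate for sandboxing before delivery.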

Blue Coat says the malware collects information from the infected system - including Windows version, computer name, username, running processes, system and drive names - and "phones home" to a CloudMe account, sending data in encrypted form via WebDAV, which is a file protocol designed to facilitate collaborating on - and managing - online documents. "This hides the identity of the attacker and may bypass many current detection mechanisms," Blue Coat says. It adds that the malware can also receive modules that give it additional capabilities, but these modules typically run in memory and disappear when the PC is rebooted, apparently to make them more difficult to spot.
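The download/decrypt/upload loop over WebDAV described in the two passages above leaves a traffic shape a proxy can see even when the content is encrypted. The detection below is an added example, not code from either report; the proxy log lines and the cloud-storage host names are constructed placeholders, and the cadence and method thresholds are assumptions to tune per environment.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed proxy log lines (not from either report); host names are placeholders.
SAMPLE_LOG = """\
2014-12-10T09:00:03Z 10.1.4.22 PROPFIND dav.cloud-storage.example /u/ Microsoft-WebDAV-MiniRedir/6.1
2014-12-10T09:00:04Z 10.1.4.22 GET dav.cloud-storage.example /u/task.bin Microsoft-WebDAV-MiniRedir/6.1
2014-12-10T09:00:05Z 10.1.4.22 PUT dav.cloud-storage.example /u/r1 Microsoft-WebDAV-MiniRedir/6.1
2014-12-10T09:15:02Z 10.1.4.22 PROPFIND dav.cloud-storage.example /u/ Microsoft-WebDAV-MiniRedir/6.1
2014-12-10T09:15:04Z 10.1.4.22 PUT dav.cloud-storage.example /u/r2 Microsoft-WebDAV-MiniRedir/6.1
2014-12-10T09:30:01Z 10.1.4.22 PROPFIND dav.cloud-storage.example /u/ Microsoft-WebDAV-MiniRedir/6.1
2014-12-10T11:02:44Z 10.1.4.31 GET www.cloud-storage.example /login Mozilla/5.0
2014-12-10T11:03:10Z 10.1.4.31 PUT dav.cloud-storage.example /u/photo.jpg Mozilla/5.0
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (.+)$")

def parse(log_text):
    """Yield (timestamp, client, method, host, path, user_agent) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        yield (ts,) + m.groups()[1:]

def find_beacons(log_text, min_polls=3, max_jitter=0.2):
    """Return {(client, host): poll_count} for clients that PROPFIND a host at a steady
    interval and also PUT data to it: the poll-for-tasking, upload-reply loop."""
    polls = defaultdict(list)
    puts = defaultdict(int)
    for ts, client, method, host, _path, _ua in parse(log_text):
        if method == "PROPFIND":
            polls[(client, host)].append(ts)
        elif method == "PUT":
            puts[(client, host)] += 1
    flagged = {}
    for key, times in polls.items():
        if len(times) < min_polls or puts[key] == 0:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = sum(gaps) / len(gaps)
        # steady cadence: every gap within max_jitter of the mean gap
        if mean > 0 and all(abs(g - mean) / mean <= max_jitter for g in gaps):
            flagged[key] = len(times)
    return flagged
```

A user saving a file through the web client (the second host above) never shows the PROPFIND cadence and is not flagged; a single WebDAV PUT on its own is normal traffic.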

Clues, or False Flags?

The attackers' tactics - and technologies - appear designed for maximum obfuscation. "The operational security exhibited by the attackers is among the most advanced that Blue Coat has witnessed," the firm says in its report. "Most interaction between attackers and their infrastructure is performed via a convoluted network of router proxies and rented hosts, most likely compromised because of poor configurations or default credentials."

Attempts to attribute the attacks to a specific gang or nation state are "exceedingly difficult," Blue Coat says, because the attackers appear to have purposefully left at least some clues that are designed to confuse related investigations. These potential red herrings include:

  • The malware drops components previously seen used in China-backed APT attacks;
  • Attacks have been routed via numerous hacked home routers in South Korea;
  • The Android malware includes Hindi comments, pointing to Indian involvement, but there are Arabic text strings in the group's BlackBerry malware;
  • The Word phishing documents have similarities to documents used by the "Red October" APT gang, which some security experts suspect was backed by Russia or the Ukraine.

More To Come?

Whoever is behind the APT campaign, researchers say that follow-on attacks remain likely. "The comprehensive infrastructure suggests that this is a large campaign, of which we've only seen the beginning," the Blue Coat researchers say. "While the majority of the targets seem to be located in Russia or related to Russian interests, there are verified targets in countries all over the world, and the attack could potentially expand globally."

About the Author

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.
