Red October cyber-espionage malware uses MS Office exploits (Jan 18, 2013)


The Dell Sonicwall Threats research team received reports of malware that has targeted international diplomatic service agencies. The malware named Red October is part of a large scale cyber-espionage network that has been in existence since 2007. It is designed to steal sensitive information from infected systems. The malware uses GAV: CVE-2012-0158 (Exploit) and GAV: CVE-2010-3333 (Exploit) that exploit known vulnerabilities in unpatched versions of Microsoft Word and Excel. There have also been reports of the malware using Java vulnerabilities: GAV: CVE-2011-3544 (Exploit). It is reported that the Trojan is spread via email and uses infected Word and Excel files.

Infection cycle:

The file containing the exploit may be a legitimate but infected Word or Excel file. In this case it was an Excel file:

After the exploit has run successfully it will cause Excel to display a spreadsheet containing fake corporate data in order to thwart suspicion:

The Trojan adds the following keys to the windows registry:

  • HKEY_CURRENT_USERSoftwareMicrosoftWindows NTCurrentVersionWinlogon Userinit “%WINDIR%system32userinit.exe,%PROGRAMFILES%Windows NTsvchost.exe”
  • HKEY_LOCAL_MACHINESOFTWAREClassesCLSID{00000000-6948-B838-A1A0-B0132CCF0BA1} @ “D74C3FB1”
  • HKEY_LOCAL_MACHINESOFTWAREClassesCLSID{00000000-7657-A727-BEBF-AF0C33D014BE} @ “C85320AE”

The Trojan adds the following files to the filesystem:

  • %PROGRAMFILES%Windows NTlhafd.gcp
  • %PROGRAMFILES%Windows NTsvchost.exe [Detected as GAV: Rocra.A (Trojan)]
  • %TEMP%msc.bat
  • %TEMP%Dsc.tmp [Detected as GAV: Kolab.ABVR (Worm)]

msc.bat contains the following post-infection clean up code:

      chcp 1251
      attrib -a -s -h -r "%TEMP%Dcs.tmp"
      del "%TEMP%Dcs.tmp"
      if exist "%TEMP%Dcs.tmp" goto Repeat
      del "%TEMP%msc.bat"

The chcp command suggests that the malware is Russian in origin. 1251 is the ANSI codepage for Cyrillic.

The Trojan was observed querying to verify internet connectivity:

The Trojan was observed using the CreateEvent API in order to be alerted of various system events:

The Trojan steals information from the following web browsers:

  • Google Chrome
  • Mozilla Firefox
  • Internet Explorer
  • Opera

We observed the Trojan reading data from files written by Firefox that we had installed on the system:

It is widely reported that the Trojan contains the ability to update and add modules from a remote Command & Control server.

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Exploit.CVE-2012-0158 (Exploit)
  • GAV: Exploit.CVE-2010-3333 (Exploit)
  • GAV: Exploit.CVE-2011-3544 (Exploit)
  • GAV: Kolab.ABVR (Worm)
  • GAV: Rocra.A (Trojan)
Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.