An advanced cyber-espionage network targeting high-profile organizations and governments has recently been unveiled. The main attack method being used in this campaign is spear phishing.
The spear phishing emails contain Word document or Excel spreadsheet attachments that exploit three known vulnerabilities in order to compromise computers. The vulnerabilities used are:
- Microsoft Excel 'FEATHEADER' Record Remote Code Execution Vulnerability (CVE-2009-3129) – MS Excel, detected as Bloodhound.Exploit.306
- Microsoft Office RTF File Stack Buffer Overflow Vulnerability (CVE-2010-3333) – MS Word, detected as Bloodhound.Exploit.366
- Microsoft Windows Common Controls ActiveX Control Remote Code Execution Vulnerability (CVE-2012-0158) – MS Word, detected as Bloodhound.Exploit.457
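The attachment profile above (Office documents and RTF files carrying known exploits, often sent under a misleading file name) can be turned into a simple mail-gateway triage check. The script below is an added example, not Symantec's detection logic or anything from the Red October analysis: it classifies each attachment by its leading bytes rather than its extension, flags name/content mismatches, and flags the RTF constructs that CVE-2010-3333 exploits rely on (the `pFragments` shape property) together with embedded OLE objects. The sample attachments, the `triage_attachment` helper and its verdict levels are constructed for illustration; the check does not parse the binary OLE container, so CVE-2009-3129 and CVE-2012-0158 payloads would still need a real OLE/ActiveX inspector.

```python
import os
import re

# Leading bytes (magic) for the attachment formats involved in these lures.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy binary .doc/.xls container
ZIP_MAGIC = b"PK\x03\x04"                         # OOXML (.docx/.xlsx) is a zip archive
RTF_MAGIC = b"{\\rtf"                             # RTF text, frequently sent as .doc

# Which extensions legitimately carry each container. Word happily opens RTF
# content named .doc, so that pairing is allowed rather than flagged.
ALLOWED_EXTS = {
    "ole2": {".doc", ".xls", ".ppt"},
    "ooxml": {".docx", ".xlsx", ".pptx"},
    "rtf": {".rtf", ".doc"},
}
OFFICE_EXTS = {".doc", ".xls", ".ppt", ".docx", ".xlsx", ".pptx", ".rtf"}

# RTF constructs worth flagging. The pFragments shape property is the path
# exercised by CVE-2010-3333 exploits; \objdata/\objclass mark embedded OLE
# objects, legitimate in some documents but rare in a plain letter.
RTF_CHECKS = [
    ("rtf-pfragments", re.compile(rb"\\sn\s*pFragments", re.IGNORECASE), "high"),
    ("rtf-embedded-object", re.compile(rb"\\objdata|\\objclass", re.IGNORECASE), "medium"),
]


def detect_container(data):
    """Classify an attachment by its leading bytes, ignoring the file name."""
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    if data.startswith(ZIP_MAGIC):
        return "ooxml"
    if data.lstrip().startswith(RTF_MAGIC):
        return "rtf"
    return "unknown"


def triage_attachment(filename, data):
    """Return (verdict, findings) for one attachment.

    verdict is "block" when a high-severity indicator fires, "review" for
    medium ones (including a name/content mismatch) and "pass" otherwise.
    Each finding is a (check name, detail, severity) tuple.
    """
    findings = []
    container = detect_container(data)
    ext = os.path.splitext(filename)[1].lower()

    # An Office extension wrapping a different (or unrecognised) format is a
    # common lure trick and deserves a human look even without an exploit hit.
    if ext in OFFICE_EXTS and ext not in ALLOWED_EXTS.get(container, set()):
        findings.append(("ext-mismatch", f"{ext} file is really {container}", "medium"))

    if container == "rtf":
        for name, pattern, severity in RTF_CHECKS:
            if pattern.search(data):
                findings.append((name, "matched " + pattern.pattern.decode(), severity))

    severities = {sev for _, _, sev in findings}
    if "high" in severities:
        verdict = "block"
    elif "medium" in severities:
        verdict = "review"
    else:
        verdict = "pass"
    return verdict, findings


# Constructed sample attachments (not captured files from the campaign).
SAMPLES = {
    "agenda.docx": ZIP_MAGIC + b"\x14\x00\x00\x00[Content_Types].xml",
    "minutes.doc": OLE2_MAGIC + b"\x00" * 24,
    # RTF lure sent as .doc with a pFragments shape property.
    "invitation.doc": b"{\\rtf1\\ansi{\\shp{\\*\\shpinst{\\sp{\\sn pFragments}{\\sv 9;2;ffff}}}}}",
    # Spreadsheet by name, RTF by content.
    "budget.xls": b"{\\rtf1\\ansi Hello}",
}


def triage_all(samples=SAMPLES):
    """Verdict per sample name, for a quick overview of the rules above."""
    return {name: triage_attachment(name, data)[0] for name, data in samples.items()}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        verdict, findings = triage_attachment(name, data)
        print(f"{name:16} {verdict:7} {[f[0] for f in findings]}")
```

In practice the `ext-mismatch` rule is the one that pays off most often: a mail gateway that trusts the extension will route an RTF exploit named `.doc` straight into Word, while content-based classification catches it before any signature is needed.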
Another attack method exploits the Oracle Java SE Rhino Script Engine Remote Code Execution Vulnerability (CVE-2011-3544) and is detected as the following:
This exploit is also blocked by our Intrusion Prevention Signatures:
- Web Attack: Oracle Java Rhino Script Engine CVE-2011-3544
- Web Attack: Oracle Java Rhino Script Engine CVE-2011-3544 3
Initially, samples of this malware were being detected as Backdoor.Trojan. We have since broken out the following additional specific detections:
Figure 1. Backdoor.Rocra distribution
Figure 2. Backdoor.Rocra targets
Below is an example of a spear phishing email associated with this campaign and blocked by Symantec Mail Security for Microsoft Exchange:
Figure 3. Backdoor.Rocra spear phishing email with attachment
Figure 4. Backdoor.Rocra malicious spear phishing attachment
This is not the first time that a high-profile attack campaign has used spear phishing emails and, as a popular method, it likely will not be the last. However, we are now seeing increased use of watering hole attacks in campaigns, where the attackers compromise websites that staff of the target organization are likely to visit. For more information on watering hole attacks, read our paper on The Elderwood Project.
We advise users to ensure that operating systems and software are up to date, in particular by applying the vendor patches for the vulnerabilities listed above, and to avoid clicking on suspicious links and opening suspicious email attachments.
If you want to read more about the Red October campaign, Kaspersky has released a paper entitled "Red October" Diplomatic Cyber Attacks Investigation.