Symantec Protections for Red October

An advanced cyber-espionage network targeting high-profile organizations and governments has recently been unveiled. The main attack method being used in this campaign is spear phishing.

The spear phishing emails contain Word document or Excel spreadsheet attachments that exploit three known vulnerabilities in order to compromise computers. The vulnerabilities used are:

Another attack method exploits the Oracle Java SE Rhino Script Engine Remote Code Execution Vulnerability (CVE-2011-3544) and is detected as the following:

This exploit is also blocked by our Intrusion Prevention Signatures:

Initially, samples of this malware were being detected as Backdoor.Trojan. We have since broken out the following additional specific detections:

Figure 1. Backdoor.Rocra distribution
 

Figure 2. Backdoor.Rocra targets
 

Below is an example of a spear phishing email associated with this campaign and blocked by Symantec Mail Security for Microsoft Exchange:
 

Figure 3. Backdoor.Rocra spear phishing email with attachment
 

Figure 4. Backdoor.Rocra malicious spear phishing attachment
 

This is not the first time that a high-profile attack campaign has used spear phishing emails and, as a popular method, it likely will not be the last. However, we are now seeing increased adoption of watering hole attacks in campaigns, in which attackers compromise certain websites likely to be visited by the target organization. For more information on watering hole attacks, read our paper on The Elderwood Project.

We advise users to ensure that operating systems and software are up to date and to avoid clicking on suspicious links and opening suspicious email attachments.

If you want to read more about the Red October campaign, Kaspersky has released a paper entitled "Red October" Diplomatic Cyber Attacks Investigation.