"Operation Red October" – The Java Angle


Yesterday, Kaspersky Labs (KL) revealed a cyber espionage operation dubbed “Red October”. According to the report, KL identified several hundred infections worldwide, primarily affecting government networks and diplomatic institutions located in Eastern Europe. As part of the operation, attackers sent spear phishing emails with an attached document. When opened, the documents exploited known vulnerabilities and silently installed the malware.

After investigating the Command-and-Control (C2) servers used in the “Red October” campaign, Seculert identified a special folder used by the attackers for an additional attack vector. In this vector, the attackers sent an email with an embedded link to a specially crafted PHP web page (Figure 1). This webpage exploited a vulnerability in Java (CVE-2011-3544), and in the background downloaded and executed the malware automatically.


Figure 1: “Red October” web page exploiting Java vulnerability

The JAR file of the Java exploit was compiled in February 2012, even though the patch for the vulnerability had been available since October 2011: yet another example of attackers making use of known, already-patched vulnerabilities.

While the attack using Java occurred around February 2012, sometime between then and now the attackers have moved from PHP to CGI as their server-side scripting engine. As described in the KL report, the malware now communicates with the Command-and-Control servers through server-side scripts under the “cgi-bin” directory.

Unfortunately for the attackers, after moving their server-side engine to CGI, accessing the PHP exploit web pages now displays the server-side source code instead of rendering the exploit (Figure 2). This allowed us to take a sneak peek at the “behind the scenes” of their operation.


Figure 2: “Red October” server-side PHP code

The server-side source code of the exploit (Figure 3) reveals that the malware payload URL is encoded before it is passed to the Java applet. When the client is exploited, the URL is decoded and the malware is downloaded. In addition, the code logs each visitor's details to a log file.

Looking at the server side source code of the malware payload page (Figure 4), we can see that the attackers are adding a fingerprint at the end of the malware executable, which includes the unique identifier of the targeted victim. This is the same unique identifier which is used by the malware later on while communicating with the C2 servers.


Figure 3: “Red October” code serving Java exploit

Figure 4: “Red October” payload server-side code with a unique fingerprint
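A per-victim fingerprint appended to the end of an executable has a practical consequence for defenders: every victim receives a byte-for-byte different file, so whole-file hash IoCs do not match across victims. The example below, added here and not code from Seculert or from the “Red October” operators, shows the effect on a constructed sample. It builds a synthetic, deliberately non-runnable PE image, appends a placeholder tag (the real fingerprint layout is not described on this page and is not reproduced), and then locates the appended data as a PE overlay (bytes past the end of the last section) so that the image body can be hashed independently of the trailer. The tag prefix `FP:` and the `victim-0001` identifiers are made up for the demonstration.

```python
"""Added example: per-victim trailers as PE overlay, and hashing the body without them.
Everything here is constructed; nothing is taken from the real Red October samples."""
import hashlib
import struct


def build_minimal_pe(section_data: bytes) -> bytes:
    """Construct a tiny synthetic PE32 image with a single section.

    Only the header fields needed to locate the end of the last section are
    filled in; the image is a test artefact and is not executable."""
    e_lfanew = 0x40
    section_offset = 0x200
    raw_size = (len(section_data) + 0x1FF) // 0x200 * 0x200
    # DOS header: "MZ" signature, e_lfanew stored at offset 0x3C
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # COFF header: Machine=i386, 1 section, no timestamp/symbols,
    # SizeOfOptionalHeader=224 (PE32), Characteristics=EXECUTABLE_IMAGE
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)
    # Optional header: PE32 magic followed by zero padding to 224 bytes
    optional = struct.pack("<H", 0x10B) + b"\0" * 222
    # Section header (40 bytes): Name, VirtualSize, VirtualAddress, SizeOfRawData,
    # PointerToRawData, reloc/line-number pointers and counts, Characteristics
    section = b".text\0\0\0" + struct.pack(
        "<IIIIIIHHI", len(section_data), 0x1000, raw_size, section_offset,
        0, 0, 0, 0, 0x60000020)
    headers = (dos + b"PE\0\0" + coff + optional + section).ljust(section_offset, b"\0")
    return headers + section_data.ljust(raw_size, b"\0")


def overlay_offset(pe: bytes) -> int:
    """Return the file offset where the last section's raw data ends.

    Anything after this offset is overlay: appended bytes the PE loader never
    maps, which is where an appended fingerprint ends up."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_opt = struct.unpack_from("<H", pe, coff + 16)[0]
    first_section = coff + 20 + size_opt
    end = 0
    for i in range(num_sections):
        hdr = first_section + 40 * i
        raw_size, raw_ptr = struct.unpack_from("<II", pe, hdr + 16)
        end = max(end, raw_ptr + raw_size)
    return end


def split_overlay(pe: bytes) -> tuple:
    """Split a PE file into (image body, overlay)."""
    off = overlay_offset(pe)
    return pe[:off], pe[off:]


def file_sha256(data: bytes) -> str:
    """Whole-file hash: differs for every victim once a trailer is appended."""
    return hashlib.sha256(data).hexdigest()


def body_sha256(pe: bytes) -> str:
    """Hash of the image without its overlay: stable across per-victim variants."""
    return file_sha256(split_overlay(pe)[0])


def serve_with_fingerprint(base_pe: bytes, victim_id: str) -> bytes:
    """Mimic the behaviour described above: append a per-victim tag to the payload.
    The 'FP:' layout is a placeholder, not the real fingerprint format."""
    return base_pe + b"FP:" + victim_id.encode()


# Constructed stand-in for a payload and two per-victim copies of it
BASE = build_minimal_pe(b"\xCC" * 100)
SAMPLE_A = serve_with_fingerprint(BASE, "victim-0001")
SAMPLE_B = serve_with_fingerprint(BASE, "victim-0002")

if __name__ == "__main__":
    for name, sample in (("A", SAMPLE_A), ("B", SAMPLE_B)):
        body, overlay = split_overlay(sample)
        print(name, "file:", file_sha256(sample)[:16], "body:", body_sha256(sample)[:16],
              "overlay:", overlay)
```

Running the block prints two different whole-file hashes but the same body hash, with the trailer recovered from each sample. In practice the same overlay split is what tools such as `pefile` expose; the point for detection engineering is to key IoCs on the image body (or on section hashes) rather than on the hash of the file as served, and to treat a non-empty overlay carrying an identifier as a pivot for tracking which victim a recovered sample belonged to.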

And finally, the Java exploit campaign seems to include a “news theme”. From the “We Can Find All News!” page title (Figure 1), through the Java JAR and class name and all the way to the malware payload URL (Figure 2). Similarly, Flame was another APT campaign which also included a news theme, with its “NewsForYou” server side control handler. But, this could just be a coincidence. Or, is it?




  1. Shahar

    Seems the fingerprinting scheme allows us to identify exact infection time given the string.
    Also, part of it is created by the deduction of 1312000000 from current (epoch) time, which implies this fingerprinting scheme came into effect not before July 30th, 2011.
    btw, KL’s Victim ID looks utterly different, explanation?

