Kaspersky Labs Uncover Java Exploit in the Red October Malware
The investigating agency Kaspersky Labs uncovered in mid January that the Red October attackers used the Rhino exploit in Java as an additional delivery vector.
Red October ("Rocra"), a five year malware campaign named after the novel "The Hunt for Red October", is still active. It has successfully infiltrated the computer networks and mobile devices of the diplomatic, governmental and scientific research organizations in 39 countries. It steals highly sensitive information such as geopolitical data and intelligence from the infected network systems.
Kaspersky Labs has published a detailed analysis of the Java delivery vector. Their researchers have uncovered that the attackers exploit the Java vulnerability -- the Rhino exploit. It is a flaw in Java runtime that allows untrusted Java Web Start applications and untrusted applets to execute malicious scripts. The attackers' modus operandi sends e-mails with an embedded link directing the potential victims to a specially crafted PHP page. The Kaspersky Labs' report explains that the attack involves three stages. In the first stage, the PHP script on Rocra's server encrypts a URL to feed it off to a Java applet. The applet itself contains the decryption key and constructs the URL through which a downloader executable is written to the victim's disk and run there.
In the second and third stages of the attack, the downloaded module manipulates Windows registry values and establishes connection through another downloaded module for posting HTTP requests to the attackers' Command-and-Control (C&C) servers at frequent regular intervals.
The seculert blog says that "The JAR file of the Java exploit was compiled in February 2012, even though the patch for the vulnerability was available as of October 2011, yet another example of attackers making use of known vulnerabilities.".
In October 2012, one of the Kaspersky Lab's partners (Kaspersky Labs did not disclose their name) pointed them to some spear phishing (a Phishing attempt directed at specific individuals or companies) and malware modules. Through their analysis, Kaspersky Labs observed that the sample malware modules manipulated vulnerabilities in Microsoft Word, Microsoft Excel, PDF and Java (through its Rhino exploit) leading the attackers to infect PCs, smartphones, and computer networking equipment. The file formats infected by the malware were extended to include .cer, .crt, .txt and several more.
The distinction between the Rocra malware and the previous malwares such as Aurora and Night Dragon is that Rocra is finely tuned based on the victim system's configuration, making it a lot more "personal" and thus more penetrating for information retrieval.
The Kaspersky Lab's vector analysis report mentions
However, it seems that this vector was not heavily used by the group. When we downloaded the php responsible for serving the '.jar' malcode archive, the line of code delivering the java exploit was commented out. ... the victim systems were running an outdated version of Java.
In the context of Java being increasingly targeted by malwares similar to Rocra, Oracle's recent announcement covered by InfoQ at "Oracle Will Stop Providing Security Updates for Java 6 Next Month" becomes of increasingly significant. The general advice though to keep your local Java install up-to-date, and disable Java in the browser until you need it, still holds.
Kaspersky Labs continues to monitor the situation on the Red October malware. The investigating agency group has also released a white paper explaining the detection and mitigation of the Red October threat.
Tom Gilb & Kai Gilb Jan 26, 2015