The main purpose of the Rocra operation appears to be the gathering of classified information and geopolitical intelligence. During the past five years, the attackers have collected information from hundreds of high-profile victims, on mobile devices, computer systems, removable files and other network equipment in a variety of locations in Eastern Europe, former USSR states and countries in Central Asia, but also in Western Europe and North America.
As for the perpetrators, Kaspersky said the evidence suggests a collaborative effort. The exploits appear to have been created by Chinese hackers, while the malware modules have been created by Russian-speaking operatives.
However, “there is no evidence linking this with a nation-state sponsored attack,” Kaspersky said. “The information stolen by the attackers is obviously of the highest level and includes geopolitical data which can be used by nation states. Such information could be traded in the underground [black market] and sold to the highest bidder, which can be, of course, anywhere.”
In terms of Rocra’s architecture, Kaspersky has uncovered more than 1,000 modules belonging to 30 different categories, with the most recent being compiled on Jan. 8, 2013. To control the network of infected machines, the attackers created more than 60 domain names and several server hosting locations in different countries (mainly in Germany and Russia). Kaspersky found that the command-and-control infrastructure is actually a chain of servers working as proxies, hiding the location of the true mothership.
“Registration data used for the purchase of C&C domain names and PE timestamps from collected executables suggest that these attacks date as far back as May 2007,” Kaspersky said.
The attack is made up of spear-phishing, malware installation and exploits. The main malware body acts as a point of entry into the system that can later download modules used for lateral movement. After initial infection, the malware won't propagate by itself – typically, the attackers would gather information about the network for a few days, identify key systems and then deploy modules that can compromise other computers in the network, for instance, by using the MS08-067 exploit.
“We have observed the use of at least three different exploits for previously known vulnerabilities: CVE-2009-3129 (MS Excel), CVE-2010-3333 (MS Word) and CVE-2012-0158 (MS Word),” Kaspersky explained. “The earliest known attacks used the exploit for MS Excel and took place in 2010 and 2011, while attacks targeting the MS Word vulnerabilities appeared in the summer of 2012.”
Some of Rocra’s commands include:
- Once a USB drive is connected, it searches and extracts files by mask/format, including deleted files. Deleted files are restored using a built-in file system parser
- Wait for an iPhone or a Nokia phone to be connected. Once connected, retrieve information about the phone, its phone book, contact list, call history, calendar, SMS messages, and browsing history
- Wait for a Windows Mobile phone to be connected. Once connected, infect the phone with a mobile version of the Rocra main component
- Wait for a specially crafted Microsoft Office or PDF document and execute a malicious payload embedded in that document, implementing a one-way covert channel of communication that can be used to restore control of the infected machine
- Record all keystrokes, make screenshots
- Execute additional encrypted modules according to a pre-defined schedule
- Retrieve e-mail messages and attachments from Microsoft Outlook and from reachable mail servers using previously obtained credentials
Incidentally, the exploits from the documents used in spear phishing were created by other attackers and employed during different cyber attacks against Tibetan activists, as well as military and energy sector targets in Asia. The only thing that was changed is the executable that was embedded in the document; the attackers replaced it with their own code.
The security firm also found that information harvested from infected networks is reused in later attacks. “For example, stolen credentials were compiled in a list and used when the attackers needed to guess passwords and network credentials in other locations,” it said.
Kaspersky plans to release a thorough forensic report later in the week.