Kaspersky Labs has published a deep-level technical analysis of how Rocra, as it’s known, infiltrated computer networks at diplomatic, governmental and scientific research organizations globally. The report follows the firm’s initial report, covering the anatomy of the attack, the timeline of the attacker’s operation, the geographical distribution of the victims, sinkhole information and a high-level overview of the command-and-control infrastructure.
Kaspersky set up several fake victims around the world and monitored how the attackers handled them over the course of several months, allowing it to collect hundreds of attack modules and tools. The deeper analysis revealed that, as with many malware campaigns, infiltration begins with spear-phishing emails that are sent to the prospective victims. The emails contain an attachment that is either an Excel or Word document, with enticing names. Once the links are clicked, the files execute their payloads, exploiting a variety of vulnerabilities to open the attacked systems to a variety of modules that execute an elaborate second stage of the attack.
During the second stage, a variety of malware modules carry out both persistent-state or one-time functions, all geared toward stripping bare every last shred of potentially compromising information from the attacked machines:
Persistent tasks include:
- Once a USB drive is connected, search and extract files by mask/format, including deleted files. Deleted files are restored using a built in file system parser
- Wait for an iPhone or a Nokia phone to be connected. Once connected, retrieve information about the phone, its phone book, contact list, call history, calendar, SMS messages, browsing history
- Wait for a Windows Mobile phone to be connected. Once connected, infect the phone with a mobile version of the Sputnik main component
- Wait for a specially crafted Microsoft Office or PDF document and execute a malicious payload embedded in that document, implementing a one-way covert channel of communication that can be used to restore control of the infected machine
- Record all the keystrokes, make screenshots
- Execute additional encrypted modules according to a pre-defined schedule
- Retrieve e-mail messages and attachments from Microsoft Outlook and from reachable mail servers using previously obtained credentials
One-time tasks include:
- Collect general software and hardware environment information
- Collect filesystem and network share information, build directory listings, search and retrieve files by mask provided by the C&C server
- Collect information about installed software, most notably Oracle DB, RAdmin, IM software including Mail.Ru agent, drivers and software for Windows Mobile, Nokia, SonyEricsson, HTC, Android phones, USB drives
- Extract browsing history from Chrome, Firefox, Internet Explorer, Opera
- Extract saved passwords for Web sites, FTP servers, mail and IM accounts
- Extract Windows account hashes, most likely for offline cracking
- Extract Outlook account information
- Determine the external IP address of the infected machine
- Download files from FTP servers that are reachable from the infected machine (including those that are connected to its local network) using previously obtained credentials
- Write and/or execute arbitrary code provided within the task
- Perform a network scan, dump configuration data from Cisco devices if available
- Perform a network scan within a predefined range and replicate to vulnerable machines using the MS08-067 vulnerability
- Replicate via network using previously obtained administrative credential
Kaspersky’s in-depth full report can be downloaded, in all its 140-page glory.
“According to our knowledge, never before in the history of ITSec has an cyber-espionage operation been analyzed in such deep detail, with a focus on the modules used for attack and data exfiltration,” the firm said in its blog. “In most cases, the analysis is compromised by the lack of access to the victim’s data; the researchers see only some of the modules and do not understand the full purpose of the attack or what was stolen.”