# “Red October” – Part Two, the Modules **securelist.com/red-october-part-two-the-modules/57645** [Incidents](https://securelist.com/category/incidents/) [Incidents](https://securelist.com/category/incidents/) 17 Jan 2013 minute read ----- Authors GReAT Earlier this week, we published our report on “Red October”, a high-level cyber-espionage campaign that during the past five years has successfully infiltrated computer networks at diplomatic, governmental and scientific research organizations. In [part one, we covered the most important parts of the campaign: the anatomy of the attack,](https://securelist.com/the-red-october-campaign/57647/) a timeline of the attacker’s operation, the geographical distribution of the victims, sinkhole information and presented a high level overview of the C&C infrastructure. Today we are publishing part two of our research, which comprises over 140 pages of technical analysis of the modules used in the operation. When analyzing targeted attacks, sometimes researchers focus on the superficial system infection and how that occurred. Sometimes, that is sufficient, but in the case of Kaspersky Lab, we have higher standards. This is why our philosophy is that it’s important to analyze not just the infection, but to answer three very important questions: What happens to the victim after they’re infected? What information is being stolen? Why is “Red October” such a big deal compared to other campaigns like Aurora or Night Dragon? ----- According to our knowledge, never before in the history of ITSec has an cyber-espionage operation been analyzed in such deep detail, with a focus on the modules used for attack and data exfiltration. In most cases, the analysis is compromised by the lack of access to the victim’s data; the researchers see only some of the modules and do not understand the full purpose of the attack or what was stolen. To get around these hiccups, we set up several fake victims around the world and monitored how the attackers handled them over the course of several months. This allowed us to collect hundreds of attack modules and tools. In addition to these, we identified many other modules used in other attacks, which allowed us to gain a unique insight into the attack. ----- The research that we are publishing today is perhaps the biggest malware research paper ever. It is certainly the most complex malware research effort in the history of our company and we hope that it sets new standards for what anti-virus and anti-malware research means today. Because of its size, we’ve split “part 2” in several pieces, to make reading easier: ----- ## First stage of attack 1. [Exploits](https://securelist.com/red-october-detailed-malware-description-1-first-stage-of-attack/36830/) 2. [Dropper](https://securelist.com/red-october-detailed-malware-description-1-first-stage-of-attack/36830/) 3. [Loader Module](https://securelist.com/red-october-detailed-malware-description-1-first-stage-of-attack/36830/) 4. [Main component](https://securelist.com/red-october-detailed-malware-description-1-first-stage-of-attack/36830/) ## Second stage of attack 1. [Modules, general overview](https://securelist.com/red-october-detailed-malware-description-2-second-stage-of-attack/36842/) 2. [Recon group](https://securelist.com/red-october-detailed-malware-description-2-second-stage-of-attack/36842/) 3. [Password group](https://securelist.com/red-october-detailed-malware-description-3-second-stage-of-attack/36802/) 4. [Email group](https://securelist.com/red-october-detailed-malware-description-3-second-stage-of-attack/36802/) 5. [USB drive group](https://securelist.com/red-october-detailed-malware-description-3-second-stage-of-attack/36802/) 6. [Keyboard group](https://securelist.com/red-october-detailed-malware-description-3-second-stage-of-attack/36802/) 7. [Persistence group](https://securelist.com/red-october-detailed-malware-description-4-second-stage-of-attack/36884/) 8. [Spreading group](https://securelist.com/red-october-detailed-malware-description-4-second-stage-of-attack/36884/) 9. [Mobile group](https://securelist.com/red-october-detailed-malware-description-5-second-stage-of-attack/36879/) 10. [Exfiltration group](https://securelist.com/red-october-detailed-malware-description-5-second-stage-of-attack/36879/) [Malware Descriptions](https://securelist.com/tag/malware-descriptions/) [Microsoft](https://securelist.com/tag/microsoft/) [Microsoft Windows](https://securelist.com/tag/microsoft-windows/) [Mobile Malware](https://securelist.com/tag/mobile-malware/) [Spear phishing](https://securelist.com/tag/spear-phishing/) [Targeted attacks](https://securelist.com/tag/targeted-attacks/) Authors GReAT “Red October” – Part Two, the Modules Your email address will not be published. Required fields are marked * GReAT webinars 13 May 2021, 1:00pm ### GReAT Ideas. Balalaika Edition ----- 26 Feb 2021, 12:00pm 17 Jun 2020, 1:00pm 26 Aug 2020, 2:00pm 22 Jul 2020, 2:00pm From the same authors ### APT trends report Q2 2021 ----- ### Arrests of members of Tetrade seed groups Grandoreiro and Melcoz Ferocious Kitten: 6 years of covert surveillance in Iran Bizarro banking Trojan expands its attacks to Europe ----- ### APT trends report Q1 2021 Subscribe to our weekly e-mails The hottest research right in your inbox ----- Reports ### Kimsuky’s GoldDragon cluster and its C2 operations Kimsuky (also known as Thallium, Black Banshee and Velvet Chollima) is a prolific and active threat actor primarily targeting Korea-related entities. In early 2022, we observed this group was attacking the media and a think-tank in South Korea. ### VileRAT: DeathStalker’s continuous strike at foreign and cryptocurrency exchanges VileRAT is a Python implant, part of an evasive and highly intricate attack campaign against foreign exchange and cryptocurrency trading companies. ### Andariel deploys DTrack and Maui ransomware Earlier, the CISA published an alert related to a Stairwell report, “Maui Ransomware.” Our data should openly help solidify the attribution of the Maui ransomware incident to the Korean-speaking APT Andariel, also known as Silent Chollima and Stonefly. ----- ### Targeted attack on industrial enterprises and public institutions Kaspersky ICS CERT experts detected a wave of targeted attacks in several East European countries, as well as Afghanistan. Of the six backdoors identified on infected systems, five have been used earlier in attacks attributed to APT TA428. Subscribe to our weekly e-mails The hottest research right in your inbox ----- -----