The following picture clearly shows how the targeted attack happens in the Red October campaign.

#### Microsoft Document Exploitation (CVE-2012-0158, CVE-2010-3333, CVE-2009-3129)

The phishing email contains an attachment with the malicious Office document. When opened, this file exploits one of the above-mentioned vulnerabilities and drops the payload file "msmx21.exe".

#### Payload Information

After successful exploitation of the vulnerability, the embedded executable file (msmx21.exe) is dropped in the %Temp% folder. msmx21.exe creates and executes the following files:

- %Temp%\msc.bat
- %ProgramFiles%\Windows NT\svchost.exe
- %ProgramFiles%\Windows NT\wsdktr.ltp (encrypted payload) -> random name

The use of "chcp 1251" in the batch file switches the code page of the infected system so that it can handle Cyrillic characters. This might suggest that the attack either originates from Russia or was also targeted at government agencies in Russia.

Svchost.exe is an installer component that decrypts and loads the main backdoor (wsdktr.ltp). It connects to the following Microsoft hosts to check for a live Internet connection:

- update.microsoft.com
- www.microsoft.com
- support.microsoft.com

wsdktr.ltp is an encrypted executable file (a UPX-packed DLL) that is decrypted and loaded into memory by svchost.exe.

[Figures: encrypted wsdktr.ltp file; decrypted file]

The following domains are used for C&C:

- nt-windows-online.com
- nt-windows-update.com
- nt-windows-check.com
- csrss-check-new.com

#### Exploitation Using Java (CVE-2011-3544)

In the Java Rhino Script Engine vulnerability, the security manager is disabled during JavaScript execution, which grants full permissions on the system for the duration of that execution. When the user clicks the link that arrived in the spam mail, the exploit is triggered on the vulnerable system.
The downloaded payload creates and executes the following files:

- %Temp%\tmp42e76b5f.bat -> random name
- %Application Data%\Keucot\qagi.exe -> random name
- %Application Data%\Okurp\dezaa.ufy -> random name (encrypted content)

The batch file has the following content:

The following debugged code shows the batch file being created during execution:

The following domains are used for C&C:

activities in the targeted browsers (Chrome, Firefox, Safari, and IE).

### Restart Mechanism

#### Description

The following registry entry enables the Trojan to execute every time Windows starts:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

- "Userinit" = "C:\WINDOWS\system32\userinit.exe,"
- "Userinit" = "C:\WINDOWS\system32\userinit.exe, C:\Program Files\Windows NT\svchost.exe"

Settings\Home\Application Data\Keucot\qagi.exe"

#### Mitigation

Users are requested to exercise caution when opening unsolicited emails and unknown links. Users are advised to apply Windows and third-party application security patches and update virus definitions on a regular basis, and to have proper filtering rules in place.

- Use Access Protection rules to prevent access to such run keys.
- Keep your anti-virus updated.
- Keep software up to date with the latest available patches.
- Use your firewall to monitor unusual traffic.
- Disable AutoPlay to prevent the automatic launching of executable files on network and removable drives.
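The persistence described under Restart Mechanism is easy to audit: a clean Winlogon "Userinit" value holds only the stock userinit.exe, so any additional launcher (here the svchost.exe copy dropped under %ProgramFiles%\Windows NT) stands out. The following script is an added example written for this advisory, not McAfee's code; the sample values are constructed from the paths the advisory lists, and the live-registry read assumes the `winreg` module (Windows only).

```python
r"""Audit the Winlogon "Userinit" value for extra launchers.

Added example for this advisory (not McAfee's code). The stock value is only
userinit.exe; the Trojan appends its own svchost.exe copy to the list.
"""
import re
import sys
from typing import List, Optional

# The only launcher Windows itself places in Userinit (case-insensitive).
STOCK_USERINIT = re.compile(
    r"(?:[a-z]:\\windows|%systemroot%|%windir%)\\system32\\userinit\.exe", re.I
)

def parse_userinit(value: str) -> List[str]:
    """Split a Userinit REG_SZ into launcher paths.

    Entries are comma-separated and may be quoted; the stock value ends in a
    trailing comma, which yields an empty entry that is dropped here.
    """
    entries = []
    for raw in value.split(","):
        path = raw.strip().strip('"').strip()
        if path:
            entries.append(path)
    return entries

def suspicious_launchers(value: str) -> List[str]:
    """Return every Userinit entry that is not the stock userinit.exe path."""
    return [
        path for path in parse_userinit(value)
        if not STOCK_USERINIT.fullmatch(path.replace("/", "\\"))
    ]

def read_live_userinit() -> Optional[str]:
    """Read the live value on Windows; returns None on other platforms."""
    if sys.platform != "win32":
        return None
    import winreg  # Windows-only standard-library module
    key_path = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
        return winreg.QueryValueEx(key, "Userinit")[0]

# Constructed samples: a stock value and the infected value from the advisory.
CLEAN_VALUE = r"C:\WINDOWS\system32\userinit.exe,"
INFECTED_VALUE = r"C:\WINDOWS\system32\userinit.exe, C:\Program Files\Windows NT\svchost.exe"

if __name__ == "__main__":
    for label, value in (("clean", CLEAN_VALUE), ("infected", INFECTED_VALUE),
                         ("live", read_live_userinit())):
        if value is not None:
            print(f"{label}: {suspicious_launchers(value) or 'no extra launchers'}")
```

On a Windows host the "live" line reports the actual value; anything flagged should be checked against the file paths and C&C domains listed above.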
The McAfee Foundstone Services team offers a full range of strategic and technical consulting services that can further help you identify security risks and build effective solutions to remediate security vulnerabilities. You can reach them here: https://secure.mcafee.com/apps/services/services-contact.aspx

© 2011 McAfee, Inc. All rights reserved.