Called "Rocra", short for "Red October", which refers to the silent submarine at the center of Tom Clancy's 1984 novel "The Hunt for Red October", the malware is the front line of an espionage work that targeted government, research, nuclear energy, military, aerospace, oil and gas as well as trade and commerce institutions primarily in countries of the former Soviet Union, Eastern Europe, as well as Central Asia.
Kaspersky, which said that it has found first evidence of the existence of Red October, whose complexity and sophistication it compares with the Flame malware, identified more than "60 domain names and several server hosting locations in different countries (mainly Germany and Russia)" as a command and control infrastructure , which is set up as "a chain of servers working as proxies and hiding the location of the true -mothership- command and control server".
According to the security researchers, Red October not only attacks PCs, but also smartphones, including iPhone, Nokia-branded phones and Windows Mobile devices, and can dump Cisco enterprise network equipment configurations, hijack files from removable disk drives, including deleted files via its own data recovery capability, steal e-mail databases from local Outlook storage or a remote POP/IMAP server and pull files from local network FTP servers. It appears that the software is mainly based on the exploitation of three Microsoft vulnerabilities, CVE-2009-3129 (Excel), CVE-2010-3333 (Word) and CVE-2012-0158 (Word).
Kaspersky did not say how many computers may be infected by Red October, but mentioned that it found most systems in the area of Russia (35), followed by Kazakhstan (21), Azerbaijan (15), Belgium (15) and India (15). Six infected systems were found in the U.S. The company said that the exploits used by Red October have been developed most likely by Chinese hackers, while malware modules appear to have been created by Russian hackers.
