Beginning in Russia and spreading quickly to other countries, a new variation on the formerly dormant Red October malware has been detected this week by security firms such as Blue Coat and Kaspersky. The new version -- which is notably targeting the smartphones of diplomats, military leaders and business executives -- shows a level of sophistication in its function and code that suggests a rogue state, which would have the resources to assemble the necessary talent, is backing the attack.
As a reference to the many layers of the malware, and as a variation on the book/movie title given to the previous incarnation, Blue Coat has dubbed the new malware "Inception," while Kaspersky has opted for the name "Cloud Atlas." The way it works is that phishing emails are sent to key individuals in industry, finance, military and other sensitive circles with an attachment that exploits vulnerabilities in Rich Text Format (RTF) announced by Microsoft in March. The attack does not work on non-jailbroken iOS devices, but could conceivably penetrate jailbroken iPhones and iPads. An iOS version of the malware has been seen on the command-and-control servers, and Windows machines and Macs running outdated versions of Microsoft Office could also be at risk.
Utilizing a large network of compromised routers in South Korea, the malware uploads encrypted information (including recorded calls saved as MP3s) to a free Swedish remote storage service, CloudMe, which uses the WebDAV protocol. Blue Coat has noted that it does not believe CloudMe is actually part of the organization behind the attack; the company's free service is simply being used by the actual hackers. That avenue will likely be dismantled shortly if it hasn't already been closed off.
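The exfiltration path described above (WebDAV uploads from infected endpoints to a consumer cloud-storage service) leaves a distinctive trace in outbound proxy logs: methods such as PROPFIND, MKCOL and PUT that ordinary browsing never issues, aimed at a host that is not a sanctioned corporate share. The script below is an added example written for this article, not code from Blue Coat, Kaspersky or CloudMe, and it does not detect the malware itself; it flags the traffic pattern. The log format, the `.invalid` hostnames and the sample lines are all constructed for the demonstration.

```python
"""Flag WebDAV-style uploads to non-sanctioned cloud storage in proxy logs.

Added example, not from the article or the vendors it cites. It assumes a
hypothetical whitespace-separated proxy log format:
    timestamp client_ip method host path status bytes_out
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log (not real data). One client pushes two large
# encrypted recordings to a WebDAV share; another only browses a website.
SAMPLE_LOG = """\
2014-12-10T09:12:01Z 10.0.4.17 GET www.example-news.invalid /index.html 200 512
2014-12-10T09:12:44Z 10.0.4.17 PROPFIND cloud-storage.example.invalid /dav/user123/ 207 143
2014-12-10T09:12:45Z 10.0.4.17 MKCOL cloud-storage.example.invalid /dav/user123/2014-12-10 201 0
2014-12-10T09:12:50Z 10.0.4.17 PUT cloud-storage.example.invalid /dav/user123/2014-12-10/rec_0912.mp3.enc 201 2381102
2014-12-10T09:13:02Z 10.0.4.22 GET www.example-news.invalid /a.css 200 2048
2014-12-10T09:15:09Z 10.0.4.17 PUT cloud-storage.example.invalid /dav/user123/2014-12-10/rec_0915.mp3.enc 201 1907711
"""

# HTTP methods that only WebDAV clients normally send; a browser session
# to a website does not issue these.
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"}
# PUT carries the actual upload and is also rare in end-user browsing.
UPLOAD_METHODS = WEBDAV_METHODS | {"PUT"}


@dataclass
class ClientActivity:
    """Per-client summary of WebDAV/PUT activity against non-allow-listed hosts."""
    webdav_requests: int = 0
    bytes_uploaded: int = 0
    hosts: set = field(default_factory=set)
    paths: list = field(default_factory=list)


def parse_line(line):
    """Split one log line into its fields; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 7:
        return None
    ts, client, method, host, path, status, size = parts
    try:
        return {"ts": ts, "client": client, "method": method.upper(),
                "host": host.lower(), "path": path,
                "status": int(status), "bytes_out": int(size)}
    except ValueError:
        return None


def find_webdav_uploads(log_text, allowed_hosts=frozenset(), byte_threshold=1_000_000):
    """Return {client_ip: ClientActivity} for clients that used WebDAV or PUT
    against a host not on the allow-list and successfully uploaded more than
    byte_threshold bytes in total. Only 2xx PUT responses count as uploads."""
    activity = defaultdict(ClientActivity)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] not in UPLOAD_METHODS:
            continue
        if rec["host"] in allowed_hosts:
            continue  # sanctioned corporate WebDAV share, ignore
        act = activity[rec["client"]]
        act.webdav_requests += 1
        act.hosts.add(rec["host"])
        if rec["method"] == "PUT" and 200 <= rec["status"] < 300:
            act.bytes_uploaded += rec["bytes_out"]
            act.paths.append(rec["path"])
    return {c: a for c, a in activity.items() if a.bytes_uploaded > byte_threshold}


if __name__ == "__main__":
    for client, act in find_webdav_uploads(SAMPLE_LOG).items():
        print(f"{client}: {act.webdav_requests} WebDAV/PUT requests, "
              f"{act.bytes_uploaded} bytes to {sorted(act.hosts)}")
```

The allow-list is the important knob: a legitimate internal WebDAV share (or a sanctioned cloud tenant) goes on it, so the rule only fires on uploads to hosts nobody in the organization is supposed to be syncing with. Because the article says the payloads are encrypted, the check deliberately keys on method, destination and volume rather than on file content.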
In its announcement on Wednesday, Kaspersky compared and contrasted this cyber-espionage campaign with the earlier Red October campaign. Similarities and differences are discussed, such as the tactic used to get diplomats to open the infected text file: an offer of a diplomatic car for sale at a good price. The post also discusses how the malware works on BlackBerry devices.
When Kaspersky published its findings on Red October back in 2013, the effort was shut down and the C&C network dismantled, presumably by those who were running it. Due to the similarities in style and the overlap in targets, experts at Kaspersky believe the new malware represents an effort by the same group behind "Red October."