Rocra is the latest spyware found attacking government entities around the world. It is a newly discovered piece of malware, identified by the Russian security firm Kaspersky Lab. It has flown under the radar for five years — and it is still in use to this day.
Rocra, short for Red October, spies on governments with a number of “info-stealing modules,” components of the malware that grab documents and other data from an infected computer and send them back to the attackers. Created in 2007, it steals the usual suspects, such as documents, PDFs, and a number of other file types, but it also specifically looks for files with the extension “acid.” Those files are produced by an encryption program called Acid Cryptofiler, which is used by NATO and some European Union organizations.
Cyber-espionage has become a big concern, as more reports of state-sponsored attacks surface. While there’s thus far no evidence to suggest that this is a state-sponsored attack, governments such as the United States are getting more serious about cyber-attacks and talking about beefing up preparation for them. Recently, outgoing Defense Secretary Leon Panetta said that we could be facing a “cyber-Pearl Harbor.”
Kaspersky believes that the malware writers are likely Russian-speaking, given a number of Russian phrases that show up in the malware’s code.
Kaspersky does not outright name the organizations that were infected by Rocra, but it did specify that the malware targets government organizations, scientific research organizations, embassies, and consulates. The majority of these infections were in Eastern Asia, though Kaspersky also found some in Western Europe and North America. The security firm discovered this by monitoring its cloud security tools and by setting up a “sinkhole server,” a server that captures and monitors the traffic going to and from the malware’s command and control server. From the sinkhole, Kaspersky learned that IP addresses in Switzerland, Kazakhstan, and Greece contacted the command and control server most frequently.
The malware can also “resurrect” itself after a previously infected computer has been wiped. When it is first installed, Rocra adds itself as a plug-in to Microsoft Word and Adobe Reader, according to Kaspersky. After the machine is “clean,” the attackers can send a document to the computer that revives the malware when opened.
Furthermore, it attacks more than just regular computers: it can also steal information from mobile phones (including iPhones and Windows phones) and record data from network switches and routers.
A computer is infected with the malware through a simple social engineering attack. That is, the criminals send a phishing email to their target in the hope that the recipient opens an attachment.