"Red October". Detailed Malware Description 1. First Stage of Attack

First stage of attack

  1. Exploits
  2. Dropper
  3. Loader Module
  4. Main component

Second stage of attack

  1. Modules, general overview
  2. Recon group
  3. Password group
  4. Email group
  5. USB drive group
  6. Keyboard group
  7. Persistence group
  8. Spreading group
  9. Mobile group
  10. Exfiltration group

1. Exploits

Based on the analysis of known cases, we identified two main ways through which Backdoor.Win32.Sputnik infects the victims. Both methods rely on spear-phishing e-mails which are sent to the prospective victims. The e-mails contain an attachment which is either an Excel or Word document, with enticing names. In addition to Office documents (CVE-2009-3129, CVE-2010-3333, CVE-2012-0158), it appears that the attackers also infiltrated victim network(s) via Java exploitation (MD5:35f1572eb7759cb7a66ca459c093e8a1 - 'NewsFinder.jar'), known as the 'Rhino' exploit (CVE-2011-3544).

The Red October infection diagram

The Excel-based exploit - CVE-2009-3129

This is the oldest known way for Red October to infect computers.

A list of some of the Excel file names can be found below:

File name: MD5:
Katyn_-_opinia_Rosjan.xls bd05475a538c996cd6cafe72f3a98fae
WORK PLAN (APRIL-JUNE 2011).xls f16785fc3650490604ab635303e61de2
EEAS-Staff New contact list (05-25-2011).xls 5f9b7a70ca665a54f8879a6a16f6adde
EEAS New contact list (05-05-2011).xls
Agenda Telefoane institutii si ministere 2011.xls 4bfa449f1a351210d3c5b03ac2bd18b1
Agenda Telefoane institutii si ministere 2011 (2).xls 4ce5fd18b1d3f551a098bb26d8347ffb
FIEO contacts update.xls ec98640c401e296a76ab7f213164ef8c
spisok sotrudnikov.xls d98378db4016404ac558f9733e906b2b
List of shahids.xls dc4a977eaa2b62ad7785b46b40c61281
Spravochnik.xls 5ecec03853616e13475ac20a0ef987b6
Agenda Telefoane&Email institutii si ministere 2011.xls de56229f497bf51274280ef84277ea54
EEAS New contact list (05-05-2011) (2).xls 396d9e339c1fd2e787d885a688d5c646
FIEO contacts update.xls 7e5d9b496306b558ba04e5a4c5638f9f
Telephone.xls c42627a677e0a6244b84aa977fbea15d
List of shahids.xls 1f86299628bed519718478739b0e4b0c
BMAC Attache List - At 11 Oct_v1[1].XLS f0357f969fbaf798095b43c9e7a0cfa7
MERCOSUR_Imports.xls 50bd553568422cf547539dd1f49dd80d
Cópia de guia de telefonos (2).xls cee7bd726bc57e601c85203c5767293c
Programme de fetes 2011.xls ceac9d75b8920323477e8a4acdae2803
12 05 2011 updated.xls 639760784b3e26c1fe619e5df7d0f674
telefonebi.xls d71a9d26d4bb3b0ed189c79cd24d179a
telefonebi.xls dc8f0d4ecda437c3f870cd17d010a3f6

The Excel based exploit is detected by Kaspersky products as Trojan-Dropper.MSWord.Agent.ga. It was apparently used mostly in 2011, with several samples being uploaded to VirusTotal by the victims. For a detection link of various products, check:


Several detections include:

Kaspersky Trojan-Dropper.MSWord.Agent.ga 20120808
McAfee Exploit-MSExcel.u 20120808
Microsoft Exploit:Win32/CVE-2009-3129 20120808
Symantec Bloodhound.Exploit.306 20120808
TrendMicro HEUR_OLEXP.B 20120808

The Excel file properties for all the exploits indicate it has been edited on a system with Simplified Chinese Excel. The exploit appears to have been compiled on 26 Nov 2009:

MIMEType : application/vnd.ms-excel
Company :
ModifyDate : 2009:11:26 03:35:15
TitleOfParts : Sheet1
SharedDoc : No
Author :
CodePage : Windows Simplified Chinese (PRC, Singapore)
Title :
AppVersion : 11.9999
LinksUpToDate : No
ScaleCrop : No
LastModifiedBy : qq
HeadingPairs : ??????, 1
HyperlinksChanged : No
CreateDate : 1996:12:17 01:32:42
Security : None
FileType : XLS
Software : Microsoft Excel

The exact exploit type used by Red October in the XLS files is CVE-2009-3129.

Exploit (CVE-2009-3129) information:

"Microsoft Office Excel 2002 SP3, 2003 SP3, and 2007 SP1 and SP2; Office 2004 and 2008 for Mac; Open XML File Format Converter for Mac; Office Excel Viewer 2003 SP3; Office Excel Viewer SP1 and SP2; and Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP1 and SP2 allows remote attackers to execute arbitrary code via a spreadsheet with a FEATHEADER record containing an invalid cbHdrData size element that affects a pointer offset, aka "Excel Featheader Record Memory Corruption Vulnerability."

US-CERT info: https://www.us-cert.gov/cas/techalerts/TA09-314A.html

Patch: http://technet.microsoft.com/en-us/security/bulletin/ms09-nov

The vulnerability exploited by the Red October XLS dropper has been patched by Microsoft in November 2009.

The CVE-2009-3129 exploit and shellcode

Shellcode decryptor in XLS files

The Red October XLS CVE-2009-3129 exploit appears to have been originally developed by Chinese hackers. It was also used in other, unrelated attacks against Tibetan activists and other entities. Its main purpose is to drop and execute a Trojan, which for Red October is in the range of 500-600kB.

The shellcode receives control upon successful exploitation of the vulnerability and proceeds to decrypt itself. Once decrypted, the shellcode in turn decrypts the main malware body (at offset 0x6600 in the XLS files).
The malware is stored in the Excel file at offset 0x6600, in encrypted form:

Encrypted malware payload in XLS files

The malware is encrypted with a simple XOR+ROR algorithm:

void decrypt(unsigned char *tbuf, unsigned long n, int round) {
unsigned char b;
long i;
unsigned short ecx=0x400;
unsigned char a;


for (i=0;i>a) | (b<<(8-a));


The shellcode writes the main "top" Trojan dropper to a file named "Dcs.tmp" and runs it. It will also extract a dummy Excel file which will be shown to the user if the exploit was successful. The dummy Excel is named "~ .xls".

The Word-based exploit - CVE-2010-3333

The CVE-2010-3333 Word-based exploit (RTF files) has been observed in September and October 2012. Example filename / MD5 list related to the attack:

File name: MD5:
arexeio1.doc cb51ef3e541e060f0c56ac10adef37c3
Popa Tatiana -plîngere.doc 6B23732895DAAAD4BD6EAE1D0B0FEF08
La Política de Defensa y el Poder Naval en México OTAN (1).doc 44E70BCE66CDAC5DC06D5C0D6780BA45
Iran, Syria and the balance of power in the Middle East.doc 9F470A4B0F9827D0D3AE463F44B227DB
Diplomatic Staff list.doc 91EBC2B587A14EC914DD74F4CFB8DD0F
Diplomatic Car for Sale - MB 2000.doc 85BAEBED3D22FA63CE91FFAFCD7CC991
Rulers have hostaged parliament to further their personal interest (1).doc B9238737D22A059FF8DA903FBC69C352
Итоги президенства

Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *