TR-10 - Red October / Sputnik malware

Overview

Red October is a malware family, also known as Sputnik, which Kaspersky identified in October 2012. It had been active since 2007; infections have been found around the globe, and the targets were mainly diplomatic and governmental agencies. The malware was typically delivered by e-mail to selected people in the targeted organisations. Office documents in various formats served as the carrier for the loader, with different exploits used to drop the malicious content. After several stages of unpacking the malware persists on the computer, and only once it has successfully probed for internet connectivity does it decrypt a separate file and start to behave maliciously: it connects to a Command and Control server, awaits new commands, or downloads and executes specific malware modules.

Detection

The domains and IP addresses listed under Resources are currently known to be used for Command and Control activity.

Any hit on them in your organisation's proxy, DNS or firewall logs during the last 6 years (the campaign has been active since 2007) indicates a compromised host in your organisation. Check DNS query logs as well as connection logs: the malware resolves a C2 domain before it connects, so a lookup for one of the domains is already a strong indicator even if the connection itself was never logged. Hosting-provider IP addresses may be reassigned over time, so a hit on an IP address alone is weaker evidence than a hit on one of the domains and should be corroborated.

Proactive measures

Block access to the domains and IP addresses listed below at the DNS resolver, the proxy and the perimeter firewall, and log blocked attempts: a blocked request still identifies the infected host.

Reactive measures

Review log files, including archived logs restored from backups, for hits on the domains and IP addresses. In case of a hit, identify the machine and isolate it by unplugging it from the network; do not power it off or reboot it, so that a memory image can still be taken. CIRCL can assist with the analysis of memory and file system dumps.
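The log review described above, as an added example that is not part of this advisory: a small Python script that scans BIND query-log lines and Squid native access-log lines for the Red October indicators and reports which internal host triggered each hit. The indicator sets below are a subset of the lists under Resources (load the full lists in practice), the log lines are constructed for the example, and domain matching is label-aware so that a subdomain of a C2 domain matches while a lookalike such as notdailyinfonews.net does not.

```python
"""Scan DNS and proxy logs for Red October C2 indicators (added example, not CIRCL code)."""
import ipaddress
import re
from typing import NamedTuple, Optional

# Subset of the indicators from the Resources section; extend with the full lists.
C2_DOMAINS = set("""
bb-apps-world.com blackberry-update.com csrss-check-new.com dailyinfonews.net
dll-host.com drivers-check.com genuine-check.com hotinfonews.com microsoft-msdn.com
ms-software-update.com msgenuine.net nt-windows-update.com svchost-update.com
windows-genuine.com winupdateonline.com world-mobile-congress.com
""".split())
C2_IPS = set("""
31.41.45.119 31.41.45.139 37.235.54.48 78.46.173.15 88.198.85.161 91.226.31.40
92.53.105.40 141.101.239.225 176.9.241.254 178.63.208.49 178.63.208.63 188.40.19.247
""".split())

# Constructed sample log lines: three BIND query-log lines, three Squid native access-log lines.
SAMPLE_LOG = """\
13-Jan-2013 10:21:05.123 client 10.1.2.3#51234: query: news.dailyinfonews.net IN A + (10.0.0.53)
13-Jan-2013 10:21:06.001 client 10.1.2.4#41000: query: update.microsoft.com IN A + (10.0.0.53)
13-Jan-2013 10:21:07.442 client 10.1.2.5#53011: query: notdailyinfonews.net IN A + (10.0.0.53)
1358074865.123    245 10.1.2.7 TCP_MISS/200 1324 GET http://www.microsoft-msdn.com/update.php - DIRECT/88.198.85.161 text/html
1358074870.555     12 10.1.2.8 TCP_MISS/200 8812 GET http://www.example.org/ - DIRECT/203.0.113.10 text/html
1358074880.009     80 10.1.2.9 TCP_MISS/200 512 POST http://31.41.45.139/ - DIRECT/31.41.45.139 text/plain
""".splitlines()


class Hit(NamedTuple):
    line_no: int     # 1-based index of the offending log line
    client: str      # internal host that made the request
    indicator: str   # matched C2 domain or IP address
    kind: str        # "domain" or "ip"


# BIND query log: "... client 10.1.2.3#51234: query: host.example IN A ..."
DNS_RE = re.compile(r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN")


def c2_domain_for(name: str) -> Optional[str]:
    """Return the C2 domain that `name` equals or is a subdomain of, else None."""
    name = name.lower().rstrip(".")
    for d in C2_DOMAINS:
        if name == d or name.endswith("." + d):
            return d
    return None


def c2_ip_for(addr: str) -> Optional[str]:
    """Return the normalised C2 IP if `addr` is a listed address, else None."""
    try:
        s = str(ipaddress.ip_address(addr))
    except ValueError:
        return None
    return s if s in C2_IPS else None


def parse_line(line: str):
    """Return (client, hostnames, peer_ips) for a BIND or Squid line, None for other formats."""
    m = DNS_RE.search(line)
    if m:
        return m["client"], [m["qname"]], []
    fields = line.split()
    if len(fields) >= 9 and fields[6].startswith(("http://", "https://")):
        host = re.sub(r"^[a-z]+://([^/:@]+).*$", r"\1", fields[6])  # host part of the URL
        peer = fields[8].split("/", 1)[-1]                          # e.g. DIRECT/88.198.85.161
        return fields[2], [host], [peer]
    return None


def scan(lines) -> list:
    """Match every parsable line against the indicator sets; one Hit per indicator per line."""
    hits = []
    for n, line in enumerate(lines, 1):
        parsed = parse_line(line)
        if parsed is None:
            continue
        client, names, ips = parsed
        seen = set()
        for name in names:  # a URL host may itself be a bare C2 IP
            ind = c2_domain_for(name) or c2_ip_for(name)
            if ind and ind not in seen:
                seen.add(ind)
                hits.append(Hit(n, client, ind, "domain" if ind in C2_DOMAINS else "ip"))
        for addr in ips:
            ind = c2_ip_for(addr)
            if ind and ind not in seen:
                seen.add(ind)
                hits.append(Hit(n, client, ind, "ip"))
    return hits


def compromised_hosts(lines) -> list:
    """Sorted list of internal hosts that should be isolated for analysis."""
    return sorted({h.client for h in scan(lines)})


if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(f"line {h.line_no}: {h.client} -> {h.indicator} ({h.kind})")
    print("isolate:", ", ".join(compromised_hosts(SAMPLE_LOG)))
```

Run it against `zcat` output of archived DNS and proxy logs rather than the embedded sample; the same `scan()` works on any iterable of lines. A proxy hit yields two entries, the domain and the resolved peer IP, which is useful when the IP side is later reassigned and only the domain remains a reliable indicator.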

Resources

Red October domains

bb-apps-world.com
blackberry-apps-world.com
blackberry-update.com
csrss-check-new.com
csrss-update-new.com
csrss-upgrade-new.com
dailyinfonews.net
dll-host-check.com
dll-host-udate.com
dll-host-update.com
dll-host.com
dllupdate.info
drivers-check.com
drivers-get.com
drivers-update-online.com
genuine-check.com
genuineservicecheck.com
genuineupdate.com
hotinfonews.com
microsoft-msdn.com
microsoftcheck.com
microsoftosupdate.com
mobile-update.com
mobileimho.com
mobileimho.ru
ms-software-check.com
ms-software-genuine.com
ms-software-update.com
msgenuine.net
msinfoonline.org
msonlinecheck.com
msonlineget.com
msonlineupdate.com
new-driver-upgrade.com
nt-windows-check.com
nt-windows-online.com
nt-windows-update.com
os-microsoft-check.com
os-microsoft-update.com
osgenuine.com
security-mobile.com
shellupdate.com
svchost-check.com
svchost-online.com
svchost-update.com
update-genuine.com
win-check-update.com
win-driver-upgrade.com
windows-genuine.com
windowscheckupdate.com
windowsonlineupdate.com
wingenuine.com
wins-driver-check.com
wins-driver-update.com
wins-update.com
winupdateonline.com
winupdateos.com
world-mobile-congress.com
xponlineupdate.com

Red October IPs

31.41.45.119
176.9.241.254
141.101.239.225
178.63.208.49
188.40.19.247
37.235.54.48
78.46.173.15
88.198.85.161
92.53.105.40
31.41.45.139
91.226.31.40
178.63.208.63

Attribution and technical reports

We want to thank Kaspersky Lab for sharing the information.

Classification Of This Document

TLP: WHITE information may be distributed without restriction, subject to copyright controls.