Red October is a malware family, also named Sputnik, which was detected in October 2012 by Kaspersky. It was active since 2007, installations have been spotted around the globe and targets were diplomatic and governmental agencies. The malware usually was sent by email to selected people in the respective organizations. As a cover, different office file formats have been used to transport the loader of the malware, using different exploits to drop the malicious content. After several stages of unpacking, the malware is running persistently on the computer and only when it successfully probes internet connectivity, it decrypts a separate file and starts to behave maliciously: it connects to a Command and Control server, awaiting new commands or downloading and executing specific malware modules.
Currently, the domains in this document are known to be used for Command and Control activity.
Any hit in your organisation’s Proxy or DNS log files or firewall logs during the last 6 years indicate a compromised host in your organization.
Block access to below mentioned domains and IP addresses.
Review log files, also those from backups regarding hits on the domains / IP addresses. In case of a hit, identify and isolate the machine by unplugging it from the network. CIRCL can assist with the analysis of memory and file system dumps.
Red October domains
bb-apps-world.com blackberry-apps-world.com blackberry-update.com csrss-check-new.com csrss-update-new.com csrss-upgrade-new.com dailyinfonews.net dll-host-check.com dll-host-udate.com dll-host-update.com dll-host.com dllupdate.info drivers-check.com drivers-get.com drivers-update-online.com genuine-check.com genuineservicecheck.com genuineupdate.com hotinfonews.com microsoft-msdn.com microsoftcheck.com microsoftosupdate.com mobile-update.com mobileimho.com mobileimho.ru ms-software-check.com ms-software-genuine.com ms-software-update.com msgenuine.net msinfoonline.org msonlinecheck.com msonlineget.com msonlineupdate.com new-driver-upgrade.com nt-windows-check.com nt-windows-online.com nt-windows-update.com os-microsoft-check.com os-microsoft-update.com osgenuine.com security-mobile.com shellupdate.com svchost-check.com svchost-online.com svchost-update.com update-genuine.com win-check-update.com win-driver-upgrade.com windows-genuine.com windowscheckupdate.com windowsonlineupdate.com wingenuine.com wins-driver-check.com wins-driver-update.com wins-update.com winupdateonline.com winupdateos.com world-mobile-congress.com xponlineupdate.com
Red October IPs
184.108.40.206 220.127.116.11 18.104.22.168 22.214.171.124 126.96.36.199 188.8.131.52 184.108.40.206 220.127.116.11 18.104.22.168 22.214.171.124 126.96.36.199 188.8.131.52 184.108.40.206 220.127.116.11
Attribution and technical reports
We want to thank Kaspersky Lab for sharing the information
- Red October Diplomatic Cyber Attacks Investigation
- Red October Detailed Malware Description 1 First Stage of Attack
- Red October Detailed Malware Description 2 First Stage of Attack
- Red October Detailed Malware Description 3 First Stage of Attack
- Red October Detailed Malware Description 4 First Stage of Attack
- Red October Detailed Malware Description 5 First Stage of Attack
Classification Of This Document
TLP: WHITE information may be distributed without restriction, subject to copyright controls.