Rocra, which is short for Red October, was detected by Kaspersky. Kaspersky started to look into the malware last year in October. They found that a group of hackers was using exploits in order to steal information worldwide from high-level departments.
They also believe that the attacks have been occurring for over five years.
How does it work?
The malware operates by using exploits in Microsoft Word and Excel. The primary technique the hackers used is a form of phishing called spear phishing. In a very broad sense, phishing is the act of attempting to acquire information by pretending to be trustworthy. In Rocra's case they try to get officials to download Word or Excel documents that carry the exploit inside the document. Once the document was downloaded and opened, the exploit began working. Rocra has recently been found to use Java exploits as well to help spread the malware.
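Because the delivery vehicle described above is an Office attachment sent by e-mail, the first place a defender can catch it is at the mail gateway. The following Python script is an added example for this article (it is not Kaspersky's code and not part of the original post): it parses an e-mail message, lists its attachments, and flags Word or Excel documents that arrive from a sender outside an assumed allowlist of trusted domains, as well as attachments whose file extension does not match the file's magic bytes. The trusted domain set, the sender addresses and the attachment contents are all constructed for the example.

```python
"""Attachment triage for spear-phishing mail (added example, not the article's own code)."""
import email
import os
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Assumed allowlist of sender domains the organisation trusts (constructed for this example).
TRUSTED_DOMAINS = {"example.org"}

# Word/Excel extensions, the document types the article says carried the exploit.
LEGACY_OFFICE = {".doc", ".dot", ".xls", ".xlt"}      # OLE2 compound documents
OOXML_OFFICE = {".docx", ".docm", ".xlsx", ".xlsm"}   # ZIP containers
OFFICE_EXTENSIONS = LEGACY_OFFICE | OOXML_OFFICE

# Magic bytes for the two container formats above.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ZIP_MAGIC = b"PK\x03\x04"


def sender_domain(msg):
    """Return the lower-cased domain of the From: address (empty if unparsable)."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def content_matches_extension(name, data):
    """Check that the attachment's bytes start with the header its extension implies."""
    ext = os.path.splitext(name)[1].lower()
    if ext in LEGACY_OFFICE:
        return data.startswith(OLE2_MAGIC)
    if ext in OOXML_OFFICE:
        return data.startswith(ZIP_MAGIC)
    return True  # no opinion on other types


def triage(raw_bytes):
    """Return a list of (filename, finding) tuples for suspicious Office attachments."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    domain = sender_domain(msg)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        ext = os.path.splitext(name)[1].lower()
        if ext not in OFFICE_EXTENSIONS:
            continue
        if domain not in TRUSTED_DOMAINS:
            findings.append((name, "office-doc-from-untrusted-sender"))
        if not content_matches_extension(name, data):
            findings.append((name, "extension-content-mismatch"))
    return findings


def build_sample(sender, filename, payload):
    """Build a constructed test message with one attachment (sample data, not real traffic)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "official@example.org"
    msg["Subject"] = "Updated schedule"
    msg.set_content("Please review the attached document.")
    msg.add_attachment(payload, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    # Constructed message: untrusted sender, file named .xls but carrying a ZIP header.
    suspicious = build_sample("Ministry Liaison <liaison@untrusted-example.net>",
                              "schedule.xls", ZIP_MAGIC + b"\x00" * 16)
    for filename, finding in triage(suspicious):
        print(f"{filename}: {finding}")
```

The domain allowlist is deliberately the weakest part of this check, since a spoofed or compromised trusted address passes it; in practice it belongs behind SPF/DKIM/DMARC verification, and the extension/magic-byte comparison is what catches a document dressed up as a different file type. Opening the document itself in a sandbox is the next step, and is outside what this script does.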
The exploit is able to steal shocking amounts of information. It can take data from both PCs and from smartphones that are connected to the PC. It can take files off removable drives, including data that has been deleted. It can copy entire e-mail messages and their attachments. The malware can also act as a keylogger on infected machines. It can save the browsing history of many browsers, such as Opera, Internet Explorer, Chrome, and Firefox. It is even able to take screenshots.
Where does it come from?
There is no certainty as to where the virus comes from, but there are some indications that the group executing the attacks is Russian-speaking. This is believed only because some Russian slang has been found in the code. The exploits themselves, however, were made in China.
Who is at risk?
The main targets for the malware so far have been high-level departments in different countries. So far, it has been detected in over 300 countries in the last two years. It has affected some countries more so than others; the top three places it was found in were Russia, Kazakhstan, and Azerbaijan. There doesn't seem to be one particular area that the malware looks for information in either, as the infection was found in multiple departments of the places where the virus was found.
For example, in Russia the detections were in military, energy research, and research institutions and embassies, whereas the infections in Japan were found in embassies and trade and commerce divisions.
What is the purpose?
With most malware, the goal is to make money in some way. In this case, it is likely that the hackers are selling the information they gain for profit. However, that is only speculation.
Can I be affected by Rocra?
So far, only high-level organizations have been known to be targeted by Rocra. It's safe to say that most people are at very little risk of infection by the Rocra virus. Everybody is at risk of getting a virus via phishing, though. You should always use extreme care when downloading attachments from unknown sources.