Red October is a malware family, also named Sputnik, which was detected in October 2012 by Kaspersky. It was active since 2007, installations have been spotted around the globe and targets were diplomatic and governmental agencies. The malware usually was sent by email to selected people in the respective organizations.
As a cover, different office file formats have been used to transport the loader of the malware, using different exploits to drop the malicious content. After several stages of unpacking, the malware is running persistently on the computer and only when it successfully probes internet connectivity, it decrypts a separate file and starts to behave maliciously: it connects to a Command and Control server, awaiting new commands or downloading and executing specific malware modules.
Currently, the domains in this document are known to be used for Command and Control activity.
Any hit in your organisation's Proxy or DNS log files or firewall logs during the last 6 years indicate a compromised host in your organization.
- Block access to below mentioned domains and IP addresses.
- Reactive measures
- Review log files, also those from backups regarding hits on the domains / IP addresses. In case of a hit, identify and isolate the machine by unplugging it from the network. CIRCL can assist with the analysis of memory and file system dumps.
Via Gust MEES