Its level of sophistication is such that it has the ability to reach far beyond hijacking local data specific to one machine, and it’s able to evade detection by applying user context to its phishing emails.
“The malware contained many of the traditional functions associated with malware, such as key logging,” Tom Goren Bar, data security researcher at Imperva, noted in a blog post. “But focusing on these traditional capabilities misses a key point: hijacking local data, such as files and credentials, was the means – but not the end.”
Bar said that Rocra’s modules are capable of reaching FTP servers and remote network shares beyond local disk drives – thus the ability to copy files from these resources. “The potential bounty that can be extracted from such victims is varied both in content and in type: documents and presentations of meeting summaries and strategic plans, database financial records, CRM records, technical blueprints of weapons and infrastructure, sensitive email conversations and more,” he said.
Worse, the malware is written to sift through data on an ongoing basis. Rocra has specific modules for each of the elements needed for an APT attack: Reconnaissance gathering, spreading, persistence maintenance, data extraction and data exfiltration. Unlike simply using the “Recon” data collection modules employed by most APTs, which require an attacker to manually execute them on a per-use basis to uncover sensitive information, the “Exfiltration” modules in Rocra are designed to run repeatedly, automatically – and to bring only new, valuable data.
Meanwhile, to get into its targets, arguably some of the most threat-aware out there (government, military, scientific labs, aeronautical, energy) took some doing. The infiltration into the networks and end points of the victims was conducted using vulnerable Excel and Word documents attached to carefully crafted email messages. But a simple phishing email would immediately be seen as suspicious. So Rocra, Bar uncovered, recycles stolen data from victims of the same sector to make its spear phishing emails less suspicious by incorporating some context that would be familiar to the victim.
“It is reasonable to assume that the identity of the victim was also used to send the email with his positive reputation and appearance,” Bar said.
These targeted social engineering messages thus easily bypassed “perimeter” security measures.
“New software exploits will always be around to help circumvent perimeter security measures,” Bar said. “DLP solutions were also probably defeated in this attack since Rocra implements a propriety data transmission protocol with the C&C that change both file content and file size. However, data access patterns are difficult to change. Automation, among other attributes of data access, provides the attacker with speed and volume and cannot be discarded.”
The main purpose of the Rocra operation, first revealed by Kaspersky Lab, was the gathering of classified information and geopolitical intelligence. During the past five years, the attackers have collected information from hundreds of high-profile victims, on mobile devices, computer systems, removable files and other network equipment in a variety of locations in Eastern Europe, former USSR states and countries in Central Asia, but also in Western Europe and North America.
As far as the perpetrators go, Kaspersky said evidence suggests that it has been a collaborative effort. The exploits appear to have been created by Chinese hackers, while the malware modules have been created by Russian-speaking operatives.