Inception: The Complex Malware that Targets Executives

Back in 2012, Kaspersky Labs released information on a peculiar type of cyber espionage malware that it named Red October. They calculated that, for 5 years, it had been actively gathering information from embassies, scientific institutions, government organizations, oil and energy companies, and aerospace industries. As soon as it was discovered, those operating it shut the program down.

But good malware never dies, it just gets transformed. In May, 2014, Blue Coat Labs discovered a malware program it described as, “one of the most sophisticated malware attacks Blue Coat Labs has ever seen”. They called it, Inception. Interestingly, Inception targetedindividuals in strategic positions: Executives in important businesses such as oil, finance and engineering, military officers, embassy personnel and government officials.” Although Blue Coat realized there were clear similarities between Inception and Red October, they didn’t think these similarities were enough to link the two. “It’s hard to believe that the same programmers are responsible for the two code bases.” However, if the two were linked, the developers must have gone through a lot of trouble masking the program by constructing numerous false leads (red herrings).

It is generally agreed that the Red October attacks came from Russia. It was difficult to trace where Inception came from because there were so many false leads. For example, there are comments in Hindi, Farsi, and English. There is even code taken directly from common Chinese APT attacks that seems to exist for the sole purpose of confusing investigators. This and more is why Blue Coat stopped short of saying the attacks were Russia-based. Kaspersky, on the other hand, was not so reticent. They filed their first report on Inception in August, 2014, and named it Cloud Atlas or Red October Part 2.

How it works

No matter how sophisticated a malware program is, it still has to find a way onto the network it wants to attack. Is anyone surprised that the attack vector in the case of Inception was through spear phishing emails? Is it any surprise that one of these emails promised pictures of “Mrs. World” (This email was in Russian so the writer probably meant “Miss World”.) To get these photos, the victim only had to open a Word document. They would get a photo but they would also open the door to the attack. Other spear phishing emails were either in Russian or English. Often they contained information taken directly from some website. One in particular featured an automobile for sale. Oddly, it was the replica of a spear phishing email used in the first Red October attack. But was it placed there as a red herring or because it worked before?

As mentioned, Inception targets executives. There are probably two main reasons for this. First of all, executives have the “keys to the kingdom”: that is, access to the most sensitive information. Secondly, executives, rightly or not, have the reputation of not being very tech savvy and are, thus, easier cybercrime targets. As one writer put it, “the problem for many boards of corporations is that they don’t have the expertise to understand the technical aspect of cyber security and the challenges companies face.”

A Fortune Magazine article takes this idea further. “Top executives don’t realize their systems are vulnerable and don’t understand the risks. Sales figures and new products are top of mind; shoring up IT systems aren’t. “

Now, to give a brief, non-technical idea of how this malware works once it compromises a user. (This is intentionally over-simplified. For those needing more technical details see the Blue Coat White Paper or the information from Kaspersky.)The malware contains payloads that are designed for a wide array of devices, including home routers and mobile devices running iOS, BlackBerryOS, or Android. Once infected, the victim’s device will communicate with the attacker through cloud services. When activated, the malware adds information to the registry to insure that it works at every startup. Upon startup, through a series of convoluted steps, the malware eventually opens a tool which surveys the computer. After gathering the desired information, it sends it to the cloud. All of the information is encrypted. The malware files can rename themselves on a daily basis and update victim information to the cloud. The malware can also receive new instructions from the attacker through the cloud. Files may change their locations to make them more difficult to discover and persist on the system. IP addresses of the attackers change frequently.

All mobile OSs are endangered by this malware. One key way to spearphish mobile device users was to send them an sms message such as the following:

“Get WhatsApp now for your iPhone, Android, BlackBerry or Windows Phone”.

This was followed by a link so that the whole message looked as follows:

“Get WhatsApp now for your iPhone, Android, BlackBerry or Windows Phone: WhatsApp”.

Most users would look at this as a legitimate offer and would click on the link to get the app. Just because a link says it is one thing doesn’t mean it’s not something else. If you hover over the link, you will see that it will take you to this website. However, I could have just as easily led you to a compromised website. An MMS phishing exploit was a little more complicated. The malware first identified the mobile operator and then choose which service provider logo to display with its message. The following providers were among the many used.

isp logos

In any event, clicking on the link would download the malware. It appears the main purpose of the malware was to record phone calls, since recorded calls were put in mp4 files and uploaded to the cloud. In addition, the malware can retrieve

  • Account data
  • Location
  • Contacts
  • External and Internal Storage (files written)
  • Audio (microphone)
  • Outgoing calls
  • Incoming calls
  • Call log
  • Calendar
  • Browser bookmarks
  • Incoming SMS

The same basic vulnerabilities exist for Apple and Blackberry devices with the exception that Apple devices must first be jailbroken.

Although the original Red October disappeared after it was discovered, it likely left traces on infected computers that it could use to renew the attack at a later time. Kaspersky believes that this current campaign will not end so easily. Too much time and money has been spent on developing it. “The amount of layers used in this scheme to protect the payload of their attack seems excessively paranoid. This suggests that this is a large campaign and we’re only seeing the beginning of it.” Not only that, but Kaspersky expects that this sophisticated malware, which, in the past, has mainly targeted information, will crossover to the criminal world. Why take money from one person’s bank account when you can use sophisticated malware to take money from the bank directly?

Companies and agencies, even remotely connected to the larger firms and institutions that the malware designers are interested in, may be in the line of fire as well. It is believed that these tenuously connected enterprises may have information that the attackers can use in designing better spear phishing emails. Wouldn’t you be more likely to open an email from one of your business partners, especially when it looked legitimate?

Finally, it can’t be emphasized enough that company executives are in the crosshairs. They will be sought after in any number of ways. Darkhotel APT was a malware that targeted high profile individuals (corporate executives: CEOs, senior vice presidents, sales and marketing directors, and top R&D staff) who tended to stay in certain upscale hotels. The malware developers realized that these people would probably use the hotel’s Wi-Fi network and compromised it. They would then use typical spear phishing techniques (often telling the user they needed to update a common program like Adobe) to infect the user’s device with spy malware. Darkhotel went after information. Once it got that information, it would disappear and no one was the wiser, certainly not the executives who naively believed the luxury hotel’s Wi-Fi network must be safe. Inception can do what Darkhotel did and more. To put it bluntly, instead of blaming nation-states for cyber espionage attacks, it’s time for executives to accept some of the responsibility for what happens to them and their companies because of their own carelessness. In the final analysis the attackers can’t succeed unless they have someone on the inside, like these executives, to give them the assistance they need.

_______________________________________________________

How to Protect Your Company from Naïve Employees

Let’s face it, a lot of employees don’t really know how to behave in a responsible manner when it comes to security. That might be fine if they only endanger themselves, but, if they are connected to your network through a mobile device, like many employees are these days, their lack of technical know-how can put your company and all its most sensitive data at risk. Modern developments in cyber security have eliminated the need to monitor your employees’ behavior while online. There is no longer any excuse for a company losing data because of one employee’s mistake. If you are a corporate executive, you are only one step away from securing your network from even the most sophisticated malware attacks.

About Steve Mierzejewski

Marketing consultant for InZero Systems, developer of the next generation in hardware-separated security, WorkPlay Technology. I've worked in Poland, Japan, Korea, China, and Afghanistan. I'm a writer, technical editor, and an educator. I also do some work as a test developer for Michigan State University.
This entry was posted in Uncategorized and tagged , , , , , , , . Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s