Early last week researchers at Kaspersky Lab identified Red October, a malware campaign that was stealing data from several countries’ embassies, as well as scientific and government agencies. Kaspersky’s Threatpost has issued an update on the long-running malware operation saying that, following the initial reveal of the setup, command and control domains and servers for Red October started being shut down.
Kaspersky researcher Costin Raiu said, “It’s clear that the infrastructure is being shut down. Not only the registrars killing the domains and the hosting providers killing the command-and-control servers but perhaps the attackers shutting down the whole operation.”
The infrastructure identified as part of Red October so far runs to around 60 servers but, according to Raiu, most of these have been only first-level proxies for the operation. An estimated “several dozen” further servers remain undiscovered and handle different aspects of the data theft. A large number of modules are associated with the malware infection, “…with individual groups of modules tasked with reconnaissance, data collection, infecting mobile devices, etc.”
Raiu has speculated that, since the servers shut down so far are all first-level proxies, this could simply be a period of dormancy, after which Red October would resurface with a different layer of servers covering its tracks, or perhaps even with a new form of malware for the operation.
Source: Ars Technica