The malware, called Rocra, has been in existence for at least five years and appears to have been written by Russian speakers using Chinese exploit code that silently installs malware. It was still active in early January.
Among other things, Rocra has been used to steal encrypted files and decryption keys used by the European Union and NATO, said Roel Schouwenberg, a Kaspersky researcher based in Boston.
The malware also can map the internal layout of a computer network and the configuration of routers, and hijack files from thumb drives and smartphones, he said. It records keystrokes, makes screenshots, recovers deleted files and encrypts the data it steals. It makes unique identifiers for each target to more easily catalogue the stolen data.
Rocra is not as sophisticated as Flame, which spread through Windows software updates. But Schouwenberg said it appears to be far more elegant than the “rudimentary” malware coming from China, which has been used to siphon vast amounts of proprietary data from companies and governments around the world.
Kaspersky’s researchers began analyzing the malware in October and determined that it was targeting organizations mostly in Eastern Europe, but also in Western Europe, Central Asia and North America. Targets include trade and commerce organizations, nuclear and energy research groups, oil and gas companies, and the aerospace industry. They also include a handful of non-U.S. diplomatic organizations inside the United States.
The lab does not know who is behind the malware — whether it is a national government, for example, or criminals looking to sell the data to a government.
“Over the past six months, we’re starting to notice a pattern where cybercriminals are stealing information from a bigger scope of targets,” Schouwenberg said.
The lab has counted several hundred infections worldwide, with Russia and other Eastern European countries leading the list. But Iran and the United States also have been hit, according to the report.
Researchers said it is likely there are far more targets that they have been unable to detect.