// 01Executive summary

Operation Red October is a long-running cyber-espionage campaign, active since at least 2007 and publicly documented by Kaspersky Lab in 2013, that targeted diplomatic, governmental and scientific research organizations. This report collects the campaign's forensic artifacts as Indicators of Compromise (IOCs) so that system administrators and CERTs can find intrusions on hosts and networks and contain them. On hosts, the highest-value check is for the dropper's executables, which use the names svchost.exe and svclogon.exe to blend in and persist; svchost.exe is also the name of a legitimate Windows binary, so it is the file's location rather than its name that is suspicious, and the check should be made at the specific file paths the indicator set gives rather than by name alone. On the network, match DNS, proxy and flow logs against the command-and-control domains and IP addresses listed below. The CVEs listed below are the Office, Java and Windows Server service vulnerabilities associated with the campaign.

// 02Key metrics

ATT&CK techniques: 2 (not enumerated on this page)
Indicators: 140 (28 IPs, 104 domain-tagged strings, 3 URLs, 5 CVEs; no hashes or e-mail addresses)
Threat groups: 1 (not enumerated on this page)

// 05Indicators of compromise

// ips (28)

  • 141.101.239.225
  • 178.162.129.237
  • 178.162.182.42
  • 178.63.208.49
  • 188.40.19.247
  • 31.184.234.18
  • 31.41.45.9
  • 37.235.54.48
  • 46.4.202.86
  • 77.72.133.161
  • 78.46.173.15
  • 88.198.30.44
  • 88.198.85.161
  • 88.198.85.162
  • 92.53.105.40
  • 95.168.172.69
  • 31.41.45.139
  • 91.226.31.40
  • 178.63.208.63
  • 31.41.45.119
  • 176.9.241.254
  • 31.41.45.179
  • 176.9.189.36
  • 92.53.105.214
  • 188.40.19.244
  • 85.25.104.57
  • 31.184.234.1
  • 88.198.85.16

// domains (57)

  • bb-apps-world.com
  • blackberry-apps-world.com
  • blackberry-update.com
  • csrss-check-new.com
  • csrss-update-new.com
  • csrss-upgrade-new.com
  • dailyinfonews.net
  • dll-host.com
  • dll-host-check.com
  • dll-host-udate.com
  • dll-host-update.com
  • dllupdate.info
  • drivers-check.com
  • drivers-get.com
  • drivers-update-online.com
  • genuine-check.com
  • genuineservicecheck.com
  • genuineupdate.com
  • hotinfonews.com
  • microsoftcheck.com
  • microsoft-msdn.com
  • microsoftosupdate.com
  • mobile-update.com
  • msgenuine.net
  • msinfoonline.org
  • msonlinecheck.com
  • msonlineget.com
  • msonlineupdate.com
  • ms-software-check.com
  • ms-software-genuine.com
  • ms-software-update.com
  • new-driver-upgrade.com
  • nt-windows-check.com
  • nt-windows-online.com
  • nt-windows-update.com
  • osgenuine.com
  • os-microsoft-check.com
  • os-microsoft-update.com
  • security-mobile.com
  • shellupdate.com
  • svchost-check.com
  • svchost-online.com
  • svchost-update.com
  • update-genuine.com
  • win-check-update.com
  • windowscheckupdate.com
  • windows-genuine.com
  • windowsonlineupdate.com
  • win-driver-upgrade.com
  • wingenuine.com
  • wins-driver-check.com
  • wins-driver-update.com
  • wins-update.com
  • winupdateonline.com
  • winupdateos.com
  • world-mobile-congress.com
  • xponlineupdate.com

Match these as whole registered names (exact or subdomain), never by suffix: the hyphen-split fragments such as update.com, get.com or msdn.com that a careless extractor produces from this list are legitimate domains and must not go on a blocklist.

// filenames (26): host artifacts the extractor tagged as domains. The extensions (.msc, .ocx, .dat, .gcp and so on) are not top-level domains; these are dropper, module and data file names and belong in disk and memory searches, not in DNS or proxy matching

  • fsmgmtio32.msc
  • cfsyn.pcs
  • frpdhry.hry
  • ime64ex.ncs
  • io32.ocx
  • lhafd.gcp
  • lsc32i.cmp
  • ocxstate.dat
  • opdocx.gxt
  • sccme.hrp
  • scprd.hrd
  • syncls.gxk
  • lgdrke.swk
  • sdlvk.acx
  • wsdktr.ltp
  • synhfr.pkc
  • scpkrp.gmx
  • rfkscp.pck
  • qsdtlp.rcp
  • p.tmp
  • adt.dat
  • p.dat
  • lsmpdr.vcs
  • mbdsec.sdx
  • scpesc.ecs
  • klsldr.slr

// other strings (6): rule-file, detection-name and IOC-document references swept in by the extractor with their context lost; not indicators

  • et.evil
  • et.compip
  • trojan.rules
  • win32.digitalia
  • at.prague
  • 48290d24-834c-4097-abc5-4f22d3bd8f3c.ioc

// urls (3): reference sites for the formats this indicator set ships in (OpenIOC, Snort and Emerging Threats rules), not campaign infrastructure; do not block or alert on them

  • http://www.openioc.org/
  • http://www.snort.org/
  • https://www.emergingthreats.net/

// sha256 (0)

none

// md5 (0)

none

// emails (0)

none

// cves (5)

  • CVE-2009-3129 (Microsoft Excel, malformed spreadsheet memory corruption)
  • CVE-2010-3333 (Microsoft Word, RTF pFragments stack buffer overflow)
  • CVE-2012-0158 (MSCOMCTL ActiveX control, reachable from Office documents)
  • CVE-2011-3544 (Oracle Java, Rhino script engine sandbox bypass)
  • CVE-2008-4250 (Windows Server service, MS08-067, reachable over SMB)
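The executive summary asks administrators and CERTs to check host file paths and network logs against these indicators. The script below is an added example, not part of the original report or of any Kaspersky tooling, that performs that matching over constructed sample evidence: a DNS query log, a flow log and a list of file paths, all invented here for illustration. The indicator values are a subset of the IPs, domains and file names listed above; the regular expressions assume the log line formats shown in the samples. It handles the two traps a practitioner hits with this list: suffix fragments such as update.com must not match, and svchost.exe is only suspicious outside the directories Windows ships it in.

```python
"""IOC matching for the Red October indicator set (added example).

The indicator values are copied from the lists on this page; the log
formats, host names and file paths are constructed for illustration.
"""
import re
from pathlib import PureWindowsPath

# Subsets of the indicators listed above.
RED_OCTOBER_IPS = {"141.101.239.225", "178.162.129.237", "31.41.45.9", "88.198.85.161"}
RED_OCTOBER_DOMAINS = {"svchost-update.com", "dll-host-check.com",
                       "microsoft-msdn.com", "bb-apps-world.com"}
RED_OCTOBER_FILENAMES = {"svclogon.exe", "fsmgmtio32.msc", "lhafd.gcp",
                         "io32.ocx", "ocxstate.dat"}

# svchost.exe is a dropper name but also a legitimate Windows binary; it is
# only suspicious outside the directories where Windows ships it.
LEGIT_SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def domain_matches(host, iocs):
    """True if host equals an IOC domain or is a subdomain of one.

    Deliberately not a suffix match: fragments like "update.com" are real,
    legitimate domains, and "update.com" must not match
    "blackberry-update.com" either.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in iocs)


def check_dns_log(lines):
    """Return (line_no, queried_name) for queries to listed C2 domains.
    Assumed line format: '<ts> client=<ip> query=<name> type=<rrtype>'."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = re.search(r"\bquery=(\S+)", line)
        if m and domain_matches(m.group(1), RED_OCTOBER_DOMAINS):
            hits.append((n, m.group(1).lower().rstrip(".")))
    return hits


def check_flow_log(lines):
    """Return (line_no, dst_ip) for flows to listed C2 addresses.
    Assumed line format: 'src=<ip> dst=<ip> dport=<port>'. Exact match only;
    a neighbouring address in the same /24 is not an indicator."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = re.search(r"\bdst=(\d{1,3}(?:\.\d{1,3}){3})\b", line)
        if m and m.group(1) in RED_OCTOBER_IPS:
            hits.append((n, m.group(1)))
    return hits


def check_file_paths(paths):
    """Return paths whose file name is a listed artifact, or an svchost.exe
    living outside the legitimate system directories."""
    hits = []
    for p in paths:
        wp = PureWindowsPath(p)
        name = wp.name.lower()
        parent = str(wp.parent).lower()
        if name in RED_OCTOBER_FILENAMES:
            hits.append(p)
        elif name == "svchost.exe" and parent not in LEGIT_SVCHOST_DIRS:
            hits.append(p)
    return hits


# Constructed sample evidence (not real logs).
SAMPLE_DNS = [
    "2013-01-14T10:22:03Z client=10.0.0.5 query=www.example.org type=A",
    "2013-01-14T10:22:09Z client=10.0.0.5 query=svchost-update.com. type=A",
    "2013-01-14T10:23:41Z client=10.0.0.7 query=update.com type=A",
    "2013-01-14T10:24:00Z client=10.0.0.9 query=cdn.dll-host-check.com type=A",
]
SAMPLE_FLOWS = [
    "src=10.0.0.5 dst=93.184.216.34 dport=443",
    "src=10.0.0.5 dst=31.41.45.9 dport=80",
    "src=10.0.0.7 dst=31.41.45.99 dport=80",
]
SAMPLE_PATHS = [
    r"C:\Windows\System32\svchost.exe",
    r"C:\Program Files\Common Files\svchost.exe",
    r"C:\Windows\System32\svclogon.exe",
    r"C:\Documents and Settings\user\Local Settings\Temp\lhafd.gcp",
    r"C:\Windows\System32\kernel32.dll",
]


def scan_all():
    """Run every check over the samples and return one report dict."""
    return {
        "dns": check_dns_log(SAMPLE_DNS),
        "flows": check_flow_log(SAMPLE_FLOWS),
        "files": check_file_paths(SAMPLE_PATHS),
    }


if __name__ == "__main__":
    for kind, hits in scan_all().items():
        for hit in hits:
            print(f"[{kind}] {hit}")
```

Against the samples the DNS check fires on the trailing-dot query for svchost-update.com and on the subdomain of dll-host-check.com but not on update.com; the flow check fires on 31.41.45.9 but not on 31.41.45.99; and the path check flags the svchost.exe under Program Files, svclogon.exe and lhafd.gcp while leaving the System32 svchost.exe alone.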

// 07YARA rule

```yara
// Three rules replace the single original: literal C2 indicators, dropper and
// module file names, and (kept separate because it classifies documents, not
// malware) the report's own wording. The original's placeholder strings
// (hashes of the empty string, generic Win32 API names, a made-up registry key
// and file path, a NOP sled) matched nothing specific to Red October and were
// a false-positive source, so they are not carried over; nor are the
// openioc.org / snort.org / emergingthreats.net URLs, which are references
// rather than indicators.

rule APT_RedOctober_Network_Indicators_2013 {
    meta:
        author = "AI Threat Hunter"
        date = "2023-10-27"
        description = "Red October (active since 2007, disclosed 2013): literal C2 IP addresses and domains from the indicator list. For memory dumps, configuration blobs and captured traffic."
        reference = "Kaspersky Lab 'The Red October Campaign' report (securelist.com/en/blog/785/The_Red_October_Campaign_An_Advanced_Cyber_Espionage_Network_Targeting_Diplomatic_and_Governme)"
        tlp = "WHITE" // Information is publicly available in a whitepaper.

    strings:
        // Command-and-control / proxy addresses.
        $ip1 = "141.101.239.225" ascii wide
        $ip2 = "178.162.129.237" ascii wide
        $ip3 = "178.162.182.42" ascii wide
        $ip4 = "178.63.208.49" ascii wide
        $ip5 = "188.40.19.247" ascii wide
        $ip6 = "31.41.45.9" ascii wide
        $ip7 = "88.198.85.161" ascii wide
        $ip8 = "88.198.85.162" ascii wide

        // Full registered C2 domains only. Hyphen-split suffixes such as
        // "update.com" or "get.com" are legitimate domains and must not be
        // added as strings.
        $dom1  = "bb-apps-world.com" ascii wide nocase
        $dom2  = "blackberry-update.com" ascii wide nocase
        $dom3  = "csrss-check-new.com" ascii wide nocase
        $dom4  = "dll-host-check.com" ascii wide nocase
        $dom5  = "drivers-update-online.com" ascii wide nocase
        $dom6  = "microsoft-msdn.com" ascii wide nocase
        $dom7  = "ms-software-genuine.com" ascii wide nocase
        $dom8  = "nt-windows-update.com" ascii wide nocase
        $dom9  = "svchost-update.com" ascii wide nocase
        $dom10 = "windowsonlineupdate.com" ascii wide nocase
        $dom11 = "world-mobile-congress.com" ascii wide nocase

    condition:
        // A typosquatted C2 domain is specific on its own; a bare IP string
        // needs corroboration, since the same /24s host unrelated servers.
        any of ($dom*) or 2 of ($ip*)
}

rule APT_RedOctober_Host_Artifacts_2013 {
    meta:
        author = "AI Threat Hunter"
        date = "2023-10-27"
        description = "Red October dropper and module file names from the indicator list. Scan memory, process dumps and suspicious executables."
        reference = "Kaspersky Lab 'The Red October Campaign' report (securelist.com/en/blog/785/The_Red_October_Campaign_An_Advanced_Cyber_Espionage_Network_Targeting_Diplomatic_and_Governme)"
        tlp = "WHITE"

    strings:
        // Module and data file names. Their extensions (.msc, .ocx, .gcp ...)
        // are not TLDs: these are disk and memory strings, not domains.
        $f1  = "fsmgmtio32.msc" ascii wide nocase
        $f2  = "cfsyn.pcs" ascii wide nocase
        $f3  = "frpdhry.hry" ascii wide nocase
        $f4  = "ime64ex.ncs" ascii wide nocase
        $f5  = "io32.ocx" ascii wide nocase
        $f6  = "lhafd.gcp" ascii wide nocase
        $f7  = "lsc32i.cmp" ascii wide nocase
        $f8  = "ocxstate.dat" ascii wide nocase
        $f9  = "opdocx.gxt" ascii wide nocase
        $f10 = "sccme.hrp" ascii wide nocase
        $f11 = "scprd.hrd" ascii wide nocase
        $f12 = "syncls.gxk" ascii wide nocase
        $f13 = "lgdrke.swk" ascii wide nocase
        $f14 = "sdlvk.acx" ascii wide nocase
        $f15 = "wsdktr.ltp" ascii wide nocase
        $f16 = "synhfr.pkc" ascii wide nocase
        $f17 = "scpkrp.gmx" ascii wide nocase
        $f18 = "rfkscp.pck" ascii wide nocase
        $f19 = "qsdtlp.rcp" ascii wide nocase
        $f20 = "lsmpdr.vcs" ascii wide nocase
        $f21 = "mbdsec.sdx" ascii wide nocase
        $f22 = "scpesc.ecs" ascii wide nocase
        $f23 = "klsldr.slr" ascii wide nocase
        // Dropper executable named in the summary. svchost.exe is deliberately
        // absent (it is a legitimate Windows binary name), and p.tmp, p.dat and
        // adt.dat are too short and generic to be useful as strings.
        $exe = "svclogon.exe" ascii wide nocase

    condition:
        2 of them
}

rule RedOctober_Report_Text {
    meta:
        author = "AI Threat Hunter"
        date = "2023-10-27"
        description = "Tags copies of, or documents quoting, the Kaspersky Lab Red October report and its Mitigation Data annex. This identifies documents about the campaign, not the malware; do not treat a hit as an infection."
        tlp = "WHITE"

    strings:
        // One definition per phrase: the 'wide' modifier already produces the
        // UTF-16 form, so spelling out \x00 bytes as the original did would
        // have searched for a doubly widened string that never occurs.
        $s1 = "Red October" ascii wide nocase
        $s2 = "Indicators of Compromise" ascii wide nocase
        $s3 = "Mitigation Data" ascii wide nocase
        $s4 = "Version 1.4" ascii wide nocase
        $s5 = "Kaspersky Lab" ascii wide nocase
        $s6 = "securelist.com" ascii wide nocase

    condition:
        $s1 and 3 of ($s2, $s3, $s4, $s5, $s6)
}
```
