A new version of COMpfun remote accessibility trojan (RAT) has been identified in the wild that utilizes HTTP status codes to command compromised programs qualified in a new marketing campaign from diplomatic entities in Europe.
The cyberespionage malware—traced to Turla APT with “medium-to-lower level of confidence” based on the record of compromised victims—spread by means of an initial dropper that masks alone as a visa software, the World Research and Analysis Group at Kaspersky found.
The Turla APT, a Russian-based mostly danger group, has a long record of carrying out espionage and watering gap attacks spanning numerous sectors, together with governments, embassies, armed service, training, exploration, and pharmaceutical organizations.
Initial documented by G-Info in 2014, COMpfun obtained a sizeable upgrade previous year (known as “Reductor”) following Kaspersky located that the malware was utilized to spy on a victim’s browser activity by staging guy-in-the-middle (MitM) attacks on encrypted internet targeted traffic through a tweak in the browser’s random quantities generator (PRNG).
In addition to working as a absolutely-showcased RAT capable of capturing keystrokes, screenshots, and exfiltrating sensitive info, this new variant of COMpfun screens for any removable USB gadgets plugged to the contaminated systems to unfold additional and gets instructions from an attacker-controlled server in the kind of HTTP status codes.
“We observed an appealing C2 conversation protocol employing rare HTTP/HTTPS position codes (look at IETF RFC 7231, 6585, 4918),” the researchers reported. “A number of HTTP position codes (422-429) from the Customer Error class allow the Trojan know what the operators want to do. Just after the management server sends the position ‘Payment Required’ (402), all these formerly received commands are executed.”
HTTP standing codes are standardized responses issued by a server in response to a client’s request made to the server. By issuing remote instructions in the variety of status codes, the thought is to obfuscate any detection of malicious action while scanning net traffic.
“The authors keep the RSA public key and special HTTP ETag in encrypted configuration information. Developed for internet written content caching causes, this marker could also be employed to filter undesirable requests to the C2, e.g., individuals that are from community scanners instead than targets.”
“To exfiltrate the target’s facts to the C2 over HTTP/HTTPS, the malware makes use of RSA encryption. To conceal data domestically, the Trojan implements LZNT1 compression and a single-byte XOR encryption.”
Although the specific modus operandi powering how the destructive visa software is sent to a target remains unclear, the initial dropper, upon download, runs the up coming phase of malware, which communicates with the command-and-regulate (C2) server working with an HTTP position-based mostly module.
“The malware operators retained their focus on diplomatic entities, and the option of a visa-similar application — stored on a directory shared inside the neighborhood community — as the preliminary an infection vector worked in their favor,” Kaspersky scientists concluded.
“The mix of a tailored method to their targets and the potential to generate and execute their strategies surely makes the builders at the rear of COMpfun a powerful offensive group.