Geeks for your information Security Security Vendors Kaspersky Kaspersky Security Blog v
COMpfun authors spoof visa application with HTTP status-based Trojan
COMpfun authors spoof visa application with HTTP status-based Trojan
harlan4096 Online
MalWare Zoo Team
*******
Posts: 15,352
Threads: 9,929
Thanks Received: 9,193 in 7,345 posts
Thanks Given: 10,043
Joined: 12 September 18
#1
Bug  17 May 20, 06:39
Quote:
[Image: sl_compfunreductor_01.jpg]

You may remember that in autumn 2019 we published a story about how a COMpfun successor known as Reductor infected files on the fly to compromise TLS traffic. If you’re wondering whether the actor behind the malware is still developing new features, the answer is yes. Later in November 2019 our Attribution Engine revealed a new Trojan with strong code similarities. Further research showed that it was obviously using the same code base as COMPFun.

What’s of interest inside

The campaign operators retained their focus on diplomatic entities, this time in Europe, and spread the initial dropper as a spoofed visa application. It is not clear to us exactly how the malicious code is being delivered to a target. The legitimate application was kept encrypted inside the dropper, along with the 32- and 64-bit next stage malware.We observed an interesting C2 communication protocol utilizing rare HTTP/HTTPS status codes (check IETF RFC 7231, 6585, 4918).

Several HTTP status codes (422-429) from the Client Error class let the Trojan know what the operators want to do. After the control server sends the status “Payment Required” (402), all these previously received commands are executed.

The authors keep the RSA public key and unique HTTP ETag in encrypted configuration data. Created for web content caching reasons, this marker could also be used to filter unwanted requests to the C2, e.g., those that are from network scanners rather than targets. Besides the aforementioned RSA public key to communicate with the C2, the malware also uses a self-generated AES-128 key.

Who is the author?

We should mention here once again that the COMPfun malware was initially documented by G-DATA in 2014; and although the company did not identify which APT was using the malware. Based mostly on victimology, we were able to associate it with the Turla APT with medium-to-low level of confidence.

What the Trojan is able to do

Its functions include the ability to acquire the target’s geolocation, gathering host- and network-related data, keylogging and screenshots. In other words, it’s a normal full-fledged Trojan that is also capable of propagating itself to removable devices.

As in previous malware from the same authors, all the necessary function addresses resolve dynamically to complicate analysis. To exfiltrate the target’s data to the C2 over HTTP/HTTPS, the malware uses RSA encryption. To hide data locally, the Trojan implements LZNT1 compression and one-byte XOR encryption.
...
Continue Reading
Find
Reply


Messages In This Thread
COMpfun authors spoof visa application with HTTP status-based Trojan - by harlan4096 - 17 May 20, 06:39

Forum Jump:


Users browsing this thread: 1 Guest(s)
[-]
Welcome
You have to register before you can post on our site.

Username/Email:


Password:

[-]
Recent Posts
Version 9.6.4 for Windows
Version 9.6.4 for ...harlan4096 — 06:46
AMD confirms focus shifts to RDNA3 and R...
Goodbye Radeon RX ...harlan4096 — 06:45
F-Droid says Google's statement about "S...
A month ago, F-Dro...harlan4096 — 06:44
Google Chrome to enable HTTPS by default...
Google has announc...harlan4096 — 06:41
Revo Registry Cleaner
Revo Registry Cleane...jasonX — 01:51

[-]
Birthdays
Today's Birthdays
No birthdays today.
Upcoming Birthdays
No upcoming birthdays.

[-]
Online Staff
There are no staff members currently online.

>