A new version of the COMpfun Remote Access Trojan (RAT), which is controlled through uncommon HTTP status codes, has been used in attacks on European diplomatic entities.
This malware was first detected and analyzed by G-Data in 2014. Another Trojan with strong code similarities, capable of executing man-in-the-middle (MitM) attacks on encrypted traffic, was discovered in 2019 by Kaspersky and later named Reductor.
Although G-Data did not attribute COMpfun to any particular malware author, Kaspersky associates it with the Turla APT with medium-to-low confidence, based on the victims targeted by the operators.
Remote access Trojan update
The new version of the COMpfun malware was discovered by Kaspersky in November 2019 and has all the features expected of a RAT.
Once the target system is infected, it starts collecting information about its host, packages it and sends it to its command and control (C2) servers.
COMpfun collects geolocation and system data, logs window titles and all keystrokes on the compromised system, and takes screenshots to capture sensitive information on the victim's screen.
COMpfun infection chain (Kaspersky)
However, unlike other RATs, this one can spread to other (possibly air-gapped) devices by checking for and infecting every removable device connected to the compromised machine.
"If initialization is successful, the malware starts another thread to handle Windows messages and looks for removable devices through the WM_DEVICECHANGE event," Kaspersky explains.
The module runs its own handlers whenever a USB device is connected to or disconnected from the host.
COMpfun capabilities (Kaspersky)
Malware controlled by HTTP status codes
The most interesting addition in this new version of COMpfun is the HTTP status-based communication module, which lets the malware operators evade detection by avoiding known malicious traffic patterns.
"We have seen an interesting C2 communication protocol that uses rare HTTP/HTTPS status codes (see IETF RFC 7231, 6585, 4918)," Kaspersky researchers said.
Depending on the HTTP status code that a COMpfun-infected system receives from the C2 server, the attackers can order it to exfiltrate all collected data, gain persistence, fingerprint the host, enumerate network resources, propagate to USB drives, and so on.
A full list of the codes used to control compromised systems, their RFC status values and the corresponding command functionality is given in the table below.
HTTP status codes used to manage infected hosts (Kaspersky)
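The page does not reproduce Kaspersky's table of the specific codes COMpfun reacts to, but the detection idea follows from the protocol description: a single internal host repeatedly receiving several distinct, rarely seen status codes from the same external server is unusual for normal browsing. The following is an added defender-side example, not code from the original article or from Kaspersky, that scans constructed proxy log lines for exactly that pattern. The set of "rare" codes it keys on is taken from the RFCs the report cites (4918, 6585, 7231) and is an assumption about what is worth flagging, not the malware's actual command table.

```python
import re
from collections import defaultdict

# Constructed sample proxy log lines (not taken from the report).
# Format: client method host status bytes
SAMPLE_PROXY_LOG = """\
10.0.1.15 GET www.example-news.test 200 5120
10.0.1.15 GET cdn.example-news.test 304 0
10.0.1.22 POST update.example-vendor.test 422 312
10.0.1.22 POST update.example-vendor.test 429 298
10.0.1.22 POST update.example-vendor.test 511 305
10.0.1.22 POST update.example-vendor.test 423 301
10.0.1.30 GET mail.example-corp.test 302 0
10.0.1.22 POST update.example-vendor.test 424 300
"""

# Status codes defined in the RFCs the report names that seldom appear in
# ordinary web browsing. This is an assumed watch-list for the detector,
# not the list of codes COMpfun itself uses (the page does not give that table).
RARE_STATUS_CODES = {
    # RFC 4918 (WebDAV)
    422: "Unprocessable Entity",
    423: "Locked",
    424: "Failed Dependency",
    507: "Insufficient Storage",
    # RFC 6585 (additional HTTP status codes)
    428: "Precondition Required",
    429: "Too Many Requests",
    431: "Request Header Fields Too Large",
    511: "Network Authentication Required",
    # RFC 7231 codes that are rare in normal client traffic
    402: "Payment Required",
    417: "Expectation Failed",
    426: "Upgrade Required",
    505: "HTTP Version Not Supported",
}

LOG_RE = re.compile(
    r"^(?P<client>\S+) (?P<method>[A-Z]+) (?P<host>\S+) (?P<status>\d{3}) (?P<bytes>\d+)$"
)


def parse_proxy_log(text):
    """Parse the simple proxy log format above into a list of dicts.

    Malformed lines are skipped rather than raising, so a single bad
    record does not abort the scan of a large log.
    """
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["status"] = int(rec["status"])
        rec["bytes"] = int(rec["bytes"])
        records.append(rec)
    return records


def find_rare_status_beacons(records, min_distinct_codes=3):
    """Return {(client, host): [sorted rare codes]} for pairs where the client
    received at least `min_distinct_codes` distinct rare status codes.

    Several different rare codes from one server to one client is the signal:
    a legitimate server tends to return the same code (e.g. 429) repeatedly,
    whereas a status-code-driven C2 channel cycles through several.
    """
    seen = defaultdict(set)
    for rec in records:
        if rec["status"] in RARE_STATUS_CODES:
            seen[(rec["client"], rec["host"])].add(rec["status"])
    return {
        pair: sorted(codes)
        for pair, codes in seen.items()
        if len(codes) >= min_distinct_codes
    }


def describe(hits):
    """Render hits as human-readable alert lines with the RFC reason phrases."""
    lines = []
    for (client, host), codes in sorted(hits.items()):
        names = ", ".join(f"{c} {RARE_STATUS_CODES[c]}" for c in codes)
        lines.append(f"{client} <- {host}: {len(codes)} distinct rare codes ({names})")
    return lines


if __name__ == "__main__":
    hits = find_rare_status_beacons(parse_proxy_log(SAMPLE_PROXY_LOG))
    for line in describe(hits):
        print(line)
```

Tune `min_distinct_codes` and the watch-list to the environment: a WebDAV or API-heavy network legitimately produces some of these codes, so the useful signal is variety of rare codes per client/server pair, combined with the POST-only, fixed-size request bodies visible in the sample.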
According to Kaspersky, the malware operators kept their focus on diplomatic entities, and their choice of a visa-related application stored in a shared folder on the local network as the initial infection vector worked in their favor.
The combination of a tailored approach to their targets and the ability to generate and execute their ideas undoubtedly makes the developers behind COMpfun a strong offensive team.
For more information on the inner workings of the COMpfun RAT and the Indicators of Compromise (IOCs), see Kaspersky's full report on the newly discovered version.