September 27, 2020

Kaspersky finds COMpfun malware targeting diplomatic entities in Europe


Security researchers from Kaspersky have discovered a new version of the COMpfun malware that relies on HTTP status codes to control the infected host. The malware was first discovered in November last year and has been deployed in attacks against European diplomatic institutions.

This attack was launched by a hacker group called Turla APT. Kaspersky researchers believe the group is an advanced persistent threat funded by the Russian state and engaged in cyber espionage. Moreover, Turla is known for using non-standard and innovative methods to build malware and carry out covert attacks.

Image: securelist

Kaspersky disclosed another new technique used by Turla APT: receiving commands from a command and control (C&C) server in the form of HTTP status codes. The malware in question, COMpfun, is a typical remote access Trojan. It infects the victim, collects system data, records keystrokes and takes screenshots of the user’s desktop, and finally sends all the collected data to the remote C&C server.

The first COMpfun malware came to researchers’ attention in 2014, but Kaspersky said it discovered a new version of COMpfun last year. This upgraded version differs from the older COMpfun iterations.

Kaspersky said that in addition to the classic data collection functions, the new COMpfun version also includes two new features. The first is that it can monitor when a USB removable device is connected to an infected host and then spread to the new device. The second is a new C&C communication system. According to Kaspersky, this new C&C protocol does not use the classic mode of operation, because security researchers and security products usually scan HTTP/HTTPS traffic for familiar malware command patterns: when security personnel see CLI-like parameters in HTTP headers or traffic, it indicates that malicious behaviour is occurring. To avoid this type of detection, the Turla team developed a new client-server C&C protocol based on HTTP status codes.
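The detection gap described above is that a channel carried in HTTP status codes leaves no command string in headers or bodies for a signature to match, so the observable left for defenders is the shape of the responses rather than their content. The following is an added example, not code from Kaspersky or from the article, of one way a defender can profile that shape from proxy logs: for each client/host pair it measures how often the server answers with status codes that ordinary browsing rarely produces, and whether the requests arrive at a steady beacon-like cadence. The log format, the sample lines, the set of "common" codes and all thresholds are constructed assumptions for illustration; the article does not state which status codes COMpfun uses, and the sample values here are not claimed to be them.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log (not real traffic). The format is an assumption,
# loosely modelled on a forward-proxy access log: time, client, host, status.
SAMPLE_LOG = """\
2020-09-27T10:00:00 10.1.1.5 intranet.example.com 200
2020-09-27T10:00:03 10.1.1.5 intranet.example.com 200
2020-09-27T10:00:09 10.1.1.5 cdn.example.net 304
2020-09-27T10:00:15 10.1.1.5 intranet.example.com 404
2020-09-27T10:00:00 10.1.1.7 update.example.org 402
2020-09-27T10:01:00 10.1.1.7 update.example.org 422
2020-09-27T10:02:00 10.1.1.7 update.example.org 402
2020-09-27T10:03:00 10.1.1.7 update.example.org 418
2020-09-27T10:04:00 10.1.1.7 update.example.org 422
2020-09-27T10:05:00 10.1.1.7 update.example.org 402
"""

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d{3})$")

# Status codes that normal browsing produces in bulk; anything else counts as
# "rare" for this heuristic. The set is an assumption and should be tuned from
# a baseline of the monitored network's own traffic.
COMMON_CODES = {200, 201, 204, 206, 301, 302, 304, 307, 308,
                400, 401, 403, 404, 500, 502, 503}


def parse_log(text):
    """Yield (timestamp, client, host, status) tuples, skipping malformed lines."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, client, host, status = m.groups()
        yield datetime.fromisoformat(ts), client, host, int(status)


def profile_status_codes(text):
    """Per (client, host) pair: a Counter of status codes and sorted timestamps."""
    codes = defaultdict(Counter)
    times = defaultdict(list)
    for ts, client, host, status in parse_log(text):
        codes[(client, host)][status] += 1
        times[(client, host)].append(ts)
    for key in times:
        times[key].sort()
    return codes, times


def beacon_regularity(timestamps):
    """Coefficient of variation of the gaps between requests (0.0 = perfectly
    periodic). Returns None when there are too few requests to judge."""
    if len(timestamps) < 3:
        return None
    gaps = [(b - a).total_seconds() for a, b in zip(timestamps, timestamps[1:])]
    avg = mean(gaps)
    if avg == 0:
        return None
    return pstdev(gaps) / avg


def flag_status_code_channels(text, min_requests=5, rare_ratio=0.5, max_cv=0.2):
    """Return [(client, host, findings)] for pairs whose responses are dominated
    by rare status codes AND whose requests arrive at a steady cadence.
    Thresholds are assumptions; either signal alone is a weak indicator."""
    codes, times = profile_status_codes(text)
    flagged = []
    for key, counter in codes.items():
        total = sum(counter.values())
        if total < min_requests:
            continue
        rare = sum(n for code, n in counter.items() if code not in COMMON_CODES)
        ratio = rare / total
        cv = beacon_regularity(times[key])
        if ratio >= rare_ratio and cv is not None and cv <= max_cv:
            flagged.append((key[0], key[1], {
                "rare_ratio": round(ratio, 2),
                "cadence_cv": round(cv, 2),
                "codes": dict(counter),
            }))
    return flagged


if __name__ == "__main__":
    for client, host, findings in flag_status_code_channels(SAMPLE_LOG):
        print(f"{client} -> {host}: {findings}")
```

In the constructed sample, the first client's traffic is short and mixed, so it is never scored; the second client's traffic to a single host is answered only with uncommon codes at an exact one-minute interval and is flagged. On real data the rare-code set and the cadence threshold should come from a baseline of the environment, and a hit is a lead for analysts to pull the full sessions, not a verdict on its own.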