Security experts from Kaspersky Lab have uncovered a new cyberespionage campaign carried out by Russia-linked APT Turla that employs a new version of the COMpfun malware. The new malware allows attackers to control infected hosts using a technique that relies on HTTP status codes.
COMpfun was first spotted in the wild in 2014 by G DATA researchers; Kaspersky first observed the threat in autumn 2019, when it was employed in attacks against diplomatic entities across Europe.
“You may remember that in autumn 2019 we published a story about how a COMpfun successor known as Reductor infected files on the fly to compromise TLS traffic.” reads the analysis published by Kaspersky. “The campaign operators retained their focus on diplomatic entities, this time in Europe, and spread the initial dropper as a spoofed visa application.”
The Turla APT group (aka Snake, Uroburos, Waterbug, Venomous Bear and KRYPTON) has been active since at least 2007 targeting diplomatic and government organizations and private businesses in the Middle East, Asia, Europe, North and South America, and former Soviet bloc nations.
The list of previously known victims is long and also includes the Swiss defense firm RUAG, the US Department of State, and the US Central Command.
In March the APT group employed two new pieces of malware in watering hole attacks targeting several high-profile Armenian websites.
The COMpfun malware analyzed by Kaspersky implements a new technique for receiving commands from the C2 server in the form of HTTP status codes.
COMpfun is a remote access trojan (RAT) that collects system data, logs keystrokes, and takes screenshots.
The new variant of the COMpfun malware includes two new features: the ability to monitor when USB removable devices are plugged into or unplugged from the host, and the C2 communication technique mentioned above.
The first feature was implemented to allow the malware to propagate itself to the connected device.
The second feature was implemented to avoid detection: Turla's malware authors implemented a new C2 protocol that relies on HTTP status codes.
HTTP status codes report the state of the server and instruct the client on what to do next (for example, drop the connection); COMpfun abuses this mechanism to control the bot running on the compromised system.
“We observed an interesting C2 communication protocol utilizing rare HTTP/HTTPS status codes (check IETF RFC 7231, 6585, 4918). Several HTTP status codes (422-429) from the Client Error class let the Trojan know what the operators want to do. After the control server sends the status “Payment Required” (402), all these previously received commands are executed.” continues the analysis.
For example, if the C2 server responds with a 402 status code followed by a 200 status code, the malicious code sends the collected target data to the C2 server together with the current tickcount.
Below is the list of commands associated with the HTTP status codes:
|HTTP status|RFC status meaning|Corresponding command functionality|
|---|---|---|
|200|OK|Send collected target data to C2 with current tickcount|
|402|Payment Required|This status is the signal to process received (and stored in binary flag) HTTP statuses as commands|
|422|Unprocessable Entity (WebDAV)|Uninstall. Delete COM-hijacking persistence and corresponding files on disk|
|423|Locked (WebDAV)|Install. Create COM-hijacking persistence and drop corresponding files to disk|
|424|Failed Dependency (WebDAV)|Fingerprint target. Send host, network and geolocation data|
|427|Undefined HTTP status|Get new command into IEA94E3.tmp file in %TEMP%, decrypt and execute appended command|
|428|Precondition Required|Propagate self to USB devices on target|
|429|Too Many Requests|Enumerate network resources on target|
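As an added example (not part of the article or of Kaspersky's analysis), the following Python snippet shows how a defender could hunt for the status-code C2 pattern described above in web proxy logs: it queues any response in the 422-429 range per client/destination pair and raises an alert when a 402 "Payment Required" follows from the same destination. The log line layout, the window size and the sample lines are constructed assumptions.

```python
import re
from collections import defaultdict

# Status-to-command mapping taken from the table above.
COMMAND_CODES = {
    422: "uninstall",
    423: "install",
    424: "fingerprint",
    427: "fetch-and-execute",
    428: "propagate-usb",
    429: "enumerate-network",
}
TRIGGER = 402  # "Payment Required": execute the queued commands

# Assumed proxy log layout (constructed for this example):
# "<timestamp> <client_ip> <dest_host> <status>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3})$")

def detect_status_code_c2(log_lines, window=20):
    """Return alerts for (client, dest) pairs where one or more statuses in
    422-429 are followed by a 402 from the same dest within `window` lines."""
    pending = defaultdict(list)  # (client, dest) -> queued (line_no, code)
    alerts = []
    for line_no, line in enumerate(log_lines, 1):
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the assumed layout
        client, dest, code = m.group(2), m.group(3), int(m.group(4))
        key = (client, dest)
        # Expire queued codes that fall outside the window.
        pending[key] = [(n, c) for n, c in pending[key] if line_no - n <= window]
        if code in COMMAND_CODES:
            pending[key].append((line_no, code))
        elif code == TRIGGER and pending[key]:
            alerts.append({"client": client, "dest": dest, "trigger_line": line_no,
                           "commands": [COMMAND_CODES[c] for _, c in pending[key]]})
            pending[key] = []  # the queue is consumed on 402
    return alerts

# Constructed sample: benign traffic (a lone 429 rate limit with no 402)
# alongside a suspicious 423, 424, 402, 200 sequence to one destination.
SAMPLE_LOG = [
    "2020-05-14T10:00:01 10.0.0.5 intranet.example 200",
    "2020-05-14T10:00:02 10.0.0.5 c2.example 423",
    "2020-05-14T10:00:03 10.0.0.5 c2.example 424",
    "2020-05-14T10:00:04 10.0.0.7 api.example 429",
    "2020-05-14T10:00:05 10.0.0.5 c2.example 402",
    "2020-05-14T10:00:06 10.0.0.5 c2.example 200",
]
```

A lone 429 from a rate-limiting API produces no alert; only the queued-then-triggered sequence does, which keeps the rule from firing on ordinary WebDAV or rate-limit responses.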
“The malware operators retained their focus on diplomatic entities and the choice of a visa-related application – stored on a directory shared within the local network – as the initial infection vector worked in their favor. The combination of a tailored approach to their targets and the ability to generate and execute their ideas certainly makes the developers behind COMPFun a strong offensive team.” concludes Kaspersky.
(SecurityAffairs – Turla, malware)