Russian APT Turla COMpfun malware uses HTTP status codes – Security Affairs


The Russia-linked APT group Turla is targeting diplomatic missions in Europe with a newly tracked version of its COMpfun malware.

Security researchers at Kaspersky Lab have uncovered a new cyber-espionage campaign by the Russian APT Turla that uses a new version of the COMpfun malware. The new variant lets the attackers control infected hosts through HTTP status codes.

COMpfun was first seen in the wild by G DATA researchers in 2014; Kaspersky first observed the new variant in the fall of 2019, when it was used to attack diplomatic missions across Europe.

You may remember that in the fall of 2019, we published an article on how the successor to COMpfun, called Reductor, infected files on the fly to interfere with TLS traffic. The organisers of the campaign continued to focus on the diplomatic structures, this time in Europe, and distributed the first drop in the form of a false visa application.

Since 2007, the Turla APT group (also known as Snake, Uroburos, Waterbug, Venomous Bear and KRYPTON) has been actively targeting diplomatic and governmental organizations and private companies in the Middle East, Asia, Europe, North and South America and the countries of the former Soviet bloc.

The list of known victims is long and includes the Swiss defense company RUAG, the U.S. State Department and the U.S. Central Command.

In March, the APT group used two new pieces of malware in a watering hole attack on several high-profile Armenian websites.

The COMpfun variant analysed by Kaspersky implements a new method for receiving commands from the C2: the commands are encoded as HTTP status codes.

COMpfun is a Remote Access Trojan (RAT) that can collect system data, record keystrokes and take screenshots.


The new version of COMpfun includes two new features: the ability to detect when removable USB devices are connected to or disconnected from the host, and the above-mentioned C2 communication technique.

The first feature lets the malware propagate to the connected USB device.

The second feature was implemented to avoid detection: the Turla vxers introduced a new C2 protocol based on HTTP status codes.

HTTP status codes report the outcome of a request and tell the client what action to take next (e.g. that an error occurred). COMpfun abuses this mechanism to control the bot running on compromised systems.

We have seen an interesting C2 communication protocol that uses rare HTTP/HTTPS status codes (see IETF RFC 7231, 6585, 4918). Different HTTP status codes (422-429) of the client error class allow the Trojan to know what the operators want to do. As soon as the management server sends the Payment Required (402) status, all these previously received orders are executed.

For example, if the COMpfun C2 server responds with status code 402 followed by status code 200, the malicious code sends the collected target data to the C2 together with the current tickcount.

Below is the list of commands associated with the HTTP status codes the malware understands:

HTTP status | IETF status meaning | Corresponding control functionality
200 | OK | Send the collected target data to the C2 with the current tickcount
402 | Payment Required | This status signals the Trojan to process the received (and stored in a binary flag) HTTP statuses as commands
422 | Unprocessable Entity (WebDAV) | Uninstall. Remove the COM-hijacking persistence and the corresponding files on disk
423 | Locked (WebDAV) | Install. Create COM-hijacking persistence and drop the corresponding files to disk
424 | Failed Dependency (WebDAV) | Fingerprint target. Send host, network and geolocation data
427 | Unassigned HTTP status | Fetch the new command into the IEA94E3.tmp file in %TEMP%, decrypt the appended command and execute it
428 | Precondition Required | Propagate to USB devices on the target
429 | Too Many Requests | Enumerate network resources on the target
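The distinctive feature of this protocol, from a defender's point of view, is the pairing: a run of rarely used client-error statuses (422-429) from one server, followed by a 402 from the same server, which almost no legitimate web service ever returns. The following is an added example of a proxy-log check built on that observation; it is not code from the article or from Kaspersky, and the log format (timestamp, client, method, URL, status) and the sample lines are constructed for the example.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample proxy log (not real traffic): "<epoch> <client> <method> <url> <status>".
# 10.0.0.7 shows the 423, 424 ... 402 pattern described in the report; 10.0.0.9 shows
# an ordinary 429 rate-limit response that never gets a 402 "execute" trigger.
SAMPLE_LOG = """\
1589200001 10.0.0.7 GET http://update.example.test/check 200
1589200062 10.0.0.7 GET http://update.example.test/check 423
1589200123 10.0.0.7 GET http://update.example.test/check 424
1589200184 10.0.0.7 GET http://update.example.test/check 402
1589200245 10.0.0.7 POST http://update.example.test/check 200
1589200300 10.0.0.9 GET http://files.example.test/doc.pdf 404
1589200361 10.0.0.9 GET http://files.example.test/doc.pdf 429
1589200422 10.0.0.9 GET http://files.example.test/doc.pdf 200
"""

# Status codes the report maps to COMpfun commands, and the 402 that tells the bot to act on them.
COMMAND_STATUSES = {422, 423, 424, 427, 428, 429}
TRIGGER_STATUS = 402

LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (\S+) (\d{3})$")

Record = Tuple[int, str, str, int]


def parse_log(text: str) -> List[Record]:
    """Return (timestamp, client, host, status) tuples; malformed lines are skipped."""
    records: List[Record] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client, _method, url, status = m.groups()
        host = re.sub(r"^https?://", "", url).split("/", 1)[0]
        records.append((int(ts), client, host, int(status)))
    return records


def find_status_code_c2(records: List[Record], window_seconds: int = 900) -> Dict[Tuple[str, str], List[int]]:
    """Flag (client, host) pairs where one or more command-class statuses are followed,
    within window_seconds, by a 402 from the same host. Returns the suspicious status
    sequence per flagged pair. A lone 429 or 423 is not flagged: real servers return those."""
    by_pair: Dict[Tuple[str, str], List[Tuple[int, int]]] = defaultdict(list)
    for ts, client, host, status in sorted(records):
        by_pair[(client, host)].append((ts, status))

    alerts: Dict[Tuple[str, str], List[int]] = {}
    for pair, seq in by_pair.items():
        pending: List[Tuple[int, int]] = []  # command-class statuses not yet "triggered"
        for ts, status in seq:
            if status in COMMAND_STATUSES:
                pending.append((ts, status))
            elif status == TRIGGER_STATUS and pending:
                recent = [s for t, s in pending if ts - t <= window_seconds]
                if recent:
                    alerts[pair] = recent + [TRIGGER_STATUS]
                pending = []
    return alerts


if __name__ == "__main__":
    for (client, host), statuses in find_status_code_c2(parse_log(SAMPLE_LOG)).items():
        print(f"ALERT {client} -> {host}: status sequence {statuses}")
```

The check deliberately keys on the 402 trigger rather than on the individual 4xx codes, because 422, 423 and 429 occur in legitimate WebDAV and rate-limited traffic; the time window keeps a stale 429 from last week from pairing with an unrelated 402 today. On real proxy logs the parser's regular expression is the only part that needs adapting.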

The malware operators continued to focus on diplomatic entities, and their choice of a visa-related application stored in a shared folder on the local network as the initial infection vector worked to their advantage. The combination of a tailored approach to their targets and the ability to generate and execute their ideas certainly makes the developers behind COMpfun a strong offensive team.

Pierluigi Paganini

(SecurityAffairs – Turla, malware)
