Turla Group Armed With A New Version Of The Malware Compfun

Megiddo
The malware monitors infected hosts using a mechanism based on HTTP status codes.

Security researchers from Kaspersky Lab have discovered a new version of COMpfun malware that monitors infected hosts using a mechanism based on HTTP status codes. The malware was first detected in November last year and was used by Turla to attack cybercriminals across Europe.

COMpfun is a remote access Trojan (RAT) that infects victims' devices, collects system data, logs keystrokes and takes screenshots of the user's desktop. All collected data is sent to a remote C&C server. The new version differs from earlier ones: besides the classic data collection functions, it includes two new additions.

The first change is the ability to track the connection of removable USB devices to an infected host and then spread to the newly attached device. Experts suggest that Turla uses this mechanism to infect physically isolated (air-gapped) systems.

The second addition is a new communication scheme with the C&C server. It does not follow the classic pattern in which the server sends commands directly to infected hosts as HTTP or HTTPS requests carrying clearly defined commands.

To avoid detection, Turla has developed a new server-client protocol based on HTTP status codes. HTTP status codes are internationally standardized responses that a server returns to a connecting client. They report the outcome of a request and are used to tell the client what to do next, for example reset the connection, provide credentials, update the connection, and so on.

Turla adapted this basic server-client mechanism, which has existed for decades, to the COMpfun C&C protocol, with the COMpfun implants on infected hosts playing the role of clients.
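Because a status-code channel leaves almost nothing in request or response bodies, one place a defender can still see it is the web proxy log: a single client that keeps polling one host and receives a varied mix of uncommon status codes is behaving unlike a normal browser. The heuristic below is an added example written for this post, not code from the article or from Kaspersky's report; the log format, hosts, addresses and status codes are all constructed, and the thresholds are assumptions to tune against your own traffic.

```python
import re
from collections import Counter, defaultdict

# Constructed proxy log: "timestamp client method url status". Not real traffic.
SAMPLE_LOG = """\
2020-05-14T10:00:01 10.0.0.5 GET https://updates.example.com/check 200
2020-05-14T10:00:31 10.0.0.5 GET https://updates.example.com/check 200
2020-05-14T10:01:01 10.0.0.7 GET https://beacon.example.net/index 418
2020-05-14T10:01:31 10.0.0.7 GET https://beacon.example.net/index 402
2020-05-14T10:02:01 10.0.0.7 GET https://beacon.example.net/index 418
2020-05-14T10:02:31 10.0.0.7 GET https://beacon.example.net/index 426
2020-05-14T10:03:01 10.0.0.7 GET https://beacon.example.net/index 200
2020-05-14T10:03:31 10.0.0.7 GET https://beacon.example.net/index 451
2020-05-14T10:04:01 10.0.0.9 GET https://cdn.example.org/a.js 404
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)
# Codes a healthy client routinely sees; everything else counts as uncommon.
COMMON_STATUS = {200, 201, 204, 206, 301, 302, 304, 307, 404}


def parse_line(line):
    """Return (client, host, status) for one log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    host = m.group("url").split("/", 3)[2]  # scheme://host/path -> host
    return m.group("client"), host, int(m.group("status"))


def find_status_code_channels(log_text, min_requests=5, min_uncommon_share=0.5, min_distinct=2):
    """Return (client, host, Counter) for client/host pairs that look like status-code signalling.

    A broken endpoint tends to return the same error every time; a signalling
    channel needs several different codes, so both the share of uncommon codes
    and the number of distinct uncommon codes must be high.
    """
    codes = defaultdict(Counter)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            client, host, status = parsed
            codes[(client, host)][status] += 1
    findings = []
    for (client, host), counter in codes.items():
        total = sum(counter.values())
        if total < min_requests:
            continue
        uncommon = {s: n for s, n in counter.items() if s not in COMMON_STATUS}
        share = sum(uncommon.values()) / total
        if share >= min_uncommon_share and len(uncommon) >= min_distinct:
            findings.append((client, host, counter))
    return findings


if __name__ == "__main__":
    for client, host, counter in find_status_code_channels(SAMPLE_LOG):
        print(f"suspicious polling: {client} -> {host}: {dict(counter)}")
```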