Russian hacker group use HTTP status codes to control malware implants

silversurfer
Security researchers from Kaspersky have identified a new version of the COMpfun malware that controls infected hosts using a mechanism that relies on HTTP status codes.

The malware was first spotted last year, in November, and has been deployed in attacks against diplomatic entities across Europe.

Responsible for the attacks is a group known as Turla, a state-sponsored Russian threat actor that has historically engaged in cyber-espionage operations.

In a report published today, Kaspersky has revealed another of Turla's novel techniques -- namely malware that receives instructions from command and control (C&C) servers in the form of HTTP status codes.

This particular malware is named COMpfun, and is a classic remote access trojan (RAT) that infects victims and then collects system data, logs keystrokes, and takes screenshots of the user's desktop. All collected data is exfiltrated to a remote C&C server.

The first COMpfun version was seen in the wild in 2014, and detailed in a G DATA report here. Today, Kaspersky says that they spotted a new COMpfun version last year.
Full report by Kaspersky:
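The post describes a RAT that takes its commands from the HTTP status code of the C&C reply rather than from the response body. One defensive consequence is that a polling client which keeps receiving rare status codes with empty bodies from one host stands out in proxy logs. The script below is an added example, not code from the article or from Kaspersky's report: the log format, the hostnames and the status codes are constructed, and the real command-to-code mapping used by COMpfun is not given on this page.

```python
"""Flag (client, host) pairs in web proxy logs whose responses are mostly
rare HTTP status codes with (near-)empty bodies, i.e. a channel where the
status code itself, not the body, carries information.
Added example; log lines, hosts and codes below are constructed."""
import re
from collections import defaultdict

# Constructed log layout: timestamp client host method path status bytes
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<host>\S+) (?P<method>[A-Z]+) "
    r"(?P<path>\S+) (?P<status>\d{3}) (?P<bytes>\d+)$"
)
# Codes a normal browsing session routinely sees; anything else is "rare".
COMMON_STATUS = {200, 204, 206, 301, 302, 303, 304, 307, 308,
                 400, 401, 403, 404, 500, 502, 503}

SAMPLE_LOG = """\
2020-05-14T10:00:01 10.0.0.5 news.example.net GET /index.html 200 48213
2020-05-14T10:00:02 10.0.0.5 news.example.net GET /style.css 304 0
2020-05-14T10:00:05 10.0.0.7 cdn.example-upd.test GET /check 402 0
2020-05-14T10:00:35 10.0.0.7 cdn.example-upd.test GET /check 422 0
2020-05-14T10:01:05 10.0.0.7 cdn.example-upd.test GET /check 427 0
2020-05-14T10:01:35 10.0.0.7 cdn.example-upd.test GET /check 200 12
2020-05-14T10:02:05 10.0.0.7 cdn.example-upd.test GET /check 431 0
2020-05-14T10:02:35 10.0.0.7 cdn.example-upd.test GET /check 402 0
"""

def parse(log_text):
    """Yield parsed fields for each well-formed line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["status"], d["bytes"] = int(d["status"]), int(d["bytes"])
            yield d

def suspicious_pairs(log_text, min_requests=5, rare_ratio=0.5, max_body=64):
    """Return {(client, host): stats} for pairs polled at least min_requests
    times where at least rare_ratio of replies are rare codes with tiny bodies."""
    stats = defaultdict(lambda: {"total": 0, "rare": 0, "codes": set()})
    for r in parse(log_text):
        s = stats[(r["client"], r["host"])]
        s["total"] += 1
        if r["status"] not in COMMON_STATUS and r["bytes"] < max_body:
            s["rare"] += 1
            s["codes"].add(r["status"])
    return {k: v for k, v in stats.items()
            if v["total"] >= min_requests and v["rare"] / v["total"] >= rare_ratio}

if __name__ == "__main__":
    for (client, host), s in suspicious_pairs(SAMPLE_LOG).items():
        print(f"{client} -> {host}: {s['rare']}/{s['total']} rare codes {sorted(s['codes'])}")
```

The thresholds are starting points for a hunt, not a signature; tune them against the status code distribution of your own proxy before alerting on them.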
