Security researchers at Kaspersky have identified a new version of the COMpfun malware that controls infected hosts through a mechanism based on HTTP status codes.
The malware was first found last year and it was used in attacks against diplomatic entities across Europe.
The attacks are attributed to Turla, a Russian state-sponsored group with a long record of cyber-espionage operations.
Turla is known for using several non-standard and innovative methods to build malware and carry out stealthy attacks.
The group has hijacked telecommunications satellite links to deliver malware to remote areas, developed malware that hid its control mechanism inside comments posted on Britney Spears’ Instagram photos, built email server backdoors that received commands via spam-looking messages, hacked other countries’ cyber-espionage groups, and modified Chrome and Firefox installations on victim devices to plant a small fingerprint in HTTPS traffic that could later be used to track the victim’s traffic across the internet backbone.
Kaspersky has now revealed another surprising technique of the group which includes malware that receives instructions from command and control (C&C) servers in the form of HTTP status codes.
This malware is called COMpfun, and is a classic remote access trojan (RAT) that infects victims and then collects system data, logs keystrokes, and takes screenshots of the user’s desktop. All the data is then exfiltrated to a remote C&C server.
The first version of COMpfun was found in 2014 and a new COMpfun version was spotted by Kaspersky last year.
This malware is an upgraded version of the earlier COMpfun iterations and adds two new features on top of the classic RAT-style data collection.
The first feature is the ability to monitor when USB removable devices are connected to an infected host and then copy itself to the new device. This is believed to be a self-spreading mechanism the Turla group uses to reach other systems on internal and/or air-gapped networks.
The second feature is a new C&C communication scheme that departs from the typical pattern, in which commands are sent directly to the infected hosts (the COMpfun implants) as HTTP or HTTPS requests carrying clearly defined commands.
Security researchers and security products frequently scan HTTP/HTTPS traffic for patterns that look like malware commands, and CLI-like parameters found in HTTP headers or request bodies are a strong indicator of malicious traffic.
The Turla group developed a new server-client C&C protocol that relies on HTTP status codes in order to avoid being detected.
HTTP status codes are internationally standardized responses that a server returns to a connecting client. A status code conveys the state of the server and tells the client what to do next, such as drop the connection, provide credentials, or refresh the connection.
Turla adapted this basic server-client mechanism for COMpfun’s C&C protocol: the COMpfun C&C acts as the server, and the COMpfun implants running on infected hosts act as clients.
According to the researchers, whenever a COMpfun implant pings the C&C server and the server responds with a 402 (Payment Required) status code, all subsequent status codes are interpreted as commands.
For example, if the COMpfun server responds with a 402 status code followed by a 200 status code, the implant uploads all the data it has collected from the host to the Turla C&C server.
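The detection angle that follows from this description is that the command channel leaves a trace in ordinary outbound web-proxy logs: a 402 response from one server, followed shortly by further responses from the same server, with a 200 that coincides with a large upload. The script below is an added example written for this article, not Kaspersky's or Turla's code; the log format, the sample lines, the 300-second window and the 4 KiB upload threshold are all assumptions constructed for illustration, and the only status-code semantics it relies on are the two the article states (402 arms the channel, 402 then 200 means upload).

```python
"""Heuristic detector for a 402-keyed HTTP status-code command channel.

Runs over outbound proxy log lines and flags (client, server) pairs where a
402 response is followed, within a short window, by further responses from
the same server. Added example; not code from the original report.
"""
from dataclasses import dataclass


@dataclass
class Response:
    ts: int          # epoch seconds when the response was logged
    client: str      # internal client address
    server: str      # contacted server host
    status: int      # HTTP status code returned by the server
    req_bytes: int   # bytes the client sent in the request body

# Constructed sample log (assumed format, not real traffic):
# "<epoch> <client_ip> <server_host> <status> <request_body_bytes>"
SAMPLE_LOG = """\
1000 10.0.0.5 cdn.example.test 200 312
1001 10.0.0.5 cdn.example.test 304 0
1002 10.0.0.7 c2.example.test 402 0
1003 10.0.0.7 c2.example.test 200 48210
1004 10.0.0.7 c2.example.test 200 51034
1005 10.0.0.5 shop.example.test 402 120
1006 10.0.0.5 shop.example.test 200 95
"""


def parse_log(text):
    """Parse the assumed space-separated log format into Response records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, server, status, nbytes = line.split()
        records.append(Response(int(ts), client, server, int(status), int(nbytes)))
    return records


def find_status_code_channels(responses, window=300, min_upload=4096):
    """Return alerts as (client, server, status, reason) tuples.

    Per (client, server) pair this is a two-state machine: a 402 response
    "arms" the pair; every response from that server within `window`
    seconds is then reported as a possible command. A 200 that carries a
    request body of at least `min_upload` bytes while armed is reported
    as a possible upload of collected data (402 then 200 in the article).
    The pair disarms once the window elapses.
    """
    armed = {}   # (client, server) -> timestamp of the arming 402
    alerts = []
    for r in sorted(responses, key=lambda x: x.ts):
        key = (r.client, r.server)
        if r.status == 402:
            armed[key] = r.ts
            continue
        armed_at = armed.get(key)
        if armed_at is None:
            continue
        if r.ts - armed_at > window:
            del armed[key]   # stale arming: a lone 402 is not suspicious
            continue
        reason = "status code after 402 from same server"
        if r.status == 200 and r.req_bytes >= min_upload:
            reason = "large upload after 402: possible collected-data exfiltration"
        alerts.append((r.client, r.server, r.status, reason))
    return alerts


if __name__ == "__main__":
    for alert in find_status_code_channels(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the constructed sample, the `c2.example.test` pair produces two upload alerts, while the `shop.example.test` pair produces a lower-severity alert: a genuine 402 followed by a small 200 is exactly what a legitimate payment flow can look like, so in practice the upload-size condition and repeated arming of the same pair are what separate this channel from noise, and the thresholds need tuning against your own proxy baseline.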
The researchers managed to reverse engineer the HTTP status codes and their associated COMpfun commands.
Turla is considered one of the most sophisticated cyber-espionage groups active today, and it has invested heavily in stealth in a way that few Russian state-sponsored groups do.