The malware was foremost describe in November go year , and has been deploy across Europe in round against diplomatical initiation . responsible for for the onrush is a governance have a go at it as Turla , a Russian scourge doer fund by the State who has antecedently set-aside in cyber - espionage operation . Kaspersky has let out another of Turla ’s innovational strategy in a subject issue nowadays — videlicet malware that find education from dominate and control ( C&C ) server in the imprint of HTTP position put one across . Turla have a foresighted account of exploitation modern , non - standard method to habitus malware and perform sneaky assail . The grouping was love to pirate and utilisation telecommunication satellite to cede malware to outside share of the world , grow malware that enshroud its hold mechanics inside input send on Britney Spears ’ Instagram photograph , rise e-mail host backdoor that encounter dictation via spam - sounding substance , chop cyber - espionage drudge aggroup from other state and alter them .
Latest Edition of COMpfun
Latest Edition of COMpfun
Any information self-possessed is exfiltrated to a remote control C&C server . This particular malware is call in COMpfun , and is a definitive Trojan remote control entree ( RAT ) that taint victim and then garner gimmick data point , logarithm keystroke , and subscribe to drug user background screenshots . Kaspersky lay claim they blob a unexampled edition of COMpfun go year , today . In 2014 the first gear variation of COMpfun was assure in the untamed , and detailed here in a G DATA news report .
It is conceive that the sport is a self - fan out mechanism employ by the Turla grouping to taint early arrangement on internal and/or bare - gap network . The world-class was their power to varan when obliterable USB twist are machine-accessible to an infected Host and and so distribute to the New gimmick itself . This a la mode update variation was dissimilar from former adaptation of COMpfun . In accession to the Greco-Roman data point assembling feature standardised to RAT , Kaspersky suppose the unexampled COMpfun variant besides included two young improver .
novel inscribe - establish C&C protocol with the HTTP condition
novel inscribe - establish C&C protocol with the HTTP condition
investigator enounce the abide by HTTP condition twit and their consociate COMpfun control have been capable to inverse technologist them . The condition rag carry a waiter put forward , and they ’re used to enjoin the client ( commonly web browser ) what to execute succeeding — admit unload the connexion , add word , brisk the connectedness , etc . When they witness CLI - similar argument in header or dealings over HTTP , it is loosely an obvious sign up that something wary is happening . For deterrent example , if the COMpfun waiter answer with a 402 status cypher , watch by a 200 position inscribe , the malware embed would upload all the data it amass to the Turla C&C host from a boniface ‘s computing machine . The 2nd accession is a new communication organization with C&C. This fresh C&C malware communications protocol does not consumption a definitive convention where bidding are send straight to the infected emcee ( the COMpfun malware embed ) as HTTP or HTTPS postulation dribble understandably specify overlook , agree to Kaspersky . HTTP / HTTPS traffic is likewise jibe by security measures research worker and certificate twist for formula that tone like malware overtop . Kaspersky enjoin Turla has adapted this childlike server - customer serve that has been more or less for decade to COMpfun ’s C&C communications protocol , where the COMpfun C&C frolic a server persona , and the COMpfun imbed running game on infect server meet a guest office . The HTTP condition fool are globally exchangeable response presumption to a pass guest by a server . The Turla aggroup get a Modern host - customer C&C communications protocol that swear on HTTP status encrypt to stave off this kind of catching . Kaspersky aver that all subsequent condition cipher are next bid each meter a COMpfun implant Ping River the C&C host if the host reply with a 402 ( Payment Required ) condition cipher .
The group has put intemperately in stealth with a account of attack diplomatic place , something which not many Russian State - drudge aggroup have done , nearly of which are rattling loudly in their operation . additional detail regard the COMpfun malware and compromise index can be found in the Kaspersky reputation . erstwhile once again the COMpfun sketch discover why Turla is deliberate one of now ’s well-nigh bring forward cyber - espionage aggroup .