Payment required: rare HTTP statuses and air-gaps avoidance from the authors of COMPFun

Wednesday 30 September 17:00 - 17:30, Red room

Denis Legezo (Kaspersky)



From a researcher's point of view, it's always an exciting bonus when you uncover some really new and unusual techniques in the malware you are analysing. During 2019, one of actors that gave us interesting puzzles to solve was the author of COMPFun. The malware was initially documented by G DATA in 2014 – although G DATA didn’t identify which actor was using the malware – and we tentatively linked it to the Turla APT, based on the victimology.

In Autumn 2019, we covered one case of custom malware designed to compromise TLS-encrypted communications used in the HTTPS protocol (https://securelist.com/compfun-successor-reductor/93633/). Via a combination of installing digital certificates on the target’s browsers and manipulating the TLS handshake to their own schema, the malware operators were able to distinguish the target’s traffic – even after NAT routing – and decrypt it. To mark and distinguish the target’s traffic, the developers came up with their own technically ingenious mechanisms – by patching the system’s PRNG functions.

At the very end of 2019, we found another sample aimed at diplomatic entities, this time pretending to be a visa-related application on a LAN shared directory. These files with strong code similarities showed us that, with the same code base, developers can solve very different problems. This time, the code didn’t manipuate TLS traffic at all. These newer samples used rare HTTP statuses (422-429) as C2 commands, targeting beacon C2s with a specific ETag and waiting for C2 response HTTP 402 (payment required) to proceed all the commands. The authors also solved the problem of spreading the malware to attached USB devices.

The way of injecting malware into the memory of system processes is also worth a mention. Needed API functions addressed in this case were transmitted as parameters and as a result injected code by itself (i.e. dumped from memory) that could barely be analysed without this additional data. Back in 2014, COMPFun developers were creative and potent, in terms of their persistence – attributes which they still possess today.

 

Denis-Legezo-web.jpg

Denis Legezo

At Kaspersky Denis Legezo works as Senior Security Researcher with the Global Research and Analysis Team (GReAT). He specializes in targeted attack research and reverse engineering for malware analysis. Denis regularly provides trainings on these matters for the company's customers. He received his degree from the cybernetics and applied mathematics facility of Moscow State University in 2002. His diploma topic was directly related to information security. Then he started his career as a programmer in different public and commercial companies. Before joining Kaspersky at the beginning of 2014, he worked as a technical expert for one of the Russian IT companies.



Back to VB2020 Programme page

Other VB2020 papers

TBA

Keynote address (TBA)

Growth and commoditization of remote access trojans

Veronica Valeros (Czech Technical University in Prague)
Sebastian García (Czech Technical University in Prague)

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.