A fresh malware trojan has emerged, built from the same code base as the stealthy COMPFun remote access trojan (RAT). The malware is using spoofed visa applications to hit diplomatic targets in Europe and may be the work of the Turla APT.
According to researchers at Kaspersky, the fake visa application harbors code that acts as a first-stage dropper. That dropper in turn fetches the main payload, which logs the target’s location, gathers host- and network-related data, performs keylogging and takes screenshots. It also monitors USB devices and can infect them in order to spread further, and it receives commands from the command-and-control (C2) server in the form of HTTP status codes.
“In other words, it’s a normal full-fledged trojan that is also capable of propagating itself to removable devices,” researchers wrote in a Thursday analysis. “As in previous malware from the same authors…to exfiltrate the target’s data to the C2 over HTTP/HTTPS, the malware uses RSA encryption. To hide data locally, the trojan implements LZNT1 compression and one-byte XOR encryption.”
As for that “previous malware,” the code base for the new RAT is similar to a COMPFun successor known as Reductor, which Kaspersky observed last year infecting files on the fly to compromise TLS traffic. The firm attributes the new RAT to the same threat actor – which is perhaps the Turla APT.
“Based mostly on victimology, we were able to associate it with the Turla APT with medium-to-low level of confidence,” Kaspersky added.
First Stage
In the new attacks seen, it’s unclear how the malware is making it to target desktops. What is known is that the first-stage dropper is downloaded from a shared directory; it has a file name related to the visa application process that “perfectly corresponds with the targeted diplomatic entities,” according to Kaspersky.
“The malware operators retained their focus on diplomatic entities and the choice of a visa-related application – stored on a directory shared within the local network – as the initial infection vector worked in their favor,” the researchers explained.
The dropper then decrypts the next stage malware from its resource (.rsrc) section using a one-byte XOR algorithm and the key ‘0x55,’ followed by LZNT1 decompression.
The trojan application comes disguised as a Portable Executable (PE) file (though it can also show up as a .DOC or a .PDF file). The dropper displays a message for users that it needs to run the file as administrator; if the user accepts, it then installs the version of the trojan that corresponds to the host’s architecture (either a Windows 32- and 64-bit version).
The Main Module
The primary payload is an HTTP status-based trojan named “ExplorerFrame.dll.mui.” Kaspersky pointed out that there is a legitimate ExplorerFrame.dll.mui on Windows systems, which is a language resource for the ExplorerFrame.dll file used by Windows Explorer.
The module first obtains the processor architecture (32- or 64-bit) and Windows OS version, according to the analysis. It includes a number of sandbox checks and takes note of whether security products are running on the host (Symantec, Kaspersky, Dr.Web or Avast).
The last step in the initialization procedure is to decrypt and decompress the configuration file. From the configuration, the malware parses the RSA public key, ETag and IP addresses to communicate with its C2. Before every communication with the C2, the malware checks if software such as debuggers or monitors are running.
“The implementation of ETags means the C2 may ignore all requests that are not sent from its intended targets if they don’t have the required ETag value,” according to the researchers.
The main thread also checks if the C2 supports TLS in its configuration. If it does, communication will be over HTTPS and port 443; otherwise, the HTTP protocol and port 80 are used.
Most interestingly to Kaspersky analysts, the malware communicates with its C2 using rare HTTP/HTTPS status codes (check IETF RFC 7231, 6585, 4918).
“Several HTTP status codes (422-429) from the Client Error class let the trojan know what the operators want to do,” they explained. “After the control server sends the status ‘Payment Required’ (402), all these previously received commands are executed.”
After initialization, the module checks for processes that it can inject itself into, and chooses one in order of decreasing priority, Kaspersky noted. It starts with Windows (cmd.exe, smss.exe), moves on to security-related applications (Symantec’s nis.exe, Dr.Web’s spideragent.exe) and ends with browsers (IE, Opera, Firefox, Yandex browser and Chrome).
“In the case of PaymentRequired, this could be system, security product or browser processes,” according to Kaspersky. “Then the malware forms the corresponding code to drop files, delete files, etc.”
Commands from the C2 include orders to the malware to: Send collected target data to C2; uninstall and delete COM-hijacking persistence and corresponding files on disk; install and create COM-hijacking persistence and drop corresponding files to disk; fingerprint target with host, network and geolocation data; get new commands; propagate self to USB devices on target; and enumerate network resources on target.
“The user’s activity is monitored using several hooks,” according to the analysis. “All of them gather the target’s data independently of any C2 command. Keystrokes are encrypted using the RSA public key stored in the configuration data and sent once every two seconds, or when more than 512 bytes are recorded. These 512 characters also include left mouse button clicks (written as the ‘MSLBTN’ string) and Windows title bar texts. For clipboard content, the module calculates an MD5 hash and if it changes, encrypts the clipboard content with the same RSA public key and then sends it.”
The COMPFun developers responsible for the new trojan have clearly innovated, according to the security firm, including “the unique implementation of C2 communications using uncommon HTTP status codes.”
“The combination of a tailored approach to their targets and the ability to generate and execute their ideas certainly makes the developers behind COMPFun a strong offensive team,” the researchers concluded.
Concerned about the IoT security challenges businesses face as more connected devices run our enterprises, drive our manufacturing lines, track and deliver healthcare to patients, and more? On June 3 at 2 p.m. ET, join renowned security technologist Bruce Schneier, Armis CISO Curtis Simpson and Threatpost for a FREE webinar, Taming the Unmanaged and IoT Device Tsunami. Get exclusive insights on how to manage this new and growing attack surface. Please register here for this sponsored webinar.