A new variant of the COMpfun Remote Access Trojan (RAT) was originally discovered by Kaspersky in late 2019 and has been upgraded with new methods of receiving commands through HTTP status codes. COMpfun still comes with all of the traditional capabilities of RAT malware, including the ability to collect keystrokes, screenshots, files and other data. Once it infects a target system, it starts collecting data and sends it back to its Command and Control server (C2). Unlike other RATs though, COMpfun has the ability to propagate to other (potentially air-gapped) devices by monitoring and infecting removable devices that are connected to the infected device. The most interesting addition is that it uses HTTP status-based communication module which allows the attackers to bypass detection by avoiding common malicious traffic patterns. When the malware sends an HTTP request to the C2 server, it includes a unique ETag (normally used for content caching purposes) to identify itself as a bot, and the C2 server responds with unusual HTTP status codes in the range 422 through 429 to indicate which commands the bot should execute. When the server responds with HTTP code 402 (Payment Required), the bot executes all of the other commands that were sent. Kaspersky stated, “The malware operators retained their focus on diplomatic entities and the choice of a visa-related application – stored on a directory shared within the local network – as the initial infection vector worked in their favor,” Kaspersky concludes. The combination of a tailored approach to their targets and the ability to generate and execute their ideas certainly makes the developers behind COMPFun a strong offensive team.”
Security teams should monitor and log all web requests by forcing connections to go through a web proxy server. That will give defenders the opportunity to search for unusual patterns of HTTP status codes and further investigate to discover if the status codes are being used for covert malware communication. To protect from RATs, the same procedures that are used to prevent general malware applies. Anti-virus software should be kept up-to-date and programs or files from emails that come from an untrusted source should not be downloaded. At an administrative level, unused ports should be blocked, turn off unused services, and monitor all outgoing traffic. An endpoint monitoring service can help to defend from malicious programs by detecting threats before they can do damage. The Binary Defense Security Operations Center monitors and defends endpoints 24-hours a day to help secure networks.
The unique ETag used by the malware is: C8E9CEAD2E084F58A94AEDC14D423E1A
Malware C2 servers:
To read more: https://securelist.com/compfun-http-status-based-trojan/96874/