A new variant of the COMpfun Remote Access Trojan (RAT), first spotted by Kaspersky in late 2019, has been upgraded with a new way of receiving commands: HTTP status codes. COMpfun still has all of the traditional capabilities of a RAT, including collecting keystrokes, screenshots, files and other data. Once it infects a system it begins collecting data and sends it back to its command and control (C2) server. Unlike many other RATs, COMpfun can also spread to other, potentially air-gapped, machines by monitoring the infected host for removable media and infecting any drive that is plugged in.

The most interesting addition is the HTTP status-based communication module, which helps the attackers evade detection by avoiding the traffic patterns that network signatures for RAT beacons usually look for. When the malware sends an HTTP request to the C2 server, it includes a unique ETag value (normally used for content caching) to identify itself as a bot. The C2 server answers with uncommon HTTP status codes in the range 422 through 429, each of which tells the bot which command to queue. When the server responds with HTTP 402 (Payment Required), the bot executes all of the commands it has received so far. Because the commands travel in the status line rather than in a response body, the exchange looks like a client repeatedly fetching a page and getting error responses back.

Kaspersky concludes: "The malware operators retained their focus on diplomatic entities and the choice of a visa-related application – stored on a directory shared within the local network – as the initial infection vector worked in their favor. The combination of a tailored approach to their targets and the ability to generate and execute their ideas certainly makes the developers behind COMPFun a strong offensive team."
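The status-code channel described above, as an added illustration (this is not Kaspersky's analysis code or the malware's own): a minimal model of the bot side, which queues one command per 422-429 response and runs the whole queue on a 402, followed by a detector over a constructed proxy log that flags client/host pairs whose responses are dominated by those codes. The code-to-command table, the header used to carry the ETag value, the log format and the log lines are all assumptions; the page states only that 422-429 carry commands and 402 means execute.

```python
import re
from collections import defaultdict, deque
from urllib.parse import urlsplit

# ASSUMPTION: which status code maps to which command is not given on the page;
# this table is hypothetical and exists only to make the state machine concrete.
COMMAND_CODES = {
    422: "upload_collected_data",
    423: "take_screenshot",
    424: "list_files",
    425: "fetch_file",
    426: "start_keylogger",
    427: "stop_keylogger",
    428: "set_beacon_interval",
    429: "infect_removable_media",
}
EXECUTE_CODE = 402  # HTTP "Payment Required": run every queued command
SIGNAL_CODES = set(COMMAND_CODES) | {EXECUTE_CODE}


class Bot:
    """Client side of the channel: queue on 422-429, execute on 402."""

    def __init__(self, etag):
        self.etag = etag  # bot identifier, sent where a cache validator would go
        self.queue = deque()
        self.executed = []

    def request_headers(self):
        # ASSUMPTION: the page says the request carries an ETag value; the exact
        # header name is not given, so a plain ETag header is used here.
        return {"ETag": self.etag}

    def handle_status(self, status):
        """Return the batch executed for this response ([] for most statuses)."""
        if status in COMMAND_CODES:
            self.queue.append(COMMAND_CODES[status])
        elif status == EXECUTE_CODE:
            batch = list(self.queue)
            self.queue.clear()
            self.executed.extend(batch)
            return batch
        # 200/304/etc. carry nothing: an ordinary-looking response with no command.
        return []


def run_session(etag, statuses):
    """Feed a sequence of C2 status codes to a bot; return the executed batches."""
    bot = Bot(etag)
    return [batch for batch in (bot.handle_status(s) for s in statuses) if batch]


# Detection side. Constructed proxy log format (assumption):
#   <timestamp> <client-ip> "<method> <url>" <status>
LOG_RE = re.compile(r'^(\S+) (\S+) "(\S+) (\S+)" (\d{3})$')


def parse_log(lines):
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            _ts, client, _method, url, status = m.groups()
            yield client, urlsplit(url).netloc, int(status)


def suspicious_pairs(lines, min_signal=4, min_ratio=0.5):
    """Flag (client, host) pairs whose responses are dominated by 402/422-429.

    These codes are rare in ordinary browsing, and a benign server does not
    answer repeated fetches of one page with a changing mix of them, so a
    cluster from one host to one client is a strong signal even though no
    command body ever appears on the wire.
    """
    total = defaultdict(int)
    signal = defaultdict(int)
    for client, host, status in parse_log(lines):
        key = (client, host)
        total[key] += 1
        if status in SIGNAL_CODES:
            signal[key] += 1
    return sorted(
        key for key in total
        if signal[key] >= min_signal and signal[key] / total[key] >= min_ratio
    )


# Constructed sample log (not real traffic): one implant beaconing, one normal user.
SAMPLE_LOG = """\
2020-05-14T09:00:01Z 10.0.0.5 "GET http://c2.example.test/news/index.php" 423
2020-05-14T09:00:31Z 10.0.0.5 "GET http://c2.example.test/news/index.php" 426
2020-05-14T09:01:01Z 10.0.0.5 "GET http://c2.example.test/news/index.php" 402
2020-05-14T09:01:31Z 10.0.0.5 "GET http://c2.example.test/news/index.php" 425
2020-05-14T09:02:01Z 10.0.0.5 "GET http://c2.example.test/news/index.php" 200
2020-05-14T09:02:31Z 10.0.0.5 "GET http://c2.example.test/news/index.php" 402
2020-05-14T09:00:05Z 10.0.0.7 "GET http://intranet.example.test/visa/form.docx" 200
2020-05-14T09:00:09Z 10.0.0.7 "GET http://intranet.example.test/visa/logo.png" 304
2020-05-14T09:00:12Z 10.0.0.7 "POST http://api.example.test/submit" 429
2020-05-14T09:00:20Z 10.0.0.7 "GET http://intranet.example.test/missing" 404
""".splitlines()

if __name__ == "__main__":
    print(run_session("etag-0xdeadbeef", [423, 426, 402, 425, 200, 402]))
    print(suspicious_pairs(SAMPLE_LOG))
```

The detector deliberately keys on the combination of count and ratio: a single 429 from a rate-limited API (as in the second client's traffic) is normal, whereas five out of six responses from one host falling in 402/422-429 is not. Tuning `min_signal` and `min_ratio` against your own proxy baseline is the practical step; the thresholds here are only illustrative.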
12 Essentials for a Successful SOC Partnership
As cyber threats continue to impact businesses of all sizes, the need for round-the-clock security