From a researcher's point of view, it's always an exciting bonus when you uncover some really new and unusual techniques in the malware you are analysing. During 2019, one of the actors that gave us interesting puzzles to solve was the author of COMPFun. The malware was initially documented by G DATA in 2014 – although G DATA didn't identify which actor was using the malware – and we tentatively linked it to the Turla APT, based on the victimology.
In Autumn 2019, we covered one case of custom malware designed to compromise TLS-encrypted communications used in the HTTPS protocol (https://securelist.com/compfun-successor-reductor/93633/). Via a combination of installing digital certificates on the target's browsers and manipulating the TLS handshake to their own schema, the malware operators were able to distinguish the target's traffic – even after NAT routing – and decrypt it. To mark and distinguish the target's traffic, the developers came up with their own technically ingenious mechanism – patching the system's PRNG functions.
At the very end of 2019, we found another sample aimed at diplomatic entities, this time pretending to be a visa-related application on a LAN shared directory. These files, with strong code similarities, showed us that developers can solve very different problems with the same code base. This time, the code didn't manipulate TLS traffic at all. These newer samples used rare HTTP statuses (422-429) as C2 commands, beaconed to the C2 with a specific ETag, and waited for the C2 to respond with HTTP 402 (Payment Required) before proceeding with any of the commands. The authors also solved the problem of spreading the malware to attached USB devices.
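As an added detection example (not code from the article or from the malware itself), the following heuristic scans constructed proxy log lines for the pattern described above: a client that receives HTTP 402 from a host and then several distinct statuses in the 422-429 range from that same host. The log format, the host names and the "402 first, then command statuses" ordering are assumptions; the article does not disclose the ETag value, so the heuristic keys only on status codes and ignores single 429 rate-limit responses.

```python
from collections import defaultdict

# Constructed sample proxy log (not from the article). Assumed format:
# "<client_ip> <method> <host> <status> <etag-or-dash>"
SAMPLE_LOG = """\
10.0.0.5 GET cdn.example.net 200 -
10.0.0.5 GET updates.example.org 304 "abc123"
10.0.0.7 GET beacon.example.com 402 "beacon-tag"
10.0.0.7 GET beacon.example.com 422 "beacon-tag"
10.0.0.7 GET beacon.example.com 425 "beacon-tag"
10.0.0.7 GET beacon.example.com 429 "beacon-tag"
10.0.0.9 GET api.example.com 429 -
"""

COMMAND_STATUSES = set(range(422, 430))  # 422-429, the range the article names
GATE_STATUS = 402                        # response the implant waits for first


def parse_line(line):
    """Parse one assumed-format log line into a dict, or None if malformed."""
    parts = line.split()
    if len(parts) != 5 or not parts[3].isdigit():
        return None
    return {"client": parts[0], "host": parts[2], "status": int(parts[3])}


def find_suspicious_hosts(log_text, min_command_statuses=2):
    """Return {(client, host): [statuses]} for client/host pairs where a 402
    was followed by at least min_command_statuses distinct 422-429 statuses.
    Requiring the 402 gate and several distinct codes avoids flagging a
    benign API that merely rate-limits with a single 429."""
    statuses_by_pair = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            statuses_by_pair[(rec["client"], rec["host"])].append(rec["status"])

    hits = {}
    for pair, statuses in statuses_by_pair.items():
        if GATE_STATUS not in statuses:
            continue
        after_gate = statuses[statuses.index(GATE_STATUS) + 1:]
        commands = sorted({s for s in after_gate if s in COMMAND_STATUSES})
        if len(commands) >= min_command_statuses:
            hits[pair] = commands
    return hits


if __name__ == "__main__":
    for (client, host), cmds in find_suspicious_hosts(SAMPLE_LOG).items():
        print(f"{client} -> {host}: 402 gate followed by command statuses {cmds}")
```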
The way the malware is injected into the memory of system processes is also worth a mention. The addresses of the API functions the injected code needs were passed to it as parameters, so the injected code on its own (i.e. dumped from memory) could barely be analysed without this additional data. Back in 2014, COMPFun developers were creative and potent, in terms of their persistence – attributes which they still possess today.