Payment required: rare HTTP statuses and air-gaps avoidance from the authors of COMPFun

Denis Legezo (Kaspersky)

From a researcher's point of view, it's always an exciting bonus when you uncover some really new and unusual techniques in the malware you are analysing. During 2019, one of the actors that gave us interesting puzzles to solve was the author of COMPFun. The malware was initially documented by G DATA in 2014 – although G DATA didn’t identify which actor was using the malware – and we tentatively linked it to the Turla APT, based on the victimology.

In Autumn 2019, we covered one case of custom malware designed to compromise TLS-encrypted communications used in the HTTPS protocol (https://securelist.com/compfun-successor-reductor/93633/). Via a combination of installing digital certificates on the target’s browsers and manipulating the TLS handshake to their own schema, the malware operators were able to distinguish the target’s traffic – even after NAT routing – and decrypt it. To mark and distinguish the target’s traffic, the developers came up with their own technically ingenious mechanisms – by patching the system’s PRNG functions.

At the very end of 2019, we found another sample aimed at diplomatic entities, this time pretending to be a visa-related application on a LAN shared directory. These files, with strong code similarities, showed us that, with the same code base, developers can solve very different problems. This time, the code didn’t manipulate TLS traffic at all. These newer samples used rare HTTP statuses (422-429) as C2 commands, beaconing to the C2 with a specific ETag and waiting for the C2 to respond with HTTP 402 (payment required) before proceeding with the commands. The authors also solved the problem of spreading the malware to attached USB devices.
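
As an added illustration (not from the talk or from Kaspersky's tooling), a small detection heuristic over constructed proxy log lines: it flags a client/host pair that presents a fixed ETag, receives a 402 and then a run of 422-429 responses, while a single 422 from a legitimate form endpoint is left alone. The log format and field names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample proxy log lines for illustration; the field names
# (client, host, etag, status) are assumptions, not a real proxy format.
SAMPLE_LOG = """\
2019-12-20T10:00:01Z client=10.0.0.5 host=api.example-c2.test etag="5d8c72a5edc72" status=402
2019-12-20T10:00:31Z client=10.0.0.5 host=api.example-c2.test etag="5d8c72a5edc72" status=422
2019-12-20T10:01:01Z client=10.0.0.5 host=api.example-c2.test etag="5d8c72a5edc72" status=425
2019-12-20T10:01:31Z client=10.0.0.5 host=api.example-c2.test etag="5d8c72a5edc72" status=429
2019-12-20T10:02:00Z client=10.0.0.7 host=cdn.legit.test etag="abc123" status=304
2019-12-20T10:02:05Z client=10.0.0.7 host=cdn.legit.test etag=- status=200
2019-12-20T10:02:09Z client=10.0.0.9 host=shop.legit.test etag=- status=422
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) client=(?P<client>\S+) host=(?P<host>\S+) '
    r'etag=(?P<etag>"[^"]*"|-) status=(?P<status>\d{3})$'
)

COMMAND_STATUSES = range(422, 430)  # 422-429: the statuses used as C2 commands
GO_AHEAD_STATUS = 402               # "payment required": the go-ahead response

def parse_lines(text):
    """Yield one dict per well-formed line; silently skip anything else."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            rec = m.groupdict()
            rec["status"] = int(rec["status"])
            yield rec

def detect_rare_status_c2(text, min_commands=2):
    """Flag (client, host) pairs that beacon with a single fixed ETag, get a
    402 back, and afterwards receive at least min_commands 422-429 responses."""
    history = defaultdict(list)
    for rec in parse_lines(text):
        history[(rec["client"], rec["host"])].append(rec)
    findings = {}
    for key, recs in history.items():
        go_ahead_seen, commands = False, []
        etags = {r["etag"] for r in recs if r["etag"] != "-"}
        for r in recs:  # records are kept in log order
            if r["status"] == GO_AHEAD_STATUS and r["etag"] != "-":
                go_ahead_seen = True
            elif go_ahead_seen and r["status"] in COMMAND_STATUSES:
                commands.append(r["status"])
        if len(etags) == 1 and len(commands) >= min_commands:
            findings[key] = commands
    return findings

if __name__ == "__main__":
    for (client, host), cmds in detect_rare_status_c2(SAMPLE_LOG).items():
        print(f"suspicious beacon: {client} -> {host}, command statuses {cmds}")
```

The threshold is deliberately conservative: a real web application can legitimately return one 422, but a 402 followed by several different 4xx codes against the same unchanging ETag is worth an analyst's look.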

The way the malware is injected into the memory of system processes is also worth a mention. The addresses of the API functions it needs were passed in as parameters, so the injected code by itself (i.e. dumped from memory) could barely be analysed without this additional data. Back in 2014, COMPFun’s developers were creative and potent in terms of their persistence – attributes which they still possess today.
Denis Legezo
At Kaspersky Denis Legezo works as Senior Security Researcher with the Global Research and Analysis Team (GReAT). He specializes in targeted attack research and reverse engineering for malware analysis. Denis regularly provides trainings on these matters for the company's customers. He received his degree from the cybernetics and applied mathematics faculty of Moscow State University in 2002. His diploma topic was directly related to information security. He then started his career as a programmer in different public and commercial companies. Before joining Kaspersky at the beginning of 2014, he worked as a technical expert for one of the Russian IT companies.