The COMpfun RAT can hack your system using HTTP Status Codes
What is a RAT? RAT stands for Remote Access Trojan, a category of malware that lets an attacker control a target system remotely. COMpfun is an example of a RAT: the malware gives the attacker remote access to the target system, with commands delivered through HTTP status codes.
Researchers at Kaspersky found in recent campaigns that the malware spreads via an initial dropper that masquerades as a visa application; they also believe the attackers are linked to the Turla APT.
The Turla APT, a Russian-based hacker group, has a long history of carrying out espionage and watering hole attacks spanning various sectors, including governments, embassies, military, education, research, and pharmaceutical companies.
In the recent campaigns, the malware was found to spy on a victim's browser activity by staging man-in-the-middle attacks on encrypted web traffic via a tweak to the browser's random number generator.
The malware can also capture keystrokes and screenshots and exfiltrate sensitive data. This new variant of COMpfun monitors for removable USB devices plugged into infected systems in order to spread further, and it receives commands from an attacker-controlled server in the form of HTTP status codes.
We observed an interesting C2 communication protocol utilizing rare HTTP/HTTPS status codes (check IETF RFC 7231, 6585, 4918). Several HTTP status codes (422-429) from the Client Error class let the Trojan know what the operators want to do. After the control server sends the status ‘Payment Required’ (402), all these previously received commands are executed.
the researchers said
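As an added illustration (not from the original article or from Kaspersky's report), the script below scans constructed proxy log lines for the status-code pattern the researchers describe: one or more Client Error codes in the 422-429 range from a server, followed by a 402 from the same server to the same client. The log format, IP addresses and timestamps are constructed for the example.

```python
# Added example (not from the Kaspersky write-up): a proxy-log heuristic for the
# COMpfun-style C2 pattern described above: a run of rare Client Error status
# codes (422-429) from one server, followed by a 402 "Payment Required" from the
# same server, which the report says triggers execution of the queued commands.
from collections import defaultdict

# Constructed sample proxy log lines: "<timestamp> <client> <server> <status>"
SAMPLE_LOG = """\
2020-05-14T10:00:01 10.0.0.5 203.0.113.7 200
2020-05-14T10:00:05 10.0.0.5 203.0.113.7 423
2020-05-14T10:00:09 10.0.0.5 203.0.113.7 425
2020-05-14T10:00:13 10.0.0.5 203.0.113.7 402
2020-05-14T10:00:20 10.0.0.9 198.51.100.2 404
2020-05-14T10:00:25 10.0.0.9 198.51.100.2 422
2020-05-14T10:00:30 10.0.0.9 198.51.100.2 200
"""

COMMAND_CODES = range(422, 430)   # 422-429 carry commands, per the report
EXECUTE_CODE = 402                # 'Payment Required' flushes the queue

def parse_log(text):
    """Yield (timestamp, client, server, status) tuples from the constructed log text."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, server, status = line.split()
        yield ts, client, server, int(status)

def find_status_code_c2(text):
    """Return one alert per (client, server) pair in which command codes were
    followed by a 402 from the same server; each alert lists the queued codes."""
    queued = defaultdict(list)   # (client, server) -> command codes seen so far
    alerts = []
    for ts, client, server, status in parse_log(text):
        key = (client, server)
        if status in COMMAND_CODES:
            queued[key].append(status)
        elif status == EXECUTE_CODE and queued[key]:
            alerts.append({"client": client, "server": server,
                           "commands": list(queued[key]), "at": ts})
            queued[key].clear()
    # Pairs that saw command codes but never a 402 (10.0.0.9 above) raise no alert.
    return alerts

if __name__ == "__main__":
    for alert in find_status_code_c2(SAMPLE_LOG):
        print(alert)
```

A single stray 422 or 429 from a web application is ordinary; the sequence of several such codes closed by a 402 from the same server is what makes this worth a look.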
What are HTTP Status Codes?
HTTP response status codes indicate whether a specific HTTP request has been successfully completed. Responses are grouped into five classes:
- Informational responses (100–199)
- Successful responses (200–299)
- Redirects (300–399)
- Client errors (400–499)
- Server errors (500–599)
The authors keep the RSA public key and unique HTTP ETag in encrypted configuration data. Created for web content caching reasons, this marker could also be used to filter unwanted requests to the C2, e.g., those that are from network scanners rather than targets. To exfiltrate the target’s data to the C2 over HTTP/HTTPS, the malware uses RSA encryption. To hide data locally, the Trojan implements LZNT1 compression and one-byte XOR encryption.
added the researchers
How the visa application is delivered to the target is still unknown, but once it arrives and is downloaded, the initial dropper runs the next stage of the malware, which communicates with the command-and-control (C2) server using an HTTP status-code-based module.
The malware operators retained their focus on diplomatic entities, and the choice of a visa-related application — stored on a directory shared within the local network — as the initial infection vector worked in their favor
Kaspersky researchers concluded