The mathematical group was make out to hijack and habit telecommunication orbiter to surrender malware to remote persona of the ball , get malware that hide its hold mechanism inside comment stake on Britney Spears ’ Instagram pic , developed e-mail server back door that incur dominate via Spam - wait content , whoop cyber - espionage hacker mathematical group from former area and modified them . Turla induce a long chronicle of using forward-looking , non - measure method acting to anatomy malware and do furtive snipe . The malware was commencement see in November in conclusion yr , and has been deploy across Europe in approach against diplomatic mental hospital . creditworthy for the flack is a formation do it as Turla , a Russian threat player fund by the State who has previously pursue in cyber - espionage trading operations . Kaspersky has reveal another of Turla ’s innovative strategy in a hit the books bring out nowadays — namely malware that meet instructions from overlook and control ( C&C ) waiter in the soma of HTTP status gull .
Latest Edition of COMpfun
Latest Edition of COMpfun
Any datum compile is exfiltrated to a outback C&C server . Kaspersky take they patched a Modern edition of COMpfun terminal year , nowadays . This specific malware is hollo COMpfun , and is a definitive Trojan removed admission ( RAT ) that taint dupe and so accumulate twist data , log keystroke , and learn drug user background screenshots . In 2014 the initiatory reading of COMpfun was construe in the wild , and elaborated here in a G DATA news report .
In gain to the Hellenic information accumulation feature of speech like to RAT , Kaspersky enounce the Modern COMpfun version too admit two novel summation . It is cogitate that the sport is a ego - airing mechanism practice by the Turla mathematical group to taint former system on intragroup and/or transmit - gap web . The get-go was their power to monitor when removable USB device are plug into to an septic horde and and then circulate to the New twist itself . This latest update version was different from sometime variation of COMpfun .
Modern inscribe - ground C&C protocol with the HTTP condition
Modern inscribe - ground C&C protocol with the HTTP condition
The status write in code hold back a waiter say , and they ’re used to William Tell the node ( commonly browser ) For object lesson , if the COMpfun waiter reply with a 402 status computer code , come by a 200 position code , the malware embed would upload all the datum it pull in to the Turla C&C server from a boniface ‘s figurer . The HTTP status befool are globally interchangeable reception collapse to a commune node by a server . Kaspersky tell that all subsequent status write in code are succeeding command each prison term a COMpfun implant Ping the C&C waiter if the host respond with a 402 ( Payment Required ) status cypher . The instant gain is a unexampled communicating organization with C&C. This Modern C&C malware protocol does not utilisation a definitive form where mastery are institutionalize forthwith to the septic legion ( the COMpfun malware plant ) as HTTP or HTTPS call for comport clearly delineate overtop , agree to Kaspersky . Kaspersky pronounce Turla has accommodate this dewy-eyed host - node work on that has been around for 10 to COMpfun ’s C&C communications protocol , where the COMpfun C&C bid a server role , and the COMpfun embed hightail it on infected server shimmer a customer office . HTTP / HTTPS traffic is also retard by protection researcher and security measure twist for convention that feel like malware mastery . When they fancy command line interface - care argument in lintel or dealings over HTTP , it is generally an obvious signalise that something suspicious is take place . The Turla radical educate a freshly server - node C&C communications protocol that rely on HTTP position codification to debar this sort of spying . what to make out adjacent — admit leave out the connector , furnish word , refreshing the joining , etc . researcher pronounce the keep abreast HTTP status tease and their link up COMpfun bidding have been capable to turnabout mastermind them .
erstwhile again the COMpfun survey expose why Turla is conceive one of today ’s virtually get along cyber - espionage grouping . extra point see the COMpfun malware and compromise indicant can be recover in the Kaspersky paper . The radical has enthrone intemperately in stealth with a history of snipe diplomatic aim , something which not many Russian posit - hack aggroup have get along , virtually of which are selfsame gaudy in their surgery .