Remote access trojan attacks using remote control via HTTP status codes

May 20, 2020
http status code attack rat remote access trojan

Here is a brief background about a malware called COMpfun. The malware is one of those traditional RAT or Remote Access Trojan that works by infecting its target victims device – collecting system information, keystroke logging, recording snapshots of user’s desktops, among other stuff. All these acquired information uses a remotely located C&C server to transport the data to the threat actor.

The very first recorded iteration of this malware was seen in operation last 2014. However, a newly modified and upgraded version was seen in the previous year, according to several security researchers and firms. Upon closer investigation and observation, the new version of the malware was found to be quite different from the original. Aside from the original RAT (Remote Access Trojan) traits, it possessed years ago; this new malware got additional features to boot.

Before we get to that, last year’s incident where the malware was detected, which was around November, the researchers have observed several simultaneous attacks targeting government and other diplomatic agencies all over Europe.

Analyzing the trend and methods used, we found out through a factual investigation that the group who initiated the attacks was a Russian-state sponsored hacking group known as – Turla. The group is known for other sanctioned attacks that are mostly engaged in illegal operations, or more specifically, cyber-espionage.

They are most notable for building and modifying malware for purposes of performing stealthy cyber-attacks.

The attacks of Turla are properly coordinated, and they can take-over and utilize telecom satellites to deliver malware payloads in almost any area on the globe. They can conceal their control mechanisms on several layers of code, establish backdoors over email servers that are equipped and ready to receive remote commands. They can even modify browser installation packages to suit their infiltration requirements.

The two (2) new abilities of the said malware are:

  1. Detect any removable USB storage devices and use it to copy itself and independently propagate to a new device using that. It acts as some sort of self-spreading apparatus used to infect other systems within or even outside the network.
  2. Unlike its traditional C&C protocols, HTTP or HTTPS traffic requests are carrying commands with specific instructions on what to do next. These status codes provide server status and information, and all the acquired data is encrypted and sent to their remote servers.

Their sophisticated approach and their ability to stay under the radar is what makes them very formidable. One can say, even more dangerous, due to the fact that their main targets are mostly government agencies and diplomatic firms. Needless to say, agencies such as those of the military, pharma companies, and other countries’ embassies are all at risk of being targeted by these malicious hackers.

About the author

Leave a Reply