Russian hacker group using HTTP status codes to control malware implants
Security researchers from Kaspersky have identified a new version of the COMpfun malware that controls infected hosts using a mechanism that relies on HTTP status codes.
The malware has been first spotted last year, in November, and has been deployed in attacks against diplomatic entities across Europe.
Responsible for the attacks is a group known as Turla, a state-sponsored Russian threat actor that has historically engaged in cyber-espionage operations.
Turla has a long history of using non-standard and innovative methods to build malware and carry out stealthy attacks.
The group has been known to hijack and use telecommunications satellites to deliver malware to remote areas of the globe, has developed malware that hid its control mechanism inside comments posted on Britney Spears’ Instagram photos, has developed email server backdoors that received commands via spam-looking messages, has hacked other countries’ cyber-espionage hacker groups, and has been modifying Chrome and Firefox installations on victim devices in order to hide a small fingerprint in HTTPS traffic that they later use to track the victim’s traffic across the internet backbone.
In a report published today, Kaspersky has revealed another of Turla’s novel techniques — namely malware that receives instructions from command and control (C&C) servers in the form of HTTP status codes.
NEW COMPFUN VERSION
This particular malware is named COMpfun, and is a classic remote access trojan (RAT) that infects victims and then collects system data, logs keystrokes, and takes screenshots of the user’s desktop. All collected data is exfiltrated to a remote C&C server.
The first COMpfun version was seen in the wild in 2014, and detailed in a G DATA report here. Today, Kaspersky says that they spotted a new COMpfun version last year.
This new upgraded version was different from the older COMpfun iterations. Besides the classic RAT-like data collection features, Kaspersky says the new COMpfun version also included two new additions.
The first was its ability to monitor when USB removable devices are connected to an infected host, and then propagate itself to the new device. The feature is believed to be a self-spreading mechanism used by the Turla group to infect other systems on internal and/or air-gapped networks.
NEW HTTP STATUS CODE-BASED C&C PROTOCOL
The second addition is a new C&C communications system. According to Kaspersky, this new C&C malware protocol doesn’t use a classic pattern where commands are sent directly to the infected hosts (the COMpfun malware implants) as HTTP or HTTPS requests carrying clearly-defined commands.
Security researchers and security products often scan HTTP/HTTPS traffic for patterns that look like malware commands. When they see CLI-like parameters in HTTP headers or traffic, it’s usually an obvious sign there’s something malicious going on.
To avoid this type of detection, the Turla group developed a new server-client C&C protocol that relies on HTTP status codes.
HTTP status codes are internationally-standardized responses that a server provides to a connecting client. The status codes provide a state of the server, and they’re used to tell the client (usually browsers) what to do next — such as drop the connection, provide credentials, refresh the connection, and so on.
Kaspersky says Turla adapted this basic server-client mechanism that’s been around for decades to COMpfun’s C&C protocol, where the COMpfun C&C plays the role of a server, and the COMpfun implants running on infected hosts play the role of clients.
Kaspersky says that every time a COMpfun implant pings the C&C server if the server responds with a 402 (Payment Required) status code, all subsequent status codes are future commands.
For example, if the COMpfun server would respond with a 402 status code, followed by a 200 status code, the malware implant would upload all the data it collected from a host’s computer to the Turla C&C server.
Researchers say they’ve been able to reverse engineer the following HTTP status codes and their associated COMpfun commands.
The COMpfun report shows once again why Turla is considered one of the most sophisticated cyber-espionage group today.
With a history of targeting diplomatic targets, the group has invested heavily in stealth, something that not many Russian state-hacker groups have done, most of which are very noisy in their operations.
Additional details about the COMpfun malware and indicators of compromise are available in the Kaspersky report.