Posted on May 15, 2020 at 10:06 AM

Russian Hacking Group Control Malware Implants Using HTTP Status Codes

Kaspersky security researchers have discovered a new version of the COMpfun malware which uses HTTP status codes to control infected hosts.

The malware was initially discovered in November last year and has been seen attacking diplomatic entities throughout Europe.

The researchers have also uncovered the group responsible for the attack. The hacking syndicate, known as Turla, is a state-backed Russian threat actor that has been involved in cyber espionage operations for many years.

The hacking group uses unconventional methods to attack victims.

Turla has always used innovative and non-standard methods to create malware and perform stealthy attacks. That’s the reason why it has evaded the sight of security researchers for long.

The group has been seen hijacking and using telecommunications satellites to send malware to remote areas in the world. Currently, it has created malware that can hide its control mechanism inside comments posted on the Instagram photos of Britney Spears.

The group has also been modifying Firefox and Chrome extensions, hacking other state-backed hacking syndicates, developing email server backdoors, and using spam-looking messages to receive commands.

Kaspersky’s security team also said Turla is using another method to infect systems. The malware takes commands from the command and control servers through the HTTP status code.

Group has released a new malware version

The group has released another malware version known as COMpfun, which is a remote access Trojan. It is used to infect victims, log keystrokes, collect system data, and take screenshots of the user’s desktop. The collected data is sent to the remote C & C server.

The first version of this COMpfun malware was spotted in 2014, with details about its activities provided by Kaspersky.

However, the new version is quite different from the initial classic version. Apart from the RAT-like collection feature, the security firm said the new COMpfun version also has new additional features.

One of the new additions is the ability to observe when USB removable devices are plugged into an infected host. The Turla hacking group uses the new feature as a self-spreading instrument to infect other networks on air-gapped or internal networks.

The other addition is the new C & C code, and Kaspersky researchers said the second code does not utilize a classic pattern where instructions are delivered directly to the infected host.

Researchers usually scan HTTPS/HTTP traffic for patterns resembling malware commands. When the researchers utilize CLI-like measures in the traffic or headers, it’s always an indication that malicious activity is taking place.

Hackers usually set a motion in place to avoid such detection. In the case of the Turla group, they established a new server-client C & C mechanism that depends on the HTTP status code.

These status codes are standardized responses a server sends to a connecting system. The code provides details about the server and is utilized to inform the client’s browser the next action to take. The action could include refreshing the connection, providing credentials, or dropping the connection.

Kaspersky revealed that Turla used the basic server-client protocol that has been operating for several years to the C & C protocol of the COMpfun malware. Now, the COMpfun C & C is playing the role of a server, while the COMPfun implants activated in the infected host is playing the role of the client.

COMPfun group considered a complex state-backed hacking group        

According to Kaspersky, whenever a COMPfun implant communicates the C & C server, and the server replies with a 402 status code, the following status codes will become future commands.

For instance, if the COMPfun server followed a 402 response with a 200 status code, the implant normally uploads the entre data it has received from the host’s system to the Turla C & C server.

Kaspersky security researcher pointed out that it has reversed-engineered the subsequent HTTP status commands. codes and their linking COMPfun.

But this recent sophisticated activity from COMPfun shows once again why Turla is seen as one of the most complex cyber-espionage syndicates today.

The heavy investment in stealth by the group has shown they are willing to go the extra mile, even beyond what many Russian state-backed hacking groups have achieved.