Russian hacker group use HTTP status codes to control malware implants

May 14, 2020

Special feature

Cyberwar and the Future of Cybersecurity

Today’s security threats have expanded in scope and seriousness. There can now be millions — or even billions — of dollars at risk when information security isn’t handled properly.

Security researchers from Kaspersky have identified a new version of the COMpfun malware that controls infected hosts using a mechanism that relies on HTTP status codes.

The malware has been first spotted last year, in November, and has been deployed in attacks against diplomatic entities across Europe.

Responsible for the attacks is a group known as Turla, a state-sponsored Russian threat actor that has historically engaged in cyber-espionage operations.

Turla has a long history of using non-standard and innovative methods to build malware and carry out stealthy attacks.

The group has been known to hijack and use telecommunications satellites to deliver malware to remote areas of the globe, has developed malware that hid its control mechanism inside comments posted on Britney Spears’ Instagram photos, has developed email server backdoors that received commands via spam-looking messages, has hacked other countries’ cyber-espionage hacker groups, and has been modifying Chrome and Firefox installations on victim devices in order to hide a small fingerprint in HTTPS traffic that they later use to track the victim’s traffic across the internet backbone.

In a report published today, Kaspersky has revealed another of Turla’s novel techniques — namely malware that receives instructions from command and control (CC) servers in the form of HTTP status codes.

New COMpfun version

This particular malware is named COMpfun, and is a classic remote access trojan (RAT) that infects victims and then collects system data, logs keystrokes, and takes screenshots of the user’s desktop. All collected data is exfiltrated to a remote CC server.

The first COMpfun version was seen in the wild in 2014, and detailed in a G DATA report here. Today, Kaspersky says that they spotted a new COMpfun version last year.

This new upgraded version was different from the older COMpfun iterations. Besides the classic RAT-like data collection features, Kaspersky says the new COMpfun version also included two new additions.

The first was its ability to monitor when USB removable devices are connected to an infected host, and then propagate itself to the new device. The feature is believed to be a self-spreading mechanism used by the Turla group to infect other systems on internal and/or air-gapped networks.

New HTTP status code-based CC protocol

The second addition is a new CC communications system. According to Kaspersky, this new CC malware protocol doesn’t use a classic pattern where commands are sent directly to the infected hosts (the COMpfun malware implants) as HTTP or HTTPS requests carrying clearly-defined commands.

Security researchers and security products often scan HTTP/HTTPS traffic for patterns that look like malware commands. When they see CLI-like parameters in HTTP headers or traffic, it’s usually an obvious sign there’s something malicious going on.

To avoid this type of detection, the Turla group developed a new server-client CC protocol that relies on HTTP status codes.

HTTP status codes are internationally-standardized responses that a server provides to a connecting client. The status codes provide a state of the server, and they’re used to tell the client (usually browsers) what to do next — such as drop the connection, provide credentials, refresh the connection, and so on.

Kaspersky says Turla adapted this basic server-client mechanism that’s been around for decades to COMpfun’s CC protocol, where the COMpfun CC plays the role of a server, and the COMpfun implants running on infected hosts play the role of clients.

Kaspersky says that every time a COMpfun implant pings the CC server if the server responds with a 402 (Payment Required) status code, all subsequent status codes are future commands.

For example, if the COMpfun server would respond with a 402 status code, followed by a 200 status code, the malware implant would upload all the data it collected from a host’s computer to the Turla CC server.

Researchers say they’ve been able to reverse engineer the following HTTP status codes and their associated COMpfun commands.

The COMpfun report shows once again why Turla is considered one of the most sophisticated cyber-espionage group today.

With a history of targeting diplomatic targets, the group has invested heavily in stealth, something that not many Russian state-hacker groups have done, most of which are very noisy in their operations.

Additional details about the COMpfun malware and indicators of compromise are available in the Kaspersky report.