Woburn, MA – May 14, 2020 — In November 2019, Kaspersky technologies uncovered a new malware that spreads as a spoofed visa application targeting diplomatic bodies in Europe. Among further analysis, it has been revealed that the spyware uses the same code base as the infamous COMPFun Remote Administration Tool (RAT).
Spyware focuses on propagating across a victims’ devices to collect and transmit data to the threat actor. It is widely used by various Advanced Persistent Threats (APTs) and is equally dangerous to its selected victimology: be it government or critical infrastructure, collected information can be of great value to the malware operators and bring many changes to the affected landscape.
The malware that was detected has strong code similarities with COMPFun, which was first reported in 2014, and just five years later, the industry already witnessed it successor, Reductor. The new Trojan’s functionality includes the ability to acquire the target’s geolocation, gather host and network related data, keylogging and screenshots.
According to Kaspersky experts, this is a mature Trojan that is also capable of propagating itself on removable devices. Its first stage dropper that is downloaded from the shared local area network holds the file name related to the visa application process, which corresponds with the targeted diplomatic entities. The legitimate application is kept encrypted inside the dropper, along with the 32- and 64-bit next stage malware.
Based on victimology, Kaspersky associates the original COMPfun malware with the Turla APT with medium-to-low level of confidence.
“The malware operators retained their focus on diplomatic entities and the choice of a visa-related application – stored on a directory shared within the local network – as the initial infection vector worked in their favor,” said Kurt Baumgartner, principal security researcher at Kaspersky. “The combination of a tailored approach to their targets and the ability to generate and execute their ideas certainly makes the developers behind COMPFun a strong offensive team.”
To keep organizations protected from threats such as COMPfun, Kaspersky recommends the following measures:
- Use a proven endpoint security solution, such as Kaspersky Endpoint Security for Business with file threat protection, and always keep it up-to-date so it can detect the latest types of malware.
- For endpoint level detection, investigation and timely remediation of incidents, implement EDR solutions such as Kaspersky Endpoint Detection and Response.
- In addition to adopting essential endpoint protection, implement a corporate-grade security solution that detects advanced threats on the network level at an early stage, such as Kaspersky Anti Targeted Attack Platform.
- Provide your SOC team with access to the latest Threat Intelligence, to keep up-to-date with the new and emerging tools, techniques and tactics used by threat actors and cybercriminals.
For additional details on COMPFun, please visit Securelist.