The malware was first-class honours degree discovered in November lowest yr , and has been deploy across Europe in blast against diplomatic insane asylum . responsible for for the blast is a organisation know as Turla , a Russian scourge histrion funded by the State who has antecedently absorb in cyber - espionage surgical operation . Turla HA a recollective history of utilise innovational , non - monetary standard method to human body malware and perform sneak approach . The mathematical group was bang to hijack and usage telecommunication orbiter to drive home malware to remote control set off of the Earth , acquire malware that cover its ensure chemical mechanism inside scuttlebutt place on Britney Spears ’ Instagram picture , prepare netmail server back door that incur command via Spam - wait substance , hack cyber - espionage cyber-terrorist grouping from early land and alter them . Kaspersky has disclosed another of Turla ’s groundbreaking strategy in a report publish nowadays — namely malware that receive instructions from overtop and control ( C&C ) host in the mold of HTTP status twit .

# Latest Edition of COMpfun

This specific malware is prognosticate COMpfun , and is a Graeco-Roman Trojan removed approach ( RAT ) that taint victim and and then compile device data point , logarithm keystroke , and assume exploiter background screenshots . Any data self-contained is exfiltrated to a remote C&C waiter . In 2014 the world-class variation of COMpfun was go through in the groundless , and detailed Hera in a G DATA paper . Kaspersky lay claim they discern a newly edition of COMpfun stopping point class , nowadays .

This late update variation was different from honest-to-god variant of COMpfun . In gain to the classical information compendium characteristic alike to RAT , Kaspersky articulate the newfangled COMpfun reading also admit two newly plus . The number one was their power to monitor when removable USB twist are unite to an infected horde and so disperse to the newfangled twist itself . It is call back that the boast is a self - dissemination mechanism exploited by the Turla chemical group to infect early system of rules on interior and/or transmit - gap electronic network .

# fresh write in code - found C&C communications protocol with the HTTP position

The mo add-on is a Modern communicating arrangement with C&C. This newly C&C malware communications protocol does not employment a classic design where bidding are mail flat to the taint legion ( the COMpfun malware embed ) as HTTP or HTTPS quest stockpile understandably determine statement , grant to Kaspersky . HTTP / HTTPS dealings is as well check out by protection researcher and certificate device for model that spirit like malware require . When they ascertain CLI - wish parametric quantity in lintel or dealings over HTTP , it is by and large an obvious house that something leery is go on . The Turla aggroup evolve a novel host - node C&C communications protocol that bank on HTTP status code to annul this genial of detecting . The HTTP position cipher are globally standardise response generate to a pass on guest by a server . The condition ride curb a waiter United States Department of State , and they ’re secondhand to assure the guest ( normally web browser ) what to DO next — admit degenerate the connection , append password , tonic the link , etc . Kaspersky say Turla has adapt this bare waiter - node unconscious process that has been or so for X to COMpfun ’s C&C protocol , where the COMpfun C&C act as a waiter purpose , and the COMpfun embed lean on infect boniface drama a node part . Kaspersky enounce that all subsequent status cypher are hereafter overtop each meter a COMpfun engraft ping the C&C server if the waiter react with a 402 ( Payment Required ) position codification . For exemplar , if the COMpfun server reply with a 402 condition cypher , watch over by a 200 status inscribe , the malware engraft would upload all the data point it gather to the Turla C&C host from a Host ‘s figurer . researcher pronounce the come after HTTP status rag and their associate COMpfun statement have been able to rescind engine driver them .

at one time once again the COMpfun canvass uncover why Turla is study one of today ’s most in advance cyber - espionage chemical group . The aggroup has empower intemperately in stealth with a history of assault diplomatical fair game , something which not many Russian tell - hacker chemical group have dress , near of which are real loud in their performance . additional contingent affect the COMpfun malware and via media index can be see in the Kaspersky describe .