Kaspersky security researchers recently discovered a new malware delivery system that exploits HTTP status codes.
Reports state that the delivery system takes advantage of standard HTTP status codes. The hackers are also using a new version of the COMpfun malware strain.
A new malware delivery system
The COMpfun malware has existed for a number of years. However, cybersecurity experts now report a new strain that uses a novel delivery system.
Security researchers say the new malware has been infecting hosts since November 2019. They add that it specifically targets diplomatic institutions in and around Europe.
Turla, a Russian hacking group, is the main suspect behind the campaign. The group runs a number of cyber-espionage operations targeting various operating systems.
The Turla group is also known for non-standard and novel attack methods. Its malware has a reputation for being innovative and stealthy.
Russian hacker group using HTTP status codes to control malware implants.
— Black Hat Ethical Hacking (@secur1ty1samyth) May 15, 2020
Telecommunication facilities are among the common targets of Turla. The group's best-known tools include email backdoors and modified Chrome and Firefox add-ons, and its sophisticated, novel techniques are built to evade detection.
In this recent campaign, Turla is making waves in the security community. The hackers rely on old but still dependable delivery methods: a command and control (C2) server issues its instructions to infected hosts in the form of HTTP status codes.
New malware strain
Aside from the updated delivery system, the hackers are also using a classic piece of malware called COMpfun. This strain is a remote access trojan (RAT). Once it infiltrates its target, it can collect screenshots, system configuration details, and keystrokes.
The malware collects this data and sends it to a remote server. COMpfun is relatively old: researchers first identified it in 2014. Kaspersky reports that the new strain has been upgraded to exploit vulnerabilities in newer machines.
What makes the new COMpfun malware effective is its delivery system. Current security tools inspect HTTP headers and traffic for malicious content. The Turla malware bypasses these checks by using a client-server protocol that relies mostly on HTTP status codes.
HTTP status codes are standard in almost every computer system. As the name implies, they tell the client the outcome of the request it sent to the server.
Evidence points to Russian cyber-actors. Cybersecurity experts agree that their motives include data gathering and remote monitoring.
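Because the commands travel in status codes rather than in headers or bodies, a defender has to look at the pattern of codes a client receives from a host rather than at payload content. The script below is an added example, not code from the article or from Kaspersky's report: it parses constructed proxy log lines (the line format, the host names and the particular status codes are all assumptions made for the example, not the real malware's command mapping) and flags client/host pairs whose responses are mostly uncommon status codes arriving on a regular beacon interval.

```python
import re
import statistics
from collections import defaultdict

# Status codes an ordinary browsing session produces routinely; anything
# outside this set counts as "unusual" for the heuristic below.
COMMON_CODES = {200, 204, 206, 301, 302, 304, 404}

# Assumed log format: "<epoch> <client_ip> <dst_host> <status> <bytes>".
# This is a constructed layout for the example, not a specific proxy's format.
LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\d{3})\s+(\d+)$")

# Constructed sample: one benign browsing session to www.example.com and one
# beacon-like session that polls a placeholder host every 60 seconds and gets
# back a rotating set of uncommon status codes (invented for the example).
SAMPLE_LOG = """\
1589500000 10.0.0.5 www.example.com 200 14213
1589500003 10.0.0.5 www.example.com 200 3301
1589500004 10.0.0.5 www.example.com 304 0
1589500009 10.0.0.5 www.example.com 302 0
1589500010 10.0.0.5 www.example.com 200 9870
1589500041 10.0.0.5 www.example.com 404 512
1589500060 10.0.0.5 c2-placeholder.example.net 402 0
1589500120 10.0.0.5 c2-placeholder.example.net 422 0
1589500180 10.0.0.5 c2-placeholder.example.net 402 0
1589500240 10.0.0.5 c2-placeholder.example.net 429 0
1589500300 10.0.0.5 c2-placeholder.example.net 451 0
1589500360 10.0.0.5 c2-placeholder.example.net 402 0
"""


def parse_log(text):
    """Yield (timestamp, client, host, status) for every well-formed line."""
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            ts, client, host, status, _size = match.groups()
            yield int(ts), client, host, int(status)


def score_pairs(records, min_requests=5):
    """Compute per (client, host) statistics: share of unusual status codes,
    number of distinct codes, and regularity of the request interval
    (coefficient of variation; near 0 means a fixed beacon period)."""
    groups = defaultdict(list)
    for ts, client, host, status in records:
        groups[(client, host)].append((ts, status))

    stats = {}
    for key, items in groups.items():
        if len(items) < min_requests:
            continue  # too few requests to judge
        items.sort()
        statuses = [s for _, s in items]
        unusual = sum(1 for s in statuses if s not in COMMON_CODES) / len(statuses)
        intervals = [b[0] - a[0] for a, b in zip(items, items[1:])]
        mean_gap = statistics.mean(intervals) if intervals else 0
        cv = statistics.pstdev(intervals) / mean_gap if mean_gap > 0 else float("inf")
        stats[key] = {
            "requests": len(items),
            "unusual_ratio": unusual,
            "distinct_codes": len(set(statuses)),
            "interval_cv": cv,
        }
    return stats


def find_suspicious(text, min_requests=5, unusual_ratio=0.5, max_cv=0.2):
    """Return (client, host) pairs where most responses are unusual codes
    and the requests arrive on a regular schedule."""
    stats = score_pairs(parse_log(text), min_requests)
    return sorted(
        key for key, v in stats.items()
        if v["unusual_ratio"] >= unusual_ratio and v["interval_cv"] <= max_cv
    )


if __name__ == "__main__":
    for client, host in find_suspicious(SAMPLE_LOG):
        print(f"suspicious status-code channel: {client} -> {host}")
```

The thresholds are starting points to tune against your own proxy baseline: content delivery hosts that legitimately answer 403 or 429 to a single client will raise the unusual ratio, so the interval regularity check is what keeps such hosts out of the alert list.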