G DATA: Fresh RAT ‘COMpfun’ Employs New Persistence Mechanism

Security experts of security firm G DATA have recognized a fresh RAT (Remote Administration Tool) which uses a novel persistence mechanism which has never been used before. Security experts also analysed and found that it is known as COMpfun and named after (4char-random) value of the malware called "pfun".

The RAT supports both 64-bit and 32-bit versions of Windows up-to Windows 8 OS. The characteristics are rather indigenous for today's Spying-Gen tools known as; screenshot taking, code execution possibility, file management (upload and download), key logging and many more. RAT uses HTTPS and an asymmetric encryption (RSA) to converse back to the server of the hacker for command and control.

The highlight is the usage of persistence mechanism: RAT uses an object of working COM and enters into the processes of the hijacked machine. Moreover, it is very surprising that this compromising does not require any type of administrative privileges. Spying can be done on the compromised machine for a long time easily with this malware as this is really an advanced level of detection skirting and persistence mechanism.

Securityweek.com published news on 31st October, 2014 quoting a blog of Paul Rascagneres, a Researcher with G DATA, as "Microsoft Windows natively executes the library in the processes of the infected user as soon as the infection was done."

Many antiviruses monitor systems for DLL (Dynamic Link Library) injections but some security solutions might miss the threat as COMpfun doesn't rely on DLL injections. Rascagneres has warned that any kind of malware could leverage this technique to become silent.

COMpfun is not the only RAT abusing COM. In August 2014, G DATA detailed IcoScript which is a piece of malware leveraging COM to control Internet Explorer. Cybercriminals have been able to carry out many actions by controlling the Web browser like accessing websites, pressing buttons on pages, entering credentials and exfiltrating data.

Cybercriminals leveraged the technique to enter Yahoo Mail accounts in case of IcoScript and use them for C & C communications. Researchers observed at that time that the attackers could have used other webmail services also like Gmail.

» SPAMfighter News - 11/11/2014