In November 2019, Kaspersky technologies revealed new malware with a focus on diplomatic bodies in Europe, with the initial dropper spread as a spoofed visa application. Further analysis has indicated that this spyware uses the same code base as the infamous COMPFun.
Spyware focuses on propagating across the victims’ devices to collect and transmit data to the actor. It is widely used by various APTs and its danger is equal to the selected victimology: be it government or critical infrastructure segments, harvested information could pose a great value to the malware operators and bring many changes to the affected landscape.
The detected malware has strong code similarities with COMPFun, first reported in 2014. In 2019, the industry already witnessed it successor, Reductor. The new Trojan’s functions include the ability to acquire the target’s geolocation, gather host- and network-related data, keylogging and screenshots.
According to Kaspersky experts, this is a full-fledged Trojan that is also capable of propagating itself on removable devices. Its first stage dropper that is downloaded from the shared local area network holds the file name related to the visa application process, which corresponds with the targeted diplomatic entities. The legitimate application is kept encrypted inside the dropper, along with the 32- and 64-bit next stage malware.
Based on victimology, Kaspersky associates the original COMPfun malware with the Turla APT with medium-to-low level of confidence.
“The malware operators retained their focus on diplomatic entities and the choice of a visa-related application – stored on a directory shared within the local network – as the initial infection vector worked in their favor. The combination of a tailored approach to their targets and the ability to generate and execute their ideas certainly makes the developers behind COMPFun a strong offensive team,” says Kurt Baumgartner, principal security researcher at Kaspersky.
To keep organizations protected from threats such as COMPfun, Kaspersky suggests the following measures:
- Perform regular security audits of an organization’s IT infrastructure.
- Use a proven endpoint security solution, such as Kaspersky Endpoint Security for Business with file threat protection, and always keep it up-to-date so it can detect the latest types of malware.
- For endpoint level detection, investigation and timely remediation of incidents, implement EDR solutions such as Kaspersky Endpoint Detection and Response.
- In addition to adopting essential endpoint protection, implement a corporate-grade security solution that detects advanced threats on the network level at an early stage, such as Kaspersky Anti Targeted Attack Platform.
- Provide your SOC team with access to the latest Threat Intelligence, to keep up-to-date with the new and emerging tools, techniques and tactics used by threat actors and cybercriminals.
Find more details on Securelist.
About KasperskyKaspersky is a global cybersecurity company founded in 1997. Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky technologies and we help 250,000 corporate clients protect what matters most to them. Learn more at www.kaspersky.com.
© Press Release 2020
Disclaimer: The contents of this press release was provided from an external third party provider. This website is not responsible for, and does not control, such external content. This content is provided on an “as is” and “as available” basis and has not been edited in any way. Neither this website nor our affiliates guarantee the accuracy of or endorse the views or opinions expressed in this press release.
The press release is provided for informational purposes only. The content does not provide tax, legal or investment advice or opinion regarding the suitability, value or profitability of any particular security, portfolio or investment strategy. Neither this website nor our affiliates shall be liable for any errors or inaccuracies in the content, or for any actions taken by you in reliance thereon. You expressly agree that your use of the information within this article is at your sole risk.
To the fullest extent permitted by applicable law, this website, its parent company, its subsidiaries, its affiliates and the respective shareholders, directors, officers, employees, agents, advertisers, content providers and licensors will not be liable (jointly or severally) to you for any direct, indirect, consequential, special, incidental, punitive or exemplary damages, including without limitation, lost profits, lost savings and lost revenues, whether in negligence, tort, contract or any other theory of liability, even if the parties have been advised of the possibility or could have foreseen any such damages.
