Últimas notícias

Fique informado

HTTP Status Codes Command This Malware How to Control Hacked Systems

15 de maio de 2020


Comitê Gestor da ICP-Brasil aprova emissão primária por videoconferência

A aprovação cria o amparo jurídico necessário para a edição da Instrução Normativa que regulamentará e viabilizará o processo operacional da emissão primária de Certificados Digitais através de videoconferência.

22 de janeiro de 2021

Veja o que diz Miguel Martins da AET Europe sobre gerenciamento de eIDS

Como traçar a estratégia de IAM para sua organização? Confira o que diz a AET Europe, líder global em gerenciamento de identidades.

19 de janeiro de 2021

Reconhecimento facial sem prova de vida está com os dias contados, afirma CEO de uma das principais plataformas brasileiras de biometria facial

Conversamos com José Luis Volpini, CEO da CredDefense, uma das pioneiras e mais conceituadas plataformas de biometria facial do mercado brasileiro.

6 de janeiro de 2021

Carimbo do Tempo dá início ao fim da era dos protocolos proprietários na ICP-Brasil. Ouça

Segundo Dr. Roberto Gallo, o fim da era dos protocolos proprietários na ICP-Brasil tem data marcada e deve beneficiar fabricantes, prestadores de serviços e clientes finais.

28 de dezembro de 2020

Blockchain and Decentralized Identity: How Transparency Can Improve Identity Verification for Banks

When re-framing decentralized identity problem from one that banks must solve individually, to one that banks can solve collectively.

27 de abril de 2020

A new version of COMpfun remote access trojan (RAT) has been discovered in the wild that uses HTTP status codes to control compromised systems targeted in a recent campaign against diplomatic entities in Europe

The cyberespionage malware—traced to Turla APT with “medium-to-low level of confidence” based on the history of compromised victims—spread via an initial dropper that masks itself as a visa application, the Global Research and Analysis Team at Kaspersky discovered.

The Turla APT, a Russian-based threat group, has a long history of carrying out espionage and watering hole attacks spanning various sectors, including governments, embassies, military, education, research, and pharmaceutical companies.

First documented by G-Data in 2014, COMpfun received a significant upgrade last year (called “Reductor”) after Kaspersky found that the malware was used to spy on a victim’s browser activity by staging man-in-the-middle (MitM) attacks on encrypted web traffic via a tweak in the browser’s random numbers generator (PRNG).

In addition to functioning as a fully-featured RAT capable of capturing keystrokes, screenshots, and exfiltrating sensitive data, this new variant of COMpfun monitors for any removable USB devices plugged to the infected systems to spread further and receives commands from an attacker-controlled server in the form of HTTP status codes.

“We observed an interesting C2 communication protocol utilizing rare HTTP/HTTPS status codes (check IETF RFC 7231, 6585, 4918),” the researchers said. “Several HTTP status codes (422-429) from the Client Error class let the Trojan know what the operators want to do. After the control server sends the status ‘Payment Required’ (402), all these previously received commands are executed.”

HTTP status codes are standardized responses issued by a server in response to a client’s request made to the server. By issuing remote commands in the form of status codes, the idea is to obfuscate any detection of malicious activity while scanning internet traffic.

“The authors keep the RSA public key and unique HTTP ETag in encrypted configuration data. Created for web content caching reasons, this marker could also be used to filter unwanted requests to the C2, e.g., those that are from network scanners rather than targets.”

“To exfiltrate the target’s data to the C2 over HTTP/HTTPS, the malware uses RSA encryption. To hide data locally, the Trojan implements LZNT1 compression and one-byte XOR encryption.”

While the exact modus operandi behind how the malicious visa application is delivered to a target remains unclear, the initial dropper, upon download, runs the next stage of malware, which communicates with the command-and-control (C2) server using an HTTP status-based module.

“The malware operators retained their focus on diplomatic entities, and the choice of a visa-related application — stored on a directory shared within the local network — as the initial infection vector worked in their favor,” Kaspersky researchers concluded.

The combination of a tailored approach to their targets and the ability to generate and execute their ideas certainly makes the developers behind COMpfun a strong offensive team.

Source: The Hacker News

Why Businesses Need an SDP during the Coronavirus Crisis

14 Tech Pros Predict The Next Big Thing In Cybersecurity And Encryption

NIST – Blockchain Identity Management Systems – Draft White Paper

Keep up with Crypto ID, we have everything thing you need in our international section!

  Explore other articles! ] i