Spyware and Spoofed Visa Application

A new spying trojan has been found to target European diplomatic entities through spoofed visa applications. This spyware is built on the same codebase as COMPFun. 

What is happening

In November 2019, new malware was detected targeting diplomatic bodies in Europe. The initial dropper was delivered as a spoofed visa application. The spyware spreads on user devices to collect data and transmit it to the threat actor, and it is used by several APTs.

The situation

  • The malware code is highly similar to that of COMPFun, which was first reported in 2014.
  • The functions of the trojan include gathering geolocation, network- and host-related data, taking screenshots, and keylogging.
  • The legitimate application is encrypted inside the dropper, along with the 32- and 64-bit next-stage malware.

What the experts are saying

  • Based on victimology, the malware has been associated with the Turla APT.
  • Kaspersky stated, “The combination of a tailored approach to their targets and the ability to generate and execute their ideas certainly makes the developers behind COMPFun a strong offensive team.” 

What you can do

  • Conduct regular security checks of the company’s IT infrastructure.
  • Use robust endpoint security solutions.
  • Provide the SOC team with better Threat Intelligence. 

Worth noting

  • This full-fledged trojan is capable of spreading itself to removable devices.
  • The IOCs can be found here.
  • The COMPFun developers made their presence known twice in the last year. In the first incident, they bypassed TLS traffic encryption by patching PRNG system functions. In the second, they implemented C2 communications based on HTTP status codes.

In essence

The combination of a well-planned approach to their targets and the capability to execute their plans makes the developers of the malware a strong offensive actor.