
Innovative Spy Trojan Targets European Diplomatic Targets
2020-05-14 20:59

A fresh malware trojan has emerged, built from the same code base as the stealthy COMPFun remote access trojan.

The malware is using spoofed visa applications to hit diplomatic targets in Europe and may be the work of the Turla APT. According to researchers at Kaspersky, the fake visa application harbors code that acts as a first-stage dropper.

"As in previous malware from the same authors, to exfiltrate the target's data to the C2 over HTTP/HTTPS, the malware uses RSA encryption. To hide data locally, the trojan implements LZNT1 compression and one-byte XOR encryption."

"The malware operators retained their focus on diplomatic entities and the choice of a visa-related application - stored on a directory shared within the local network - as the initial infection vector worked in their favor," the researchers explained.

Commands from the C2 include orders to the malware to: Send collected target data to C2; uninstall and delete COM-hijacking persistence and corresponding files on disk; install and create COM-hijacking persistence and drop corresponding files to disk; fingerprint target with host, network and geolocation data; get new commands; propagate self to USB devices on target; and enumerate network resources on target.
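The researchers quoted above note that the trojan hides collected data on disk with LZNT1 compression followed by one-byte XOR. A single-byte XOR key has only 256 possible values, so an analyst who finds such an artifact can recover the key by trying every candidate and keeping the one whose output looks right. The following script is an added example written for this page; it is not code from the article, from Kaspersky, or from the malware. The hostname, user and address values in the sample record are constructed, the key 0x9C is chosen arbitrarily, and the LZNT1 chunk-header check relies on the documented Windows LZNT1 layout (a 3-bit signature of 3 in bits 12-14 of each chunk header), which is stated here as an assumption of the example rather than something the article describes.

```python
"""Brute-force recovery of a one-byte XOR key from an obfuscated artifact.

Added example for this news page (not the article's or Kaspersky's code).
Two situations are covered:
  * the decoded data is text, ranked by "looks like text" heuristics;
  * the decoded data is an LZNT1 stream, where the chunk header can only
    narrow the 256 keys to a shortlist that is then decompressed on Windows.
"""
from string import ascii_letters, digits, punctuation

PRINTABLE = set((ascii_letters + digits + punctuation + " \t\r\n").encode())


def xor1(data: bytes, key: int) -> bytes:
    """XOR every byte with the same key; the operation is its own inverse."""
    return bytes(b ^ key for b in data)


def text_score(buf: bytes) -> tuple[float, int]:
    """Rank a candidate plaintext: printable fraction first, then number of
    spaces. Space is the most common byte in Western text, and a wrong key
    moves it somewhere else, so this breaks ties between near-miss keys."""
    if not buf:
        return (0.0, 0)
    printable = sum(b in PRINTABLE for b in buf) / len(buf)
    return (printable, buf.count(0x20))


def recover_text_key(blob: bytes) -> tuple[int, bytes]:
    """Try all 256 keys and return (key, plaintext) for the best-scoring one."""
    best_key = max(range(256), key=lambda k: text_score(xor1(blob, k)))
    return best_key, xor1(blob, best_key)


def looks_like_lznt1_chunk(buf: bytes) -> bool:
    """True if the first two bytes form a plausible LZNT1 chunk header.
    Assumption used by this example: the header is a little-endian word whose
    bits 12-14 carry the constant signature 3 (bit 15 = compressed flag,
    bits 0-11 = chunk size - 3)."""
    if len(buf) < 2:
        return False
    header = int.from_bytes(buf[:2], "little")
    return (header & 0x7000) == 0x3000


def lznt1_key_candidates(blob: bytes) -> list[int]:
    """Keys under which the blob decodes to something with a valid LZNT1
    chunk header. Only three header bits are fixed, so this shortlists
    32 of the 256 keys; each survivor still has to be decompressed."""
    return [k for k in range(256) if looks_like_lznt1_chunk(xor1(blob, k))]


# ---- constructed sample data (not real artifacts) -------------------------
SAMPLE_KEY = 0x9C  # arbitrary key for the demonstration
# A made-up fingerprint-style record of the kind the article says the trojan
# collects (host, network, geolocation); every value here is invented.
SAMPLE_PLAINTEXT = (
    b"host=WS-07 user=analyst os=Windows 10 gateway=192.168.1.1 country=XX\n"
)
SAMPLE_TEXT_BLOB = xor1(SAMPLE_PLAINTEXT, SAMPLE_KEY)

# A constructed LZNT1-looking chunk: header 0xB0FF (compressed flag set,
# signature 3, size field 0xFF) followed by filler bytes, then XOR-obfuscated.
SAMPLE_LZNT1_BLOB = xor1((0xB0FF).to_bytes(2, "little") + b"\x00" * 14, SAMPLE_KEY)


if __name__ == "__main__":
    key, plain = recover_text_key(SAMPLE_TEXT_BLOB)
    print(f"text key 0x{key:02x}: {plain!r}")
    cands = lznt1_key_candidates(SAMPLE_LZNT1_BLOB)
    print(f"{len(cands)} LZNT1 candidate keys, true key included: {SAMPLE_KEY in cands}")
```

For the LZNT1 case the shortlist is the useful output: each candidate can be decompressed with the Windows RtlDecompressBuffer API (COMPRESSION_FORMAT_LZNT1), and only the correct key yields a stream that decompresses cleanly. The wider point for detection engineering is that one-byte XOR offers no confidentiality; its purpose is to defeat naive string scanning, so file-level rules that look for the cleartext markers will miss these artifacts while a 256-key sweep like this one does not.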


News URL

https://threatpost.com/innovative-spy-trojan-european-diplomatic-targets/155763/