Researchers have uncovered a remote administration tool (RAT) that uses a novel technique to stay persistent on infected systems and avoid detection.
The RAT, dubbed “COMpfun,” has been analyzed by experts from G DATA Software’s SecurityLabs. When it comes to functionality, the malware is not out of the ordinary. It can be used to log keystrokes, take screenshots, download and upload files, execute code, and for other specific tasks.
The threat can run on both 32 and 64-bit versions of Microsoft Windows (up to Windows 8), and it relies on HTTPS and RSA encryption to communicate with its command and control (C&C) server.
What makes COMpfun interesting is the fact that it injects itself into the processes running on compromised systems by hijacking legitimate Component Object Model (COM) objects.
COM allows developers to manipulate and control the objects of other applications. Each of these objects has a unique identifier called CLSID.
When it’s installed on a system, the RAT creates two files, after which it creates two registry entries to define COM objects with the CLSIDs {b5f8350b-0548-48b1-a6ee-88bd00b4a5e7} and {BCDE0395-E52F-467C-8E3D-C4579291692E}. These IDs are already assigned to two Microsoft libraries that are used by several applications, including the Web browser. However, by defining objects with the same CLSIDs, the originals are replaced with the new ones.
Once this is done, the malicious libraries are loaded into processes instead of the legitimate Microsoft libraries. This ensures not only that the RAT is persistent, but it also makes it more difficult to detect.
“As soon as the infection was successful, Microsoft Windows then natively executes the library in the processes of the infected user. Hence, the attacking process is hard to be identified. Using COM hijacking is undoubtedly silent. It is not even detected by Sysinternals’ Autoruns,” G DATA researcher Paul Rascagnères wrote in a blog post.
Many antiviruses monitor systems for DLL injections, but since COMpfun doesn’t rely on DLL injections, some security solutions might miss the threat. Rascagnères has warned that any type of malware could leverage this technique to become stealthy.
COMpfun is not the only RAT that abuses COM. Back in August, G DATA detailed IcoScript, a piece of malware that leveraged COM to control Internet Explorer. By taking control of the Web browser, cybercriminals have been able to carry out various actions, such as accessing websites, entering credentials, pressing buttons on pages, and exfiltrating data.
In the case of IcoScript, cybercriminals leveraged the technique to access Yahoo Mail accounts and use them for C&C communications. Researchers noted at the time that the attackers could have used other webmail services as well, such as Gmail.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- In Other News: Government Use of Spyware, New Industrial Security Tools, Japan Router Hack
- Apple Denies Helping US Government Hack Russian iPhones
- Zero-Day in MOVEit File Transfer Software Exploited to Steal Data From Organizations
- Russia Blames US Intelligence for iOS Zero-Click Attacks
- Cisco Acquiring Armorblox for Predictive and Generative AI Technology
- Moxa Patches MXsecurity Vulnerabilities That Could Be Exploited in OT Attacks
- Organizations Warned of Salesforce ‘Ghost Sites’ Exposing Sensitive Information
- Organizations Warned of Backdoor Feature in Hundreds of Gigabyte Motherboards
Latest News
- Insider Q&A: Artificial Intelligence and Cybersecurity In Military Tech
- In Other News: Government Use of Spyware, New Industrial Security Tools, Japan Router Hack
- OpenAI Unveils Million-Dollar Cybersecurity Grant Program
- Galvanick Banks $10 Million for Industrial XDR Technology
- Information of 2.5M People Stolen in Ransomware Attack at Massachusetts Health Insurer
- US, South Korea Detail North Korea’s Social Engineering Techniques
- High-Severity Vulnerabilities Patched in Splunk Enterprise
- Idaho Hospitals Working to Resume Full Operations After Cyberattack
