Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

New RAT Hijacks COM Objects for Persistence, Stealthiness

Researchers have uncovered a remote administration tool (RAT) that uses a novel technique to stay persistent on infected systems and avoid detection.

Researchers have uncovered a remote administration tool (RAT) that uses a novel technique to stay persistent on infected systems and avoid detection.

The RAT, dubbed “COMpfun,” has been analyzed by experts from G DATA Software’s SecurityLabs. When it comes to functionality, the malware is not out of the ordinary. It can be used to log keystrokes, take screenshots, download and upload files, execute code, and for other specific tasks.

The threat can run on both 32 and 64-bit versions of Microsoft Windows (up to Windows 8), and it relies on HTTPS and RSA encryption to communicate with its command and control (C&C) server.

What makes COMpfun interesting is the fact that it injects itself into the processes running on compromised systems by hijacking legitimate Component Object Model (COM) objects.

COM allows developers to manipulate and control the objects of other applications. Each of these objects has a unique identifier called CLSID.

When it’s installed on a system, the RAT creates two files, after which it creates two registry entries to define COM objects with the CLSIDs {b5f8350b-0548-48b1-a6ee-88bd00b4a5e7} and {BCDE0395-E52F-467C-8E3D-C4579291692E}. These IDs are already assigned to two Microsoft libraries that are used by several applications, including the Web browser. However, by defining objects with the same CLSIDs, the originals are replaced with the new ones.

Once this is done, the malicious libraries are loaded into processes instead of the legitimate Microsoft libraries. This ensures not only that the RAT is persistent, but it also makes it more difficult to detect.

“As soon as the infection was successful, Microsoft Windows then natively executes the library in the processes of the infected user. Hence, the attacking process is hard to be identified. Using COM hijacking is undoubtedly silent. It is not even detected by Sysinternals’ Autoruns,” G DATA researcher Paul Rascagnères wrote in a blog post.

Advertisement. Scroll to continue reading.

 

Many antiviruses monitor systems for DLL injections, but since COMpfun doesn’t rely on DLL injections, some security solutions might miss the threat. Rascagnères has warned that any type of malware could leverage this technique to become stealthy.

COMpfun is not the only RAT that abuses COM. Back in August, G DATA detailed IcoScript, a piece of malware that leveraged COM to control Internet Explorer. By taking control of the Web browser, cybercriminals have been able to carry out various actions, such as accessing websites, entering credentials, pressing buttons on pages, and exfiltrating data.

In the case of IcoScript, cybercriminals leveraged the technique to access Yahoo Mail accounts and use them for C&C communications. Researchers noted at the time that the attackers could have used other webmail services as well, such as Gmail.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this event as we dive into threat hunting tools and frameworks, and explore value of threat intelligence data in the defender’s security stack.

Register

Learn how integrating BAS and Automated Penetration Testing empowers security teams to quickly identify and validate threats, enabling prompt response and remediation.

Register

People on the Move

Edge Delta has appointed Joan Pepin as its Chief Information Security Officer.

Vats Srivatsan has been appointed interim CEO of WatchGuard after Prakash Panjwani stepped down.

Network security policy management firm FireMon has appointed Alex Bender as Chief Marketing Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.