New RAT Hijacks COM Objects for Persistence, Stealthiness

Researchers have uncovered a remote administration tool (RAT) that uses a novel technique to stay persistent on infected systems and avoid detection.

The RAT, dubbed “COMpfun,” has been analyzed by experts from G DATA Software’s SecurityLabs. When it comes to functionality, the malware is not out of the ordinary. It can be used to log keystrokes, take screenshots, download and upload files, execute code, and for other specific tasks.

The threat can run on both 32 and 64-bit versions of Microsoft Windows (up to Windows 8), and it relies on HTTPS and RSA encryption to communicate with its command and control (C&C) server.

What makes COMpfun interesting is the fact that it injects itself into the processes running on compromised systems by hijacking legitimate Component Object Model (COM) objects.

COM allows developers to manipulate and control the objects of other applications. Each of these objects has a unique identifier called CLSID.

When it’s installed on a system, the RAT creates two files, after which it creates two registry entries to define COM objects with the CLSIDs {b5f8350b-0548-48b1-a6ee-88bd00b4a5e7} and {BCDE0395-E52F-467C-8E3D-C4579291692E}. These IDs are already assigned to two Microsoft libraries that are used by several applications, including the Web browser. However, by defining objects with the same CLSIDs, the originals are replaced with the new ones.

Once this is done, the malicious libraries are loaded into processes instead of the legitimate Microsoft libraries. This ensures not only that the RAT is persistent, but it also makes it more difficult to detect.

“As soon as the infection was successful, Microsoft Windows then natively executes the library in the processes of the infected user. Hence, the attacking process is hard to be identified. Using COM hijacking is undoubtedly silent. It is not even detected by Sysinternals’ Autoruns,” G DATA researcher Paul Rascagnères wrote in a blog post.

Many antiviruses monitor systems for DLL injections, but since COMpfun doesn’t rely on DLL injections, some security solutions might miss the threat. Rascagnères has warned that any type of malware could leverage this technique to become stealthy.

COMpfun is not the only RAT that abuses COM. Back in August, G DATA detailed IcoScript, a piece of malware that leveraged COM to control Internet Explorer. By taking control of the Web browser, cybercriminals have been able to carry out various actions, such as accessing websites, entering credentials, pressing buttons on pages, and exfiltrating data.

In the case of IcoScript, cybercriminals leveraged the technique to access Yahoo Mail accounts and use them for C&C communications. Researchers noted at the time that the attackers could have used other webmail services as well, such as Gmail.