The Comfoo remote access Trojan (RAT), a cyber espionage campaign that targeted RSA in 2010, is alive and well going after networks across the globe.
The Advanced Persistent Threat (APT) attack gets into corporate and governmental networks across the globe, said Dell SecureWorks researchers Joe Stewart and Don Jackson in their new threat intelligence report.
APT attacks stand apart because the attackers know what to do and where to go and have access to resources and funding. As data from corporations and governments can be valuable, with the time and money to spend, hackers are able to “exercise virtually unlimited patience in penetrating and persisting inside their specific target’s network until they accomplish their goals,” according to the researchers.
A trademark of APT is the use of malware. Once the attacker gains backdoor access, he or she can patiently and persistently lurk in a network until he or she gets what they were looking for.
The Comfoo campaign is a solid APT. Comfoo has been around since at least 2006, and first came to light as part of the RSA data breach in 2010. According to the SecureWorks report, the Trojan has seen use in at least 64 targeted attacks worldwide, and there are hundreds of variants of the RAT.
To lurk within a corporate system, the Comfoo RAT often replaces the DLL path of an “existing unused service rather than installing a new service,” which system administrators are less likely to notice. A rootkit is also sometimes hides Comfoo disk files. Network traffic generated by the RAT ended up encrypted in order to securely send data back to the malware’s command and control centers.
The researchers could not see the lifted data, but they were able to plot out the network and see how Comfoo logged keystrokes, accessed and downloaded files, executed commands and was able to open command shares. A relay server, part of the C&C, is able to take control of a vulnerable network through the use of the encryption method and static encryption key hard-coded within the Comfoo binary.
While monitoring the RAT, researchers found government entities and private firms based in the U.S., Europe, and Asia Pacific often suffered infection. Japanese and Indian governmental bodies were targets, as well as educational institutions, media, telecommunications companies and energy firms.
In addition, audio and videoconferencing firms are also a frequent target. The researchers said this may be due to hackers seeking intellectual property, or the Trojan may have quietly listened in on commercial and government organizations.
Dell’s researchers did not release the names of the targeted organizations, but has informed them of the security breach. They did say there is likely to be “hundreds more unidentified victims.”