Researchers reveal details of active 'Comfoo' cyberespionage campaign

The trojan used in the RSA breach of 2010 is still active and targeting corporate and government targets worldwide; over 200 variants of 'Comfoo' recently discovered by researchers.
Written by Charlie Osborne, Contributing Writer

A cyberespionage campaign which targeted the RSA in 2010 is still active and targeting networks worldwide.

Dell SecureWorks researchers Joe Stewart and Don Jackson have released a new threat intelligence report documenting the "Comfoo" remote access trojan (RAT) -- malware used to infiltrate corporate and governmental networks across the globe.

The so-called Advanced Persistent Threat (APT) attack is simply one of many that organizations are scrambling to defend against as cyberthreats become more sophisticated, and in some cases, state-sponsored.

Corporations and governments rely heavily upon digital networks to store valuable data. Bank accounts, national security data, trade secrets and confidential governmental programs are only some of the targets that can be lucrative for a hacker to acquire -- whether for personal gain or on a competitor's orders. As a result, the cybercrime market is booming -- and we often see reports of household-name businesses and agencies gaining cybercriminal attention.

APT attacks stand apart from garden-variety script kiddies or low-profile fraudulent schemes. Those behind APT attacks are often well-trained and have access to resources and funding. As data from corporations and governments can be so valuable, hackers with the time and money to spend are able to "exercise virtually unlimited patience in penetrating and persisting inside their specific target's network until they accomplish their goals," according to the researchers.

A trademark of APT attacks is the use of malware. Once backdoor access has been granted through the use of malicious code, hackers can patiently and persistently lurk in a network until the targeted information can be stolen.

The Comfoo trojan campaign is a prime example of an advanced persistent threat. Comfoo has been in operation since at least 2006, and first came to light as part of the RSA data breach in 2010. According to the report, the trojan has been used in at least 64 targeted attacks worldwide, and there are hundreds of variants of the RAT.

To lurk within a corporate system, the Comfoo RAT often replaces the DLL path of an "existing unused service rather than installing a new service," which is less likely to be noticed by system administrators. A rootkit is also sometimes used to hide Comfoo disk files. Network traffic generated by the RAT is encrypted in order to securely send data back to the malware's command and control centers.
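One practical check prompted by the persistence technique described above is to audit which DLL each svchost-hosted Windows service actually loads. The script below is an added example written for this article, not code from the SecureWorks report; the allow-listed system directories are an assumption, and any service it flags still needs manual triage against a known-good baseline.

```powershell
# Added example: list svchost-hosted services whose ServiceDll points outside the
# Windows system directories, is missing on disk (rootkit-hidden files show up
# this way), or fails Authenticode validation. Run from an elevated prompt.
$servicesKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services'
# Assumption: legitimate service DLLs live under these two directories.
$expectedDirs = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")

Get-ChildItem $servicesKey | ForEach-Object {
    $svc        = $_
    $paramsPath = Join-Path $svc.PSPath 'Parameters'
    if (-not (Test-Path $paramsPath)) { return }          # not an svchost-style service

    $dll = (Get-ItemProperty -Path $paramsPath -ErrorAction SilentlyContinue).ServiceDll
    if (-not $dll) { return }

    $expanded  = [Environment]::ExpandEnvironmentVariables($dll)
    $dir       = Split-Path $expanded -Parent
    $inSysDir  = [bool]($expectedDirs | Where-Object { $dir -like "$_*" })
    $startType = (Get-ItemProperty -Path $svc.PSPath -ErrorAction SilentlyContinue).Start  # 2=auto 3=manual 4=disabled

    # A file that the registry references but the filesystem cannot see is itself suspicious.
    $sigStatus = if (Test-Path $expanded) { (Get-AuthenticodeSignature $expanded).Status } else { 'FileMissing' }

    [pscustomobject]@{
        Service          = $svc.PSChildName
        StartType        = $startType
        ServiceDll       = $expanded
        Signature        = $sigStatus
        OutsideSystemDir = -not $inSysDir
    }
} | Where-Object { $_.OutsideSystemDir -or $_.Signature -ne 'Valid' } | Format-Table -AutoSize
```

Rather than trusting a single run, export the full (unfiltered) object list from a clean build and diff later runs against it, since a replaced path under a rarely started service is exactly what this technique relies on going unnoticed.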

The researchers could not see the data that was lifted, but were able to plot out the network and see how Comfoo logged keystrokes, accessed and downloaded files, executed commands and was able to open command shares. A relay server -- part of the C&C -- is able to take control of a vulnerable network through the use of the encryption method and static encryption key hard-coded within the Comfoo binary.


While monitoring the RAT, researchers found that government entities and private firms based in the U.S., Europe, and Asia Pacific were often infected. Many Japanese and Indian governmental bodies were targeted, as well as educational institutions, media, telecommunications companies and energy firms.


Interestingly, audio and videoconferencing firms are also a frequent target. The researchers speculate that this may be due to hackers seeking intellectual property, or the trojan may have been used to quietly listen in on commercial and government organizations.

Dell's researchers have not revealed the identity of the targeted organizations, but have informed them of the security breach. However, they also caution that there are likely to be "hundreds more unidentified victims" given the number of variants found and the time the cyberespionage campaign has been in operation.

Read the full report.
