Kaspersky researchers uncovered a new cyber espionage operation with a focus on diplomatic bodies in Europe that uses spoofed visa applications to deliver a new malware trojan.

The new malware is built from the same code base as the stealthy COMPFun remote access trojan (RAT) and may be the work of the Turla APT, a group that has a long history of using innovative methods to build malware and launch stealthy attacks.

According to a new report, the fake visa application contain a first-stage dropper that downloads the main payload on a infected host. This payload logs the target’s location, gathers host- and network-related data, records keystrokes, and takes screenshots. The malware also monitors USB devices using them as a way to spread further and receives commands from the command-and-control (C2) server in the form of HTTP status codes.

“We observed an interesting C2 communication protocol utilizing rare HTTP/HTTPS status codes (check IETF RFC 7231, 6585, 4918). Several HTTP status codes (422-429) from the Client Error class let the Trojan know what the operators want to do. After the control server sends the status “Payment Required” (402), all these previously received commands are executed,” the researchers said.

“All the necessary function addresses resolve dynamically to complicate analysis. To exfiltrate the target’s data to the C2 over HTTP/HTTPS, the malware uses RSA encryption. To hide data locally, the Trojan implements LZNT1 compression and one-byte XOR encryption.”

The COMpfun malware was first spotted in 2014; five years later Kaspersky researchers discovered a new COMpfun version (aka Reductor), which was capable of infecting files on the fly to compromise TLS traffic.

While the researchers have not been able to find out how exactly the malicious code is being delivered to a target, they said that the first-stage dropper is downloaded from a shared directory; it has a file name related to the visa application process that “perfectly corresponds with the targeted diplomatic entities.”

The dropper dynamically resolves all the required Windows API function addresses and puts them into structures. It then decrypts the next stage malware from its resource (.rsrc) section.

The malicious application comes masqueraded as a Portable Executable (PE) file, a .DOC or a .PDF file. The dropper urges users to run the file as administrator and if the user accepts, it then installs the version of the trojan that corresponds to the host’s architecture (either a Windows 32- and 64-bit version).

“The malware operators retained their focus on diplomatic entities and the choice of a visa-related application – stored on a directory shared within the local network – as the initial infection vector worked in their favor. The combination of a tailored approach to their targets and the ability to generate and execute their ideas certainly makes the developers behind COMPFun a strong offensive team,” the researchers concluded.