Comfoo – the APT RAT that Ratted on RSA

Comfoo has been used in at least 64 different campaigns, including the RSA SecurID breach in 2010
Comfoo has been used in at least 64 different campaigns, including the RSA SecurID breach in 2010

Dell SecureWorks Counter Threat Unit (CTU) has now published details of its recent research into Comfoo. It's not a well-known trojan because it is a typical advanced persistent threat (APT): sparsely used in a targeted fashion, and with extensive evasion techniques built-in. Anti-virus software does not have a good record against Comfoo – attackers seem to check for the victim's AV and then tweak the trojan to beat that particular defense.

The main capabilities of the malware are system and network information gathering; keystroke logging; screen capture; file uploading, downloading and execution; and a command shell.

The trojan itself has not been entirely unknown to researchers – Trend Micro mentioned it in a paper published in 2012. CTU, however, analyzed the malware to find its command-and-control server; that is, the destination for stolen data. What it found was a 'rendezvous server' – a device used to hide the location of the malware master.

Under this process, the infected victim computer would send stolen data to the rendezvous server. The hacker/s would simply connect to this server and collect the data, without the rendezvous server ever knowing where the hackers are located. While this device protects the location of the hackers, it also provides CTU with a way to learn more about the malware and its campaigns.

"Researchers can passively monitor victims’ logins to the relay servers (sending no commands) by connecting to the correct port on the correct IP address at the right time. This technique is analogous to viewing webserver log data stored in a publicly accessible directory on a C2 server," explained the CTU researchers.

CTU found and started monitoring dozens of these relay servers, starting around January 2012. "While monitoring Comfoo, CTU researchers detected more than 200 variants of the trojan and 64 different campaign tags used by the threat actors to organize their campaigns. Numerous government entities and private companies based in the United States, Europe, and Asia Pacific had Comfoo-infected computers phoning home to the Comfoo C2 infrastructure."

Comfoo activity with the monitored relay servers has now tailed off, leaving CTU to publish its findings without fear of tipping off the hackers. It has notified all known victims and law enforcement. However, warned the researchers, "Based on the number of campaign tags observed in malware samples versus those seen in live monitoring by the CTU research team, there are likely hundreds more unidentified victims."

What’s Hot on Infosecurity Magazine?