chg: [tool] COMPfun - Reductor added

Ref: https://securelist.com/compfun-successor-reductor/93633/
This commit is contained in:
Alexandre Dulaunoy 2019-10-03 14:25:44 +02:00
parent 3e12089450
commit 9e82b025b5
Signed by: adulau
GPG key ID: 09E2CD4944E6CBCD


@ -7823,7 +7823,28 @@
}, },
"uuid": "ae82a19e-2334-4e72-b55c-79b4ba4f137f", "uuid": "ae82a19e-2334-4e72-b55c-79b4ba4f137f",
"value": "TVSPY" "value": "TVSPY"
},
{
"value": "COMpfun",
"uuid": "b2c2d42b-a6a3-4ab0-a013-eb1c7461aca9",
"description": "The COMpfun malware was initially documented by G-DATA in 2014. Although G-DATA didnt identify which actor was using this malware, Kaspersky tentatively linked it to the Turla APT, based on the victimology. Our telemetry indicates that the current campaign using Reductor started at the end of April 2019 and remained active at the time of writing (August 2019). We identified targets in Russia and Belarus.",
"meta": {
"refs": [
"https://securelist.com/compfun-successor-reductor/93633/",
"https://www.gdatasoftware.com/blog/2014/10/23941-com-object-hijacking-the-discreet-way-of-persistence"
]
}
},
{
"value": "Reductor",
"uuid": "a577bb0d-9732-449a-80f7-5e6c93e6046c",
"description": "We called these new modules Reductor after a .pdb path left in some samples. Besides typical RAT functions such as uploading, downloading and executing files, Reductors authors put a lot of effort into manipulating digital certificates and marking outbound TLS traffic with unique host-related identifiers. The Kaspersky Attribution Engine shows strong code similarities between this family and the COMPfun Trojan. Moreover, further research showed that the original COMpfun Trojan most probably is used as a downloader in one of the distribution schemes. Based on these similarities, were quite sure the new malware was developed by the COMPfun authors.",
"meta": {
"refs": [
"https://securelist.com/compfun-successor-reductor/93633/"
]
}
} }
], ],
"version": 124 "version": 125
} }
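Review bot: the two new descriptions carry dropped apostrophes that should be fixed before merge: "didnt" in the COMpfun entry, and "Reductors authors" and "were quite sure" in the Reductor entry (read "didn't", "Reductor's authors", "we're quite sure"). The COMpfun description also contains the sentence "Our telemetry indicates that the current campaign using Reductor started at the end of April 2019 ...", which describes the Reductor campaign rather than COMpfun and would fit better in the Reductor entry, or be dropped from COMpfun. The name is written "COMpfun" in the cluster value but "COMPfun" in the commit message and in the Reductor description; consider adding the alternate casing under "meta.synonyms" so lookups on either spelling match. Since the Reductor text states strong code similarities with COMpfun and that COMpfun is probably used as its downloader, the two entries could also reference each other through the galaxy "related" field using the uuids added here (b2c2d42b-a6a3-4ab0-a013-eb1c7461aca9 and a577bb0d-9732-449a-80f7-5e6c93e6046c). The version bump to 125 is present, as expected for a cluster change.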