New spying Trojan is targeting diplomatic entities in Europe via spoofed visa applications

  • In November last year, Kaspersky discovered a new malware that was attacking diplomatic bodies across Europe through spoofed visa applications.

The spyware, Reductor, focuses on propagating across the victims’ devices to collect and transmit data to the bad actor. It was widely used by various APTs and the danger it posed was equal to all victims, be it the government or critical infrastructure segments.
The spyware, Reductor, focuses on propagating across the victims’ devices to collect and transmit data to the bad actor. It was widely used by various APTs and the danger it posed was equal to all victims, be it the government or critical infrastructure segments. (Pixabay)

In November last year, Kaspersky had discovered a new malware that was attacking diplomatic bodies across Europe through spoofed visa applications. Further analysis revealed that this spyware, Reductor, had the same code base as the infamous COMPFun.

The spyware focused on propagating across the victims’ devices to collect and transmit data to the bad actor. It was widely used by various APTs and the danger it posed was equal to all victims, be it the government or critical infrastructure segments. The harvested information was of significant value to malware operators.

Reductor has strong code similarities with COMPFun that was first reported in 2014. Reductor’s functions include the ability to acquire the target’s geolocation, gather host and network-related data, keylogging and screenshots.

According to cybersecurity experts at Kaspersky, Reductor is a full-fledged Trojan that is also capable of propagating itself on removable devices. Its first-stage dropper that is downloaded from the shared local area network holds the file name related to the visa application process, which corresponds with the targeted diplomatic entities. The legitimate application is kept encrypted inside the dropper, along with the 32- and 64-bit next stage malware.

Based on victimology, Kaspersky associates the original COMPfun malware with the Turla APT with medium-to-low level of confidence.

“The malware operators retained their focus on diplomatic entities and the choice of a visa-related application – stored on a directory shared within the local network – as the initial infection vector worked in their favor. The combination of a tailored approach to their targets and the ability to generate and execute their ideas certainly makes the developers behind COMPFun a strong offensive team,” says Kurt Baumgartner, principal security researcher at Kaspersky.

To keep organisations protected from threats such as COMPfun, here are precautions that you can take:

- Perform regular security audits of an organisation’s IT infrastructure.

- Use a proven endpoint security solution with file threat protection, and always keep it up-to-date so it can detect the latest types of malware.

- For endpoint level detection, investigation and timely remediation of incidents, implement EDR solutions

- In addition to adopting essential endpoint protection, implement a corporate-grade security solution that detects advanced threats on the network level at an early stage.

- Provide your SOC team with access to the latest threat intelligence, to keep up-to-date with the new and emerging tools, techniques and tactics used by threat actors and cybercriminals.