
KOMPROGO

Posted: June 19, 2019

KOMPROGO is a backdoor Trojan that's part of the 'in-house' toolkit of APT32, also known as OceanLotus. These threat actors gain access to their targets through e-mail-based attacks and drop initial reconnaissance Trojans before moving on to specialized ones like KOMPROGO. Users should maintain proper network security standards to avert infections and use anti-malware solutions to remove KOMPROGO on sight.

Another Problem in Bloom by OceanLotus

The Vietnamese APT32 or OceanLotus group of hackers has a storied history of attacks across industries such as banking, Chinese hotel chains, and German manufacturing, among other sectors. Although it's generally far from the first stage of any attack, KOMPROGO occupies a weighty niche in their activities: a specialized Trojan that isn't available to others on the Dark Web and that provides a suite of system-controlling features. Its deployment tends to correlate with that of other threats that are also hallmarks of OceanLotus, such as the modular WINDSHIELD and the shell-command-supporting SOUNDBITE.

Like those two Trojans, KOMPROGO is a backdoor Trojan that maintains background persistence on the system to give remote attackers unrestricted control over the Windows computer. Malware experts find fewer features in KOMPROGO than in its fellows, but those it does support are highly invasive:

  • KOMPROGO can collect system information for later abuse via Windows Management Instrumentation (WMI), as well as by other methods.
  • KOMPROGO includes a reverse shell for communicating back to an OceanLotus C&C server, for purposes such as executing harmful code.
  • Using KOMPROGO, threat actors can control running processes, Registry settings, and files by opening, renaming, moving, deleting or editing them.
  • KOMPROGO also supports two-way file transfers for uploading or downloading files (for example, collecting data with the former or installing more Trojans with the latter).

Like any state-sponsored spyware tool, KOMPROGO runs with ongoing persistence on the system silently and has few to no user-observable symptoms.

Closing the Door that Vietnamese Hackers Built into Your PC

Workers and network administrators can help prevent KOMPROGO infections by monitoring its most likely vectors, which include targeted e-mail phishing attacks. Such strategies hinge on tailoring content that's relevant to the victim's industry or presenting credentials that encourage clicking on corrupted links or file attachments. OceanLotus also is known for exploiting vulnerabilities like CVE-2016-7255, which users can close by applying the official Microsoft security patches.

The modus operandi of KOMPROGO's threat actors implies that the Trojan will be one of the later stages of most attacks against vulnerable Windows PCs. Users should respond to a possible infection by assuming the presence of additional, supporting threats, disabling their Internet connections and isolating the computer from any local networks. Use updated, high-quality anti-malware products to uninstall KOMPROGO, which, as a Trojan backed by state-level resources, can obfuscate its presence and may evade some threat-detection rulesets.

KOMPROGO isn't a Cobalt Strike: its capabilities are deep-cutting but narrow, with an emphasis on letting hackers control a PC as if it were theirs. Unfortunately, anyone in a position to see KOMPROGO, other than PC security analysts, will be doing so from the point of view of an already-compromised victim.
