ComeBacker
Intelligence Profile
ComeBacker was found in a backdoored Visual Studio project that was used to target security researchers in Q4 2020 and early 2021.
It is an HTTP(S) downloader.
It uses the AES CBC cipher implemented through the OpenSSL's EVP interface for decryption of its configuration, and also for encryption and decryption of the client-server communication.
The parameter names in HTTP POST requests of the client are generated randomly. As the initial connection, the client exchanges the keys with the server via the Diffie–Hellman key agreement protocol for the elliptic curve secp521r1. The client generates a random 32-bytes long private key, and the server responds with its public key in a buffer starting with the wide character "0".
Next, the clients sends the current local time, and the server responds with a buffer containing multiple values separated with the pipe symbol. The typical values are the encrypted payload, the export to execute, and the MD5 hash of the decrypted DLL to verify the authenticity of the payload.
There are variants of ComeBacker without statically linked OpenSSL. In that case, the key exchange is omitted and AES CBC is replaced with HC-256.
Threat Analysis
ComeBacker is a known-sophistication threat actor of undetermined national origin, engaged in cyber operations with a primary motivation of unknown activity patterns.