ComeBacker

ComeBacker was found in a backdoored Visual Studio project that was used to target security researchers in Q4 2020 and early 2021.

ComeBacker is a Windows malware family operated by Lazarus Group.

Background

It functions as an HTTP(S) downloader.

For decrypting its configuration and for both encrypting and decrypting client-server traffic, it relies on the AES CBC cipher accessed through OpenSSL's EVP interface.

The parameter names carried in the client's HTTP POST requests are randomly generated. On the initial connection the client performs a Diffie-Hellman key agreement over the elliptic curve secp521r1: it creates a random 32-byte private key, and the server replies with its public key in a buffer that begins with the wide character "0".

The client then sends the current local time, and the server answers with a buffer holding several pipe-delimited values, typically the encrypted payload, the export to execute, and the MD5 hash of the decrypted DLL used to confirm the payload's authenticity.
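To make that reply format concrete for analysts, here is an added example (not ComeBacker's own code) that parses the pipe-delimited buffer and performs the MD5 authenticity check described above. It assumes the field order payload|export|MD5 with a hex-encoded MD5, leaves out the AES CBC decryption step, and runs on constructed sample data.

```python
import hashlib
from dataclasses import dataclass

# Assumed layout of the server reply, based on the description on this page:
#   <encrypted payload>|<export to execute>|<MD5 of the decrypted DLL>
# The field order and the hex encoding of the MD5 are assumptions for this
# example; the page does not state them.


@dataclass(frozen=True)
class ServerReply:
    encrypted_payload: bytes
    export_name: str
    expected_md5: str


def parse_server_reply(buf: bytes) -> ServerReply:
    """Split the reply from the right so a '|' byte inside the ciphertext
    does not break the parse; only the last two fields are plain text."""
    parts = buf.rsplit(b"|", 2)
    if len(parts) != 3:
        raise ValueError(f"expected 3 pipe-delimited fields, got {len(parts)}")
    payload, export, md5_hex = parts
    export_name = export.decode("ascii")
    if not export_name or not export_name.isprintable():
        raise ValueError(f"export name is not plausible: {export_name!r}")
    md5_text = md5_hex.decode("ascii").strip().lower()
    if len(md5_text) != 32 or any(c not in "0123456789abcdef" for c in md5_text):
        raise ValueError("third field is not a 32-hex-digit MD5")
    return ServerReply(payload, export_name, md5_text)


def verify_decrypted_dll(decrypted_dll: bytes, reply: ServerReply) -> bool:
    """The downloader's authenticity check: MD5 of the decrypted DLL must
    equal the value the server sent alongside the payload."""
    return hashlib.md5(decrypted_dll).hexdigest() == reply.expected_md5


# Constructed sample data (not real malware artifacts): pretend the AES CBC
# step already produced this plaintext "DLL" and the server reported its MD5.
SAMPLE_DLL = b"MZ" + b"\x00" * 62 + b"constructed-sample-dll"
SAMPLE_MD5 = hashlib.md5(SAMPLE_DLL).hexdigest()
SAMPLE_REPLY = b"<ciphertext bytes>|RunExport|" + SAMPLE_MD5.encode("ascii")


def demo() -> tuple:
    """Parse the constructed reply, then check an intact and a tampered DLL."""
    reply = parse_server_reply(SAMPLE_REPLY)
    intact = verify_decrypted_dll(SAMPLE_DLL, reply)
    tampered = verify_decrypted_dll(SAMPLE_DLL + b"x", reply)
    return reply.export_name, intact, tampered
```

A sandbox or emulator can reuse the same parser on captured replies to confirm whether a payload would have passed the sample's own check.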

Some ComeBacker variants are not statically linked against OpenSSL; in those cases the key exchange is dropped and HC-256 takes the place of AES CBC.


Source: Malpedia (Fraunhofer FKIE).