{
	"id": "8d0cd407-f380-46ae-9eac-556f222c649e",
	"created_at": "2026-04-06T00:15:33.880499Z",
	"updated_at": "2026-04-10T03:21:24.380116Z",
	"deleted_at": null,
	"sha1_hash": "dfe74345d54a2b3824bdf3eeb2dbb6660fa95271",
	"title": "COM Object hijacking: the discreet way of persistence",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 184398,
	"plain_text": "COM Object hijacking: the discreet way of persistence\r\nBy Paul Rascagneres\r\nPublished: 2016-11-25 · Archived: 2026-04-05 17:27:44 UTC\r\n10/30/2014\r\nReading time: 3 min (695 words)\r\nG DATA SecurityLabs experts discovered a new Remote Administration Tool, which we dubbed COMpfun. This RAT supports 32-bit and 64-bit Windows versions, up to the Windows 8 operating system. The features are rather common for today’s espionage tools: file management (download and upload), screenshot taking, keylogger functionality, code execution and more. It uses HTTPS and asymmetric encryption (RSA) to communicate with the command and control server. The big novelty is the persistence mechanism: the malware hijacks a legitimate COM object in order to be injected into the processes of the compromised system. It is remarkable that this hijacking does not need administrator rights. With this RAT, attackers could spy on an infected system for quite a long time, as this detection evasion and persistence mechanism is indeed pretty advanced!\r\nWhat is a COM object?\r\nCOM (Component Object Model) is described by Microsoft as a “platform-independent, distributed, object-oriented system for creating binary software components that can interact”. The purpose of this technology is to provide an interface that allows developers to control and manipulate objects of other applications. We already spoke about this technology in the IcoScript case. Each COM object is defined by a unique ID called a CLSID. For example, the CLSID to create an instance of Internet Explorer is {0002DF01-0000-0000-C000-000000000046}.\r\nCOM object hijacking analysis\r\nDuring the installation phase, the malware drops two files into the directory:\r\n%APPDATA%\\Roaming\\Microsoft\\Installer\\{BCDE0395-E52F-467C-8E3D-C4579291692E}\\\r\nThe file names are created using the following scheme: api-ms-win-downlevel-[4char-random]-l1-1-0._dl\r\nOne file is the 32-bit version of the malware and the second one is the 64-bit version.\r\nThe second step is the creation of two registry entries:\r\nHKCU\\Software\\Classes\\CLSID\\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7}\\InprocServer32\r\nHKCU\\Software\\Classes\\Wow6432Node\\CLSID\\{BCDE0395-E52F-467C-8E3D-C4579291692E}\\InprocServer32\r\nhttps://blog.gdatasoftware.com/2014/10/23941-com-object-hijacking-the-discreet-way-of-persistence\r\nPage 1 of 4\r\nFor each entry, the default value is the path to one of the files dropped before. In the following screenshot, the file containing rhwm is the 64-bit version of the malware and the file containing dtjb is the 32-bit version.\r\nThe purpose of the keys is to define COM objects with the CLSIDs {b5f8350b-0548-48b1-a6ee-88bd00b4a5e7} and {BCDE0395-E52F-467C-8E3D-C4579291692E}. If these objects are instantiated, the library will be loaded into the respective process. But these CLSIDs are predefined by Microsoft, and the newly created entries replace the originals, because the per-user hive HKCU\\Software\\Classes is consulted before the machine-wide HKLM\\Software\\Classes when a CLSID is resolved, which is also why no administrator rights are needed:\r\n{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7}: the CLSID of the class CAccPropServicesClass.\r\n{BCDE0395-E52F-467C-8E3D-C4579291692E}: the CLSID of the class MMDeviceEnumerator.\r\nThese two classes are used by a lot of applications, for example by the browser (by calling the CoCreateInstance() function). With Process Explorer, we are able to list the libraries loaded into a specific process. Here are the libraries loaded in a 32-bit process:\r\nThe following screenshot shows the libraries loaded in a 64-bit process:\r\nIn both cases, we can see our dropped library. The processes use the registry keys previously created to load the malicious library instead of the original Microsoft library.\r\nConclusion\r\nThis new persistence mechanism has several advantages for the attacker: he does not need to perform DLL injection, which is usually monitored by anti-virus software. Therefore, in most cases, he has bypassed one important security measure.\r\nOnce the infection has succeeded, Microsoft Windows natively executes the library in the processes of the infected user. Hence, the attacking process is hard to identify. Using COM hijacking is undoubtedly silent. It is not even detected by Sysinternals’ Autoruns.\r\nSo, in our case, we have seen this mechanism combined with a RAT, which means a hassle for any infected user, as the attackers can spy on him pretty secretly for quite some time. But, obviously, this new persistence mechanism is not limited to RATs. Attackers can combine it with any other type of malware, too!\r\nG DATA customers are protected: the latest scan engines detect the analyzed samples (see below). Furthermore, our behavior blocker technology identifies this threat and blocks it.\r\nIOC\r\nRegistry\r\nHKCU\\Software\\Classes\\CLSID\\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7}\\\r\nHKCU\\Software\\Classes\\Wow6432Node\\CLSID\\{BCDE0395-E52F-467C-8E3D-C4579291692E}\r\nFiles\r\n%APPDATA%\\Roaming\\Microsoft\\Installer\\{BCDE0395-E52F-467C-8E3D-C4579291692E}\\\r\nThe file names are created using the following scheme: api-ms-win-downlevel-[4char-random]-l1-1-0._dl\r\nMD5\r\n482a70b7f29361665c80089fbf49b41f (Trojan.Generic.11683196; Win32.Trojan.COMpfun.B)\r\n88fc61bcd28a9a0dc167bc78ba969fce (Trojan.Generic.11671459; Win32.Trojan.COMpfun.A)\r\n11f814e7fb9616f46c6e4b72e1cf39f6 (Gen:Trojan.Heur2.LP.dq8@aKnXWtic; Win32.Trojan.COMpfun.C)\r\n671d230ae8874bb89db7099d1c8945e0 (Win64.Trojan.COMpfun.C)\r\n----------------------------------\r\nSide note:\r\nYou are maybe wondering about the malware signature name containing “fun”. During our analysis, the [4char-random] value of the malware name was “pfun” and… yeah, we thought that this was ‘fun’ny, indeed ;-)\r\nSource: https://blog.gdatasoftware.com/2014/10/23941-com-object-hijacking-the-discreet-way-of-persistence",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://blog.gdatasoftware.com/2014/10/23941-com-object-hijacking-the-discreet-way-of-persistence"
	],
	"report_names": [
		"23941-com-object-hijacking-the-discreet-way-of-persistence"
	],
	"threat_actors": [],
	"ts_created_at": 1775434533,
	"ts_updated_at": 1775791284,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/dfe74345d54a2b3824bdf3eeb2dbb6660fa95271.pdf",
		"text": "https://archive.orkl.eu/dfe74345d54a2b3824bdf3eeb2dbb6660fa95271.txt",
		"img": "https://archive.orkl.eu/dfe74345d54a2b3824bdf3eeb2dbb6660fa95271.jpg"
	}
}