Comnie is a custom malware family that has been active since at least April 2013 and was first identified by Sophos. It is used in targeted attacks and is notable for its unusual method of obtaining command and control (C2) information from online blogs and third-party services. The malware infiltrates systems primarily through malicious macros delivered under varying file names and with varying decoy subject matter. The same malicious macros were observed delivering Comnie to targets in Taiwan as early as 2015.
The Comnie malware gained prominence through its targeted attacks on organizations in the East Asia region, particularly South Korea and Taiwan. These attacks have been closely monitored by Unit 42, who noted the use of a remote backdoor malware family named Comnie. Comparisons between the macro code extracted from the Comnie dropper and a financial institution's penetration test sample indicate that the attackers use sophisticated techniques. They leverage malicious macros to initially hide the decoy document, which is only revealed once the victim enables macros.
Comnie also exhibits advanced functionality, allowing the attacker to deliver and execute a batch script (BAT), an executable file (EXE), or a dynamic-link library (DLL). Early in execution, Comnie sends a set of requests and attempts to connect to an IP address on specified ports. Notably, Comnie uses GitHub to store its C2 information, showing how it abuses popular platforms for malicious purposes.
Description last updated: 2024-05-05T13:33:09.614Z