Posted on July 13, 2021 at 9:19 AM
Researchers from Trend Micro have discovered a new malware called BIOPASS, which abuses the Open Broadcaster Software (OBS) Studio to sniff the victim’s screen.
The malware was deployed in watering hole attacks and disguised as a genuine installer, deceiving users in the process. They sometimes disguise as Microsoft Silverlight installer or Adobe Flash Player installer.
The malware delivers popular RAT features
The researchers analyzed the loader and discovered that it loads either the new python backdoor or Cobalt Strike shellcode tracked by the researchers as BIOPASS RAT.
The malware delivers common RAT features such as shell command execution, file exfiltration, remote desktop access, and file system assessment.
The malware is also capable of stealing private information from instant messaging clients and web browsers from the victim’s device.
It makes use of the streaming capabilities of OBS studio’s Real-Time Messaging Protocol (RTMP) to record and send information on the user’s screen to the control panel of the threat actor.
OBS is a popular video recording and live streaming app with millions of users. Apart from using OBS, the attacker also exploited the object storage service (OSS) of Alibaba Cloud for the hosting of the BIOPASS RAT Python scripts. Also, it stores the stolen data from the victims, according to the reports from trend Micro, who linked the malware to the Chinese hacking syndicate known as the Winnti APT group.
Attack linked to the APT41 Threat group
The security team also noted that the binaries of the BIOPASS RAT loader were signed using two valid certificates exfiltrated from Taiwan and South Korean game studios.
The method, according to the researchers, was initially linked to cyber espionage campaigns carried out by the Winnti group.
It will fit into the group’s operational methods since APT41 is known to engage in such operations. Sometimes it engages in financially motivated attacks and sometimes engages in cyber espionage attacks, which is their regular operational method.
BIOPASS RAT is known to have basic features that are seen in other malware, as Trend Micro Researchers noted. It is also configured to compromise the victim’s private information, its instant messaging data client, as well as a web browser.
Apart from its wide range of capabilities, BIOPASS also can set up live streaming to a cloud service, with the attacker controlling the RTMP and communicating with the remote server through the Socket.IO protocol.
However, the malware is still under active development. This means it could be more potent when its full potentials are utilized. Already, it has been discovered stealing private data from instant messaging apps and web browsers mainly in mainland China.
Some of its exploitation mediums include WeChat QQ, 360 Safe Browser, Sogonu Explorer, 2345 Explorer, and QQ Browser.
The same Cobalt Strike has also been linked to a cyberattack on MonOass, a popular certification authority in Mongolia. The attack occurred earlier this year where the threat actors tampered with the installer in a bid to plant the Cobalt Strike beacon payloads in the infiltrated systems.
A sophisticated malware
The BIOPASS RAT has been termed a sophisticated type of malware because it was implemented in Python scripts.
The malware loader, according to the researchers, was planted as an executable file that camouflages as a genuine update installer on an infiltrated website. The security experts have also discovered a server-side modification of the Derusbi malware sample in the attack. According to Trend Micro, the variation is part of Winnti’s arsenal.
Another important feature of the malware is the capability of using scheduled tasks as a means of maintaining persistence in a compromised system.
As a result, the researchers have warned that users should not download apps from unknown sources to avoid becoming victims.