
BIOPASS malware abuses OBS Studio to spy on victims

July 12, 2021 - SecurityAffairs

Researchers spotted a new malware, dubbed BIOPASS, that sniffs the victim’s screen by abusing the framework of Open Broadcaster Software (OBS) Studio.

Researchers from Trend Micro spotted a new malware, dubbed BIOPASS, that sniffs the victim’s screen by abusing the framework of Open Broadcaster Software (OBS) Studio.

Threat actors behind the new malware planted malicious JavaScript code on the support chat pages of Chinese gambling-related sites to redirect visitors to pages offering the malicious installers.

The new piece of malware was employed in watering hole attacks aimed at online gambling companies in China: the attackers compromised the sites to serve a malware loader disguised as a legitimate installer for Adobe Flash Player or Microsoft Silverlight.

The analysis of the loader revealed that it loads either a Cobalt Strike shellcode or a new Python backdoor tracked by the experts as BIOPASS RAT.


BIOPASS RAT implements common RAT features, such as file system assessment, remote desktop access, file exfiltration, and shell command execution. The malware is also able to steal private information from web browsers and instant messaging clients installed on the victim’s device.

The malicious code leverages OBS Studio’s RTMP (Real-Time Messaging Protocol) streaming capabilities to record the user’s screen and broadcast it to an attacker-controlled panel.

“What makes BIOPASS RAT particularly interesting is that it can sniff its victim’s screen by abusing the framework of Open Broadcaster Software (OBS) Studio, a popular live streaming and video recording app, to establish live streaming to a cloud service via Real-Time Messaging Protocol (RTMP). In addition, the attack misuses the object storage service (OSS) of Alibaba Cloud (Aliyun) to host the BIOPASS RAT Python scripts as well as to store the exfiltrated data from victims,” reads the report published by Trend Micro.

According to Trend Micro, the BIOPASS RAT could be linked to the Chinese Winnti APT group (aka APT41).

Experts noticed that multiple BIOPASS RAT loader binaries were signed with two valid certificates likely stolen from game studios from South Korea and Taiwan, a tactic that was previously associated with cyberespionage campaigns conducted by the Winnti Group to sign its malware.

This would fit the group’s modus operandi, since APT41 has been known to engage in cyber-espionage operations during its regular work hours and then carry out financially motivated attacks against online gaming companies across Southeast Asia for personal profit. Experts also spotted a server-side variant of the Derusbi malware, which is part of Winnti’s arsenal, that was signed with one of the stolen certificates.

Experts also found an interesting Cobalt Strike loader whose PDB string points to the C&C server mentioned in a recent report on a campaign attributed to the Winnti Group.

“BIOPASS RAT is a sophisticated type of malware that is implemented as Python scripts. It possesses many features, such as the ability to use scheduled tasks as a method of maintaining persistence in the infected system. The malware abuses publicly available tools and cloud services for its malicious behavior,” concludes the report published by Trend Micro, which includes the Indicators of Compromise (IoCs). “Notably, a large number of features were implemented to target and steal the private data of popular web browsers and instant messengers that are primarily used in Mainland China.”
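As an added defender-side illustration (not code from the Trend Micro report or from SecurityAffairs), the following Python turns two behaviours described above, OBS RTMP streaming from a binary outside the genuine install directory and scheduled-task persistence that runs Python scripts from a user-writable path, into hunting rules over constructed process, network and task-creation telemetry. The event schema, the OBS install path, and every path, IP and task name in the sample are assumptions, not indicators from the report.

```python
import re
from typing import Iterable

RTMP_PORT = 1935                                   # default RTMP port OBS streams over
LEGIT_OBS_DIR = "c:\\program files\\obs-studio\\"  # assumed genuine OBS Studio install dir
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\")
# interpreter name followed somewhere by a .py script argument
PY_ACTION = re.compile(r"python(?:w)?(?:\d+)?(?:\.exe)?\b.*\.py\b", re.I)

def _user_writable(path: str) -> bool:
    return any(m in path.lower() for m in USER_WRITABLE)

def hunt_biopass(events: Iterable[dict]) -> list[str]:
    """Return one alert string per event that matches a BIOPASS-like behaviour."""
    alerts, procs = [], {}
    for ev in events:
        if ev["type"] == "process":
            procs[ev["pid"]] = ev                  # remember image path per pid
        elif ev["type"] == "network" and ev["dst_port"] == RTMP_PORT:
            image = procs.get(ev["pid"], {}).get("image", "").lower()
            exe = image.rsplit("\\", 1)[-1]
            # Rule 1: an OBS binary streaming RTMP from outside the real install dir,
            # as when the OBS framework is bundled with the RAT in a user profile
            if exe.startswith("obs") and not image.startswith(LEGIT_OBS_DIR):
                alerts.append(f"rtmp-from-rogue-obs pid={ev['pid']} image={image} dst={ev['dst_ip']}")
        elif ev["type"] == "task_create":
            # Rule 2: scheduled-task persistence whose action runs a .py script
            # with an interpreter that lives in a user-writable directory
            action = ev["action"]
            if PY_ACTION.search(action) and _user_writable(action):
                alerts.append(f"python-task-persistence task={ev['task']} action={action}")
    return alerts

# Constructed sample telemetry; paths, IPs and task names are invented, not report IoCs
EVENTS = [
    {"type": "process", "pid": 4100, "image": r"C:\Users\u\AppData\Roaming\oblib\obs64.exe"},
    {"type": "process", "pid": 4200, "image": r"C:\Program Files\obs-studio\bin\64bit\obs64.exe"},
    {"type": "network", "pid": 4100, "dst_ip": "203.0.113.10", "dst_port": 1935},
    {"type": "network", "pid": 4200, "dst_ip": "198.51.100.7", "dst_port": 1935},
    {"type": "task_create", "task": "UpdateTask",
     "action": r"C:\Users\u\AppData\Roaming\py\python.exe C:\Users\u\AppData\Roaming\py\main.py"},
    {"type": "task_create", "task": "GoogleUpdateTask",
     "action": r"C:\Program Files\Google\Update\GoogleUpdate.exe /ua"},
]

if __name__ == "__main__":
    for alert in hunt_biopass(EVENTS):
        print(alert)
```

Only the OBS copy running under the user profile and the Python-backed task are flagged; the genuine OBS stream and the vendor updater task pass.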


Pierluigi Paganini

(SecurityAffairs – hacking, APT41)


Pierluigi Paganini

Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and of the Cyber G7 Group; he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at “Cyber Defense Magazine”, Pierluigi is a cyber security expert with over 20 years’ experience in the field and is a Certified Ethical Hacker at EC-Council in London. A passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog “Security Affairs”, recently named a Top National Security Resource for the US. Pierluigi is a member of “The Hacker News” team and writes for major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and many other security magazines. He is the author of the books “The Deep Dark Web” and “Digital Virtual Currency and Bitcoin”.