Researchers from Trend Micro have identified new malware dubbed “BIOPASS” that targets Chinese online gambling sites through a watering-hole attack and spies on victims’ screens by abusing the Open Broadcaster Software (OBS) live-streaming application.

The threat actors behind this campaign appear to have planted a malicious JavaScript file in the support chat box of the gambling sites; it redirects visitors to download the malicious payload, disguised as an Adobe Flash Player or Microsoft Silverlight installer.

“Closer examination of the loader shows that it loads either a Cobalt Strike shellcode or a previously undocumented backdoor written in Python, a new type of malware that we found to be named BIOPASS RAT (remote access trojan).”

Source: Trend Micro

“BIOPASS RAT possesses basic features found in other malware, such as file system assessment, remote desktop access, file exfiltration, and shell command execution. It also has the ability to compromise the private information of its victims by stealing web browser and instant messaging client data.” reads the blog post by Trend Micro.

The researchers also noticed that the BIOPASS loader binaries were signed with two valid code-signing certificates that may have been stolen from organizations in South Korea and Taiwan. Based on this and other behavior, they assess that the malware is linked to APT41 (the Chinese Winnti group).

Certificate Thumbprint (SHA-1)                Valid From                   Valid To
EFB70718BC00393A01694F255A28E30E9D2142A4      12:00 a.m., Jan. 2, 2019     11:59 p.m., Mar. 2, 2021
8CE020AA874902C532B9911A4DCA8EFFA627DC80      12:00 a.m., Sept. 6, 2018    11:59 p.m., Oct. 5, 2021

Source: Trend Micro
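Because the loader is a signed Windows executable, the quickest practical check is to compare the Authenticode signer certificate of suspect binaries against the two thumbprints listed above. The script below is an added example written for this article, not code from Cyberworkx or Trend Micro; it assumes a scan root of C:\Users (adjust as needed) and relies only on the built-in Get-AuthenticodeSignature and Get-FileHash cmdlets.

```powershell
# Added example: hunt a directory tree for PE files whose Authenticode signer
# certificate matches the two thumbprints Trend Micro attributes to the BIOPASS loader.
# The thumbprint is the SHA-1 hash of the DER-encoded certificate, which is exactly
# what Windows exposes as X509Certificate2.Thumbprint (uppercase hex, no separators).

$BadThumbprints = @(
    'EFB70718BC00393A01694F255A28E30E9D2142A4',
    '8CE020AA874902C532B9911A4DCA8EFFA627DC80'
)

# Assumption: downloaded "update installers" usually land under user profiles.
$ScanRoot = 'C:\Users'

Get-ChildItem -Path $ScanRoot -Recurse -Include *.exe, *.dll -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName

        # SignerCertificate is $null for unsigned files, so guard before comparing.
        if ($sig.SignerCertificate -and
            ($BadThumbprints -contains $sig.SignerCertificate.Thumbprint)) {

            [pscustomobject]@{
                Path       = $_.FullName
                Thumbprint = $sig.SignerCertificate.Thumbprint
                Subject    = $sig.SignerCertificate.Subject
                # A stolen-but-not-yet-revoked certificate still yields 'Valid',
                # so do not treat a good status as a clean bill of health.
                Status     = $sig.Status
                # Record the file hash so the hit can be cross-referenced with IOC lists.
                SHA256     = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        }
    } | Format-Table -AutoSize
```

Two caveats when using this: the match is on the signing certificate, not on the file, so any binary signed with those certificates (including legitimate software from the original owners) will be reported and needs triage; and a signature status of Valid only means the chain built at scan time, which says nothing about whether the certificate was used by its rightful owner.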

“Given that the malware loader was delivered as an executable disguised as a legitimate update installer on a compromised website, we advise users to be careful with regard to the applications that they download. As much as possible, it is recommended to download apps only from trusted sources and official websites to avoid being compromised by attacks such as the one discussed here,” concludes the report.

Cyberworkx readers can find the IOCs at this link.

For more cybersecurity news in crisp form, follow us on Twitter at @cyberworkx1.
