Researchers from Trend Micro have identified new malware dubbed “BIOPASS” that targets Chinese gambling sites via a watering hole attack and spies on victims' screens by abusing the Open Broadcaster Software (OBS) live-streaming app.
The threat actors behind this campaign appear to have planted a malicious JavaScript file in the support chat box of the gambling sites; it redirects users to download the malicious payload disguised as Adobe Flash Player or Microsoft Silverlight.
“Closer examination of the loader shows that it loads either a Cobalt Strike shellcode or a previously undocumented backdoor written in Python, a new type of malware that we found to be named BIOPASS RAT (remote access trojan).”
“BIOPASS RAT possesses basic features found in other malware, such as file system assessment, remote desktop access, file exfiltration, and shell command execution. It also has the ability to compromise the private information of its victims by stealing web browser and instant messaging client data.” reads the blog post by Trend Micro.
The researchers also noticed that the BIOPASS loader binaries were signed with two valid code-signing certificates that might have been stolen from entities in South Korea and Taiwan; they believe the malware's behavior links it to APT41 (the Chinese Winnti APT).
| Certificate Thumbprint | Valid From | Valid To |
|---|---|---|
| EFB70718BC00393A01694F255A28E30E9D2142A4 | 12:00 a.m., Jan. 2, 2019 | 11:59 p.m., Mar. 2, 2021 |
| 8CE020AA874902C532B9911A4DCA8EFFA627DC80 | 12:00 a.m., Sept. 6, 2018 | 11:59 p.m., Oct. 5, 2021 |
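Because a stolen certificate still produces a signature that Windows reports as valid, the thumbprints above are the useful hunting handle. The following script is an added example (not from the Trend Micro report or from Cyberworkx) that walks a folder and flags executables whose Authenticode signer matches either thumbprint; the scan path is an assumed example location.

```powershell
# Hunting script (added example): flag files signed by the two certificate
# thumbprints listed in the table above. Assumes a Windows host with the
# built-in Get-AuthenticodeSignature and Get-FileHash cmdlets.
$KnownAbusedThumbprints = @(
    'EFB70718BC00393A01694F255A28E30E9D2142A4',
    '8CE020AA874902C532B9911A4DCA8EFFA627DC80'
)

function Find-AbusedSigner {
    param(
        [Parameter(Mandatory)] [string]   $Path,
        [string[]] $Thumbprints = $KnownAbusedThumbprints
    )
    Get-ChildItem -Path $Path -Recurse -Include *.exe, *.dll -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
            $cert = $sig.SignerCertificate
            if ($null -eq $cert) { return }          # unsigned file: nothing to compare
            $tp = $cert.Thumbprint.ToUpperInvariant()
            if ($Thumbprints -contains $tp) {
                [pscustomobject]@{
                    File       = $_.FullName
                    Thumbprint = $tp
                    Subject    = $cert.Subject
                    # 'Valid' here means the chain still verifies; that is exactly
                    # why a stolen, unrevoked certificate is dangerous.
                    SigStatus  = $sig.Status
                    NotAfter   = $cert.NotAfter
                    # SHA-256 of the file, for comparison against published IOCs.
                    Sha256     = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                }
            }
        }
}

# Example usage: scan the current user's Downloads folder (assumed location).
Find-AbusedSigner -Path "$env:USERPROFILE\Downloads" | Format-Table -AutoSize
```

A thumbprint match is a strong lead rather than proof on its own, since the same certificates may have signed legitimate software before they were stolen; compare the reported SHA-256 against the published IOCs before acting on a hit.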
“Given that the malware loader was delivered as an executable disguised as a legitimate update installer on a compromised website, we advise users to be careful with regard to the applications that they download. As much as possible, it is recommended to download apps only from trusted sources and official websites to avoid being compromised by attacks such as the one discussed here,” concludes the report.
Cyberworkx readers can incorporate the IOCs from this link.
For more cyber security news in crisp content, please follow our site via the Twitter handle @cyberworkx1.