13 July 21, 13:01
Quote:Online gambling companies in China are being targeted by a new remote access trojan (RAT) which, in addition to its predictable features — like file assessment and exfiltration — takes the novel approach of using live streaming to spy on the screens of its victims.
The malware was identified by a team of threat researchers at Trend Micro, and named BIOPASS RAT.
“What makes BIOPASS RAT particularly interesting is that it can sniff its victim’s screen by abusing the framework of Open Broadcaster Software (OBS) Studio, a popular live streaming and video recording app, to establish live streaming to a cloud service via real-time messaging protocol (RTMP),” the Trend Micro team reported. “In addition, the attack misuses the object storage service (OSS) of Alibaba Cloud (Aliyun) to host the BIOPASS RAT Python scripts as well as to store the exfiltrated data from victims.”
Researchers said the watering-hole attack typically pops us and looks like a benign support chat window. Once installation begins, the malware checks to see whether the victim is already infected with BIOPASS RAT, the report explained. If so, it stops. If not, the researchers observed, the script will start displaying the fraudulent content on the victim’s screen, which tells the user they need to install either Flash of Silverlight, the Trend Micro team added, directing them to a malicious loader.
Once a new login is created, the malware creates and runs various scheduled tasks which can load Cobalt Strike or a BPS backdoor, the report explained. The task labeled “big.txt” delivers the main BIOPASS RAT functionality, which the Trend Micro team added is compiled with Nuitka, PyArmor and PyInstaller.
Read more: BIOPASS RAT Uses Live Streaming Steal Victims' Data | Threatpost