Researchers uncovered a new malware named BIOPASS RAT that targets the gambling companies in china using water hole attacks to exfiltrate the data and gain remote access to the system by executing the shell commands.
A watering hole attack is a type of cyberattack that targets groups of users by infecting websites that they commonly visit also redirecting the victims via phishing emails and spam email campaigns.
Attack tricks users to download the initial stage of malware loader through a legitimate installer that posed as a well-known app such as Adobe Flash Player or Microsoft Silverlight.
BIOPASS RAT loads 2 different modules, either Cobalt Strike shellcode or a previously undocumented backdoor, and the ability to steal the web-browser data or IM client data.
Interesting functionality of the malware is that having the ability to sniff its victim’s screen by abusing the framework of Open Broadcaster Software (OBS) which is a popular live stream and video recorded app.
Researchers from Trend Micro suspect that the BIOPASS RAT malware might be connected with the Winnti Group (also known as APT41) and the attacker misuses the object storage service (OSS) of Alibaba Cloud to host the BIOPASS RAT Python scripts as well as to store the exfiltrated data from victims..
BIOPASS RAT Infection Process
Since the attackers use a Water Hole Attack model, BIOPASS RAT initially compromised the gambling websites and infects their system using malicious scrip to deliver the malware info to the victim’s machine.
Once the malicious script has been successfully executed, the script will establish the HTTP request to find the infected hosts and ensure that the hosts are already infected.
If the malware found the visitors are not infected, they will replace the attacker’s content that shows as an error message and trick users to download either a Flash installer or a Silverlight installer with the instruction.
Malicious files are hosted on Alibaba Cloud OSS that is controlled by the attackers, also the malware implements the multiple commands that are used for the entire infection operations to process the attack step by step of the following:-
- Decompress_File – Extracts files from a specified ZIP archive
- Download_File- Downloads a URL and saves the file to a specified location
- Upload_File – Uploads the victim’s files to cloud storage
- uUninstall- Kills the BIOPASS RAT process and deletes installed files.
- KillProcess – Kills the process specified by PID with the TASKKILL command
- ScreenShot – Takes a screenshot and uploads it to cloud storage
- PackingTelegram – Compresses and uploads Telegram’s “tdata” directory to cloud storage
- GetBrowsersHistories – Uploads the history file of the browser to cloud storage+
Attackers also targeting several browsers including Google Chrome, Microsoft Edge Beta, 360 Chrome, QQ Browser, 2345 Explorer, Sogou Explorer, and 360 Safe Browser.
“The malware loader was delivered as an executable disguised as a legitimate update installer on a compromised website, we advise users to be careful with regard to the applications that they download. As much as possible, it is recommended to download apps only from trusted sources and official websites to avoid being compromised”.
You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity and hacking news updates.
%20(1).webp "OpenStack Nova Vulnerability Allows Hackers Gain Unauthorized Access to Cloud Servers"){kind=small}
