Researchers discovered a new attack campaign targeting online gambling companies in China with one of two malware payloads. In one scenario detected by Trend Micro, the campaign dropped a previously undocumented backdoor written in Python. The security firm dubbed this threat ‘BIOPASS RAT’ (for remote access Trojan). In addition, they discovered it was spread in conjunction with the Cobalt Strike malware. Read on to learn about a unique attempt that BIOPASS uses to sniff a victim’s screen.

The Novel Features of BIOPASS

The campaign begins with a watering hole attack, where attackers compromise a website by placing an injection script into a target’s online chat support page. From there, they could load either the BIOPASS RAT or Cobalt Strike.

First, the injection script scans for signs of existing infection. Next, it replaces the real page’s content with a page that displays an error message. This message instructs them to download an updated version of either Adobe Flash Player or Microsoft Silverlight. Both programs are already deprecated.

Each installer downloads the real application. However, it also creates scheduled tasks for the purpose of infecting the machine with BIOPASS RAT malware.

Trend Micro found that the threat arrived with file exfiltration, remote desktop access and other functions common among malware strains.

The threat also deployed with a few unique traits. BIOPASS can misuse Open Broadcaster Software (OBS) Studio, a live streaming and video recording app, to establish a live streaming session to a cloud service. This technique enabled the attackers to sniff the screens of their victims. (A sniffing attack steals or intercepts data by accessing network traffic using a packet sniffer.)

This threat also used the object storage service of the Alibaba Cloud to host Python scripts and store the stolen data.

The Campaign’s Other (Common) Malware Payload

Whenever the campaign didn’t load BIOPASS RAT, it called forth a shellcode for the Cobalt Strike malware.

Cobalt Strike attack software might sound familiar. Back in December 2020, for instance, a new malware threat used Word macros to download a PowerShell script from GitHub. That script then downloaded a legitimate image file from Imgur as a means of decoding a Cobalt Strike script on Windows systems.

In April 2021, various Hancitor malware campaigns used Cobalt Strike, along with a network ping tool, to enumerate the network of the infected host. Other attackers targeted users with Cobalt Strike using a fake software update this year.

How to Defend Against BIOPASS and Cobalt Strike

The campaign involving BIOPASS and Cobalt Strike began with a social engineering tactic that attempted to trick website visitors into installing a loader for deprecated software. This technique highlights the need for organizations to heighten their users’ awareness of similar attacks. They can do that by using threat intelligence to keep their security awareness programs up to date. They can also individualize their training modules to take the security requirements facing different employees and departments into account.