September 16, 2021 By David Bisson 2 min read

Researchers discovered a new attack campaign targeting online gambling companies in China with one of two malware payloads. In one scenario detected by Trend Micro, the campaign dropped a previously undocumented backdoor written in Python. The security firm dubbed this threat ‘BIOPASS RAT’ (for remote access Trojan). In addition, they discovered it was spread in conjunction with the Cobalt Strike malware. Read on to learn about a unique attempt that BIOPASS uses to sniff a victim’s screen.

The Novel Features of BIOPASS

The campaign begins with a watering hole attack, where attackers compromise a website by placing an injection script into a target’s online chat support page. From there, they could load either the BIOPASS RAT or Cobalt Strike.

First, the injection script scans for signs of existing infection. Next, it replaces the real page’s content with a page that displays an error message. This message instructs them to download an updated version of either Adobe Flash Player or Microsoft Silverlight. Both programs are already deprecated.

Each installer downloads the real application. However, it also creates scheduled tasks for the purpose of infecting the machine with BIOPASS RAT malware.

Trend Micro found that the threat arrived with file exfiltration, remote desktop access and other functions common among malware strains.

The threat also deployed with a few unique traits. BIOPASS can misuse Open Broadcaster Software (OBS) Studio, a live streaming and video recording app, to establish a live streaming session to a cloud service. This technique enabled the attackers to sniff the screens of their victims. (A sniffing attack steals or intercepts data by accessing network traffic using a packet sniffer.)

This threat also used the object storage service of the Alibaba Cloud to host Python scripts and store the stolen data.

The Campaign’s Other (Common) Malware Payload

Whenever the campaign didn’t load BIOPASS RAT, it called forth a shellcode for the Cobalt Strike malware.

Cobalt Strike attack software might sound familiar. Back in December 2020, for instance, a new malware threat used Word macros to download a PowerShell script from GitHub. That script then downloaded a legitimate image file from Imgur as a means of decoding a Cobalt Strike script on Windows systems.

In April 2021, various Hancitor malware campaigns used Cobalt Strike, along with a network ping tool, to enumerate the network of the infected host. Other attackers targeted users with Cobalt Strike using a fake software update this year.

How to Defend Against BIOPASS and Cobalt Strike

The campaign involving BIOPASS and Cobalt Strike began with a social engineering tactic that attempted to trick website visitors into installing a loader for deprecated software. This technique highlights the need for organizations to heighten their users’ awareness of similar attacks. They can do that by using threat intelligence to keep their security awareness programs up to date. They can also individualize their training modules to take the security requirements facing different employees and departments into account.

More from News

Research finds 56% increase in active ransomware groups

4 min read - Any good news is welcomed when evaluating cyber crime trends year-over-year. Over the last two years, IBM’s Threat Index Reports have provided some minor reprieve in this area by showing a gradual decline in the prevalence of ransomware attacks — now accounting for only 17% of all cybersecurity incidents compared to 21% in 2021. Unfortunately, it’s too early to know if this trendline will continue. A recent report released by Searchlight Cyber shows that there has been a 56% increase in…

Cyberattack on American Water: A warning to critical infrastructure

3 min read - American Water, the largest publicly traded United States water and wastewater utility, recently experienced a cybersecurity incident that forced the company to disconnect key systems, including its customer billing platform. As the company’s investigation continues, there are growing concerns about the vulnerabilities that persist in the water sector, which has increasingly become a target for cyberattacks. The breach is a stark reminder of the critical infrastructure risks that have long plagued the industry. While the water utility has confirmed that…

CISA and FBI release secure by design alert on cross-site scripting 

3 min read - CISA and the FBI are increasingly focusing on proactive cybersecurity and cyber resilience measures. Conjointly, the agencies recently released a new Secure by Design alert aimed at eliminating cross-site Scripting (XSS) vulnerabilities, which have long been exploited to compromise both data and user trust. Cross-site scripting vulnerabilities occur when a web application improperly handles user input, allowing attackers to inject malicious scripts into web pages that are then executed by unsuspecting users. These vulnerabilities are dangerous because they don't attack…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today