September 16, 2021 By David Bisson 2 min read

Researchers discovered a new attack campaign targeting online gambling companies in China with one of two malware payloads. In one scenario detected by Trend Micro, the campaign dropped a previously undocumented backdoor written in Python. The security firm dubbed this threat ‘BIOPASS RAT’ (for remote access Trojan). In addition, they discovered it was spread in conjunction with the Cobalt Strike malware. Read on to learn about a unique attempt that BIOPASS uses to sniff a victim’s screen.

The Novel Features of BIOPASS

The campaign begins with a watering hole attack, where attackers compromise a website by placing an injection script into a target’s online chat support page. From there, they could load either the BIOPASS RAT or Cobalt Strike.

First, the injection script scans for signs of existing infection. Next, it replaces the real page’s content with a page that displays an error message. This message instructs them to download an updated version of either Adobe Flash Player or Microsoft Silverlight. Both programs are already deprecated.

Each installer downloads the real application. However, it also creates scheduled tasks for the purpose of infecting the machine with BIOPASS RAT malware.

Trend Micro found that the threat arrived with file exfiltration, remote desktop access and other functions common among malware strains.

The threat also deployed with a few unique traits. BIOPASS can misuse Open Broadcaster Software (OBS) Studio, a live streaming and video recording app, to establish a live streaming session to a cloud service. This technique enabled the attackers to sniff the screens of their victims. (A sniffing attack steals or intercepts data by accessing network traffic using a packet sniffer.)

This threat also used the object storage service of the Alibaba Cloud to host Python scripts and store the stolen data.

The Campaign’s Other (Common) Malware Payload

Whenever the campaign didn’t load BIOPASS RAT, it called forth a shellcode for the Cobalt Strike malware.

Cobalt Strike attack software might sound familiar. Back in December 2020, for instance, a new malware threat used Word macros to download a PowerShell script from GitHub. That script then downloaded a legitimate image file from Imgur as a means of decoding a Cobalt Strike script on Windows systems.

In April 2021, various Hancitor malware campaigns used Cobalt Strike, along with a network ping tool, to enumerate the network of the infected host. Other attackers targeted users with Cobalt Strike using a fake software update this year.

How to Defend Against BIOPASS and Cobalt Strike

The campaign involving BIOPASS and Cobalt Strike began with a social engineering tactic that attempted to trick website visitors into installing a loader for deprecated software. This technique highlights the need for organizations to heighten their users’ awareness of similar attacks. They can do that by using threat intelligence to keep their security awareness programs up to date. They can also individualize their training modules to take the security requirements facing different employees and departments into account.

More from News

Cyberattack on American Water: A warning to critical infrastructure

3 min read - American Water, the largest publicly traded United States water and wastewater utility, recently experienced a cybersecurity incident that forced the company to disconnect key systems, including its customer billing platform. As the company’s investigation continues, there are growing concerns about the vulnerabilities that persist in the water sector, which has increasingly become a target for cyberattacks. The breach is a stark reminder of the critical infrastructure risks that have long plagued the industry. While the water utility has confirmed that…

CISA and FBI release secure by design alert on cross-site scripting 

3 min read - CISA and the FBI are increasingly focusing on proactive cybersecurity and cyber resilience measures. Conjointly, the agencies recently released a new Secure by Design alert aimed at eliminating cross-site Scripting (XSS) vulnerabilities, which have long been exploited to compromise both data and user trust. Cross-site scripting vulnerabilities occur when a web application improperly handles user input, allowing attackers to inject malicious scripts into web pages that are then executed by unsuspecting users. These vulnerabilities are dangerous because they don't attack…

Has BlackCat returned as Cicada3301? Maybe.

4 min read - In 2022, BlackCat ransomware (also known as ALPHV) was among the top malware types tracked by IBM X-Force. The following year, the threat actor group added new tools and tactics to enhance BlackCat's impact. The effort paid off — literally. In March 2024, BlackCat successfully compromised Change Healthcare and received a ransom payment of $22 million in Bitcoin. But here's where things get weird: Immediately after taking payment, BlackCat closed its doors, citing "the feds" as the reason for the…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today