Researchers discovered a new attack campaign targeting online gambling companies in China with one of two malware payloads. In one scenario detected by Trend Micro, the campaign dropped a previously undocumented backdoor written in Python. The security firm dubbed this threat ‘BIOPASS RAT’ (for remote access Trojan). In addition, they discovered it was spread in conjunction with the Cobalt Strike malware. Read on to learn about a unique attempt that BIOPASS uses to sniff a victim’s screen.

The Novel Features of BIOPASS

The campaign begins with a watering hole attack, where attackers compromise a website by placing an injection script into a target’s online chat support page. From there, they could load either the BIOPASS RAT or Cobalt Strike.

First, the injection script scans for signs of existing infection. Next, it replaces the real page’s content with a page that displays an error message. This message instructs them to download an updated version of either Adobe Flash Player or Microsoft Silverlight. Both programs are already deprecated.

Each installer downloads the real application. However, it also creates scheduled tasks for the purpose of infecting the machine with BIOPASS RAT malware.

Trend Micro found that the threat arrived with file exfiltration, remote desktop access and other functions common among malware strains.

The threat also deployed with a few unique traits. BIOPASS can misuse Open Broadcaster Software (OBS) Studio, a live streaming and video recording app, to establish a live streaming session to a cloud service. This technique enabled the attackers to sniff the screens of their victims. (A sniffing attack steals or intercepts data by accessing network traffic using a packet sniffer.)

This threat also used the object storage service of the Alibaba Cloud to host Python scripts and store the stolen data.

The Campaign’s Other (Common) Malware Payload

Whenever the campaign didn’t load BIOPASS RAT, it called forth a shellcode for the Cobalt Strike malware.

Cobalt Strike attack software might sound familiar. Back in December 2020, for instance, a new malware threat used Word macros to download a PowerShell script from GitHub. That script then downloaded a legitimate image file from Imgur as a means of decoding a Cobalt Strike script on Windows systems.

In April 2021, various Hancitor malware campaigns used Cobalt Strike, along with a network ping tool, to enumerate the network of the infected host. Other attackers targeted users with Cobalt Strike using a fake software update this year.

How to Defend Against BIOPASS and Cobalt Strike

The campaign involving BIOPASS and Cobalt Strike began with a social engineering tactic that attempted to trick website visitors into installing a loader for deprecated software. This technique highlights the need for organizations to heighten their users’ awareness of similar attacks. They can do that by using threat intelligence to keep their security awareness programs up to date. They can also individualize their training modules to take the security requirements facing different employees and departments into account.

More from News

Hackers are Increasingly Targeting Auto Dealers

Auto dealerships are increasingly concerned with cybersecurity in the face of new regulations and an alarming rise in cyberattacks. The Second Annual Global State of Cybersecurity Report by CDK Global found that 85% of dealerships say cybersecurity is very or extremely important relative to other operational areas. Additionally, 89% say cybersecurity is more important than last year, a 12% increase. Not surprisingly, only 37% of auto retailers are confident in the current protection, which is a 21% decrease from 2021.…

LastPass Breaches Cast Doubt on Password Manager Safety

In 2022, LastPass suffered a string of security breaches which sparked concern among cyber professionals and those impacted by the intrusions. Some called into question the way LastPass handled and responded to the incident. In addition, the situation ignited a wider conversation about the risks linked to utilizing password managers. A password manager helps users generate strong passwords and safeguards them within a digital locker. A master password secures all data, which enables users to conveniently access all their passwords…

Good Guys Decrypt Ransomware Targeting Charitable Groups

Imagine you’re an IT manager amid a ransomware attack. While your team scrambles for solutions, the intruders demand a ransom. Of course, you don’t want to pay; you just want your files back. But as time ticks by and the extortionists turn up the heat, your bosses are about to give in and pay the ransom. But then, the FBI calls. “Don’t pay,” the agent says. “We’ve found someone who can crack the encryption.” Sound too good to be true?…

Threat Groups Offer $240k Salary to Tech Jobseekers

Dark web forums are home to various individuals interested in conducting illicit or questionable activities. These forums offer opportunities such as the transaction of stolen data, Malware-as-a-Service, hacking services and invitations to collaborate in hacktivism. Cyber crime team members are recruited directly from the source: the dark web. What does this activity look like? Kaspersky recently conducted an analysis of 155 dark web forums from January 2020 to June 2022. They examined job postings and resumes that contained information about…