September 16, 2021 By David Bisson 2 min read

Researchers discovered a new attack campaign targeting online gambling companies in China with one of two malware payloads. In one scenario detected by Trend Micro, the campaign dropped a previously undocumented backdoor written in Python. The security firm dubbed this threat ‘BIOPASS RAT’ (for remote access Trojan). In addition, they discovered it was spread in conjunction with the Cobalt Strike malware. Read on to learn about a unique attempt that BIOPASS uses to sniff a victim’s screen.

The Novel Features of BIOPASS

The campaign begins with a watering hole attack, where attackers compromise a website by placing an injection script into a target’s online chat support page. From there, they could load either the BIOPASS RAT or Cobalt Strike.

First, the injection script scans for signs of existing infection. Next, it replaces the real page’s content with a page that displays an error message. This message instructs them to download an updated version of either Adobe Flash Player or Microsoft Silverlight. Both programs are already deprecated.

Each installer downloads the real application. However, it also creates scheduled tasks for the purpose of infecting the machine with BIOPASS RAT malware.

Trend Micro found that the threat arrived with file exfiltration, remote desktop access and other functions common among malware strains.

The threat also deployed with a few unique traits. BIOPASS can misuse Open Broadcaster Software (OBS) Studio, a live streaming and video recording app, to establish a live streaming session to a cloud service. This technique enabled the attackers to sniff the screens of their victims. (A sniffing attack steals or intercepts data by accessing network traffic using a packet sniffer.)

This threat also used the object storage service of the Alibaba Cloud to host Python scripts and store the stolen data.

The Campaign’s Other (Common) Malware Payload

Whenever the campaign didn’t load BIOPASS RAT, it called forth a shellcode for the Cobalt Strike malware.

Cobalt Strike attack software might sound familiar. Back in December 2020, for instance, a new malware threat used Word macros to download a PowerShell script from GitHub. That script then downloaded a legitimate image file from Imgur as a means of decoding a Cobalt Strike script on Windows systems.

In April 2021, various Hancitor malware campaigns used Cobalt Strike, along with a network ping tool, to enumerate the network of the infected host. Other attackers targeted users with Cobalt Strike using a fake software update this year.

How to Defend Against BIOPASS and Cobalt Strike

The campaign involving BIOPASS and Cobalt Strike began with a social engineering tactic that attempted to trick website visitors into installing a loader for deprecated software. This technique highlights the need for organizations to heighten their users’ awareness of similar attacks. They can do that by using threat intelligence to keep their security awareness programs up to date. They can also individualize their training modules to take the security requirements facing different employees and departments into account.

More from News

CISA releases landmark cyber incident reporting proposal

2 min read - Due to ongoing cyberattacks and threats, critical infrastructure organizations have been on high alert. Now, the Cybersecurity and Infrastructure Security Agency (CISA) has introduced a draft of landmark regulation outlining how organizations will be required to report cyber incidents to the federal government. The 447-page Notice of Proposed Rulemaking (NPRM) has been released and is open for public feedback through the Federal Register. CISA was required to develop this report by the Cyber Incident Reporting for Critical Infrastructure Act of…

Recent developments and updates in Biden cyber policy

3 min read - The White House recently released its budget for the 2025 fiscal year, which supports the government’s commitment to cybersecurity. The cybersecurity funding allocations line up with the FY 2025 cybersecurity spending priorities released last year that included the following pillars: Defend critical infrastructure Disrupt and dismantle threat actors Shape market forces to drive security and resilience Invest in a resilient future Forge international partnerships to pursue shared goals. In 2023, the White House released a 35-page document detailing the new…

Change Healthcare cyberattack causes dire billing crisis

3 min read - Last month’s cyberattack on Change Healthcare, a sizable unit of UnitedHealth Group, brought new repercussions rarely seen in a cyberattack. As a result of the threat actor’s actions, healthcare systems and providers suffered cash flow issues, which resulted in providers being unable to pay their rent, owners dipping into their personal savings and patients being prevented from receiving important medications. Most importantly, patients are unable to get insurance approval for procedures, surgeries and prescriptions, which can affect their health outcomes.…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today