Cyber security researchers warn of new malware hitting online gaming companies in China via a watering hole attack that deploys either Cobalt Strike beacons or a previously undocumented Python-based backdoor called BIOPASS RAT, which abuses Open Broadcaster Software (OBS) Studio's live streaming capability to stream its victims' screens to the attackers.
The attack consists of deceiving visitors of the gaming website into downloading a malware loader disguised as a legitimate installer for popular but outdated applications such as Adobe Flash Player or Microsoft Silverlight, with the loader then serving only as a channel to retrieve the next-stage payloads.
“BIOPASS RAT has basic functionality found in other malware, such as file system evaluation, remote desktop access, file exfiltration, and execution of shell commands,” noted Trend Micro researchers in an analysis released Friday. “It also has the ability to compromise the private information of its victims by stealing data from the web browser and instant messaging client.”
OBS Studio is open source video recording and live streaming software, allowing users to stream to Twitch, YouTube, and other platforms.
In addition to offering an array of features typical of spyware, BIOPASS is equipped to establish a live broadcast to a cloud service under the attacker's control via the Real Time Messaging Protocol (RTMP), as well as to communicate with the command-and-control (C2) server using the Socket.IO protocol.
The malware, which is said to still be in development, also stands out for its goal of stealing private data from web browsers and instant messaging applications popular primarily in mainland China, including QQ Browser, 2345 Explorer, Sogou Explorer, and 360 Safe Browser, as well as WeChat, QQ, and Aliwangwang.
It’s unclear exactly who is behind this strain of malware, but Trend Micro researchers said they found overlaps between BIOPASS and TTPs often associated with the Winnti Group (aka APT41), a sophisticated Chinese hacking group specializing in cyber espionage attacks, based on the use of stolen certificates and a Cobalt Strike binary previously attributed to that actor.
Additionally, the same Cobalt Strike binary was also connected to a cyberattack earlier this year targeting MonPass, a major certificate authority (CA) in Mongolia, in which its installer software was tampered with to deploy Cobalt Strike beacon payloads on infected systems.
“BIOPASS RAT is a sophisticated type of malware that is implemented as Python scripts,” the researchers said. “Since the malware loader was delivered as an executable disguised as a legitimate update installer on a compromised website, […] it is recommended that you download apps only from trusted sources and official websites to avoid being compromised.”