A new strain of malware has been uncovered by security researchers, that uses the popular streaming software Open Broadcaster Software (OBS) Studio to record victims’ screens. Researchers at the cybersecurity firm Trend Micro discovered this new strain, identifying it as a Remote Access Trojan (RAT). This RAT was spotted by the researchers in recent attacks targeting online gambling companies in China.
This RAT, named Biopass, is coded using the Python programming language and has been entering systems while being disguised in legitimate software installers for Adobe Flash Player and Microsoft Silverlight. Even though both Flash Player and Silverlight have reached their end-of-life (EOD), these technologies are still actively being used in China.
Image source: Trend Micro
How Biopass Malware works
Trend Micro published a report on Biopass which goes into great, technical detail about how Biopass works. The primary function of the malware is to record and broadcast the screen of the victims to their attackers using the live streaming services of OBS studio. According to the report, the attackers planted malicious JavaScript code on the chat/tech support pages of the Chinese gambling websites. This redirected users to various pages offering tainted installers claiming to fix whatever problem was listed, which was then downloaded by these to-be victims of Biopass.
As mentioned before, the tainted installers were mainly for software such as Adobe Flash Player and Microsoft Silverlight. These installers did install a legitimate version of either software but also installed the Biopass RAT. This granted attackers full and free access to the entire system.
The researchers say that the Biopass RAT does possess a lot of the basic features that are found in other malware, like the file system assessment, remote desktop access, file exfiltration, and shell command execution. It also has the capability to steal users’ private data from instant messaging clients and web browsers. The thing that sets Biopass apart from other malware is that it can “sniff” its victims’ screens by abusing the framework of OBS Studio to establish live streaming to a cloud service routed to the attackers.
“We consider BIOPASS RAT as still being actively developed. For example, some markers that we discovered during our analysis refer to different versions of RAT code, such as ‘V2’ or ‘BPSV3’. “
via the Trend Micro report written by Joseph C Chen, Kenney Lu, Jaromir Horejsi, and Gloria Chen
What we know so far about Biopass RAT
As of now, it is uncertain as to who exactly is responsible for these attacks, as well as the creation of this malware. As per the Trend Micro report, it is suggested that a lot of clues point towards Biopass being the work of an infamous group of Chinese state-sponsored hackers called Winnti (also known as APT41).
The report claims that the main suspect is Winnti since the modus operandi of the group fits the working of Biopass perfectly. Winnti is a Chinese cyber-espionage group that normally likes to engage in its operations during regular work hours, which then leads to financially motivated attacks on Southeast Asian online gaming companies.
“Experts noticed that multiple BIOPASS RAT loader binaries were signed with two valid certificates likely stolen from game studios from South Korea and Taiwan, a tactic that was previously associated with cyber-espionage campaigns conducted by the Winnti Group to sign its malware.”
via an article from Security Affairs written by Pierluigi Paganini
However, there have been no formal links made by Trend Micro between Biopass and Winnti just yet. It is important to also note that the attacks carried out using Biopass have been targeted towards the data of people residing in Mainland China. Hypothetically speaking, It would seem a bit odd for a state-sponsored threat actor such as Winnti to target local Chinese entities in these alleged attacks.
Add Comment