Trend Micro is warning about a new type of malware is hitting China’s online gambling industry. Attackers can perform a water hole attack by deploying either Cobalt Strike beacons or a Python backdoor called BIOPASS RAT, cybersecurity researchers said in an analysis published Friday.
The RAT takes advantage of the Open Broadcaster Software’s live-streaming app to record the screen and send this data to attackers.
The attack works by tricking gamers into downloading a loader software package that looks like an installer for popular but already phased out apps, such as Adobe Flash Player or Microsoft Silverlight.
The RAT can perform typical spyware operations and also steal various data, for example, the victim’s chat messages:
“BIOPASS RAT possesses basic features found in other malware, such as file system assessment, remote desktop access, file exfiltration, and shell command execution,” Trend Micro researchers noted in an analysis published Friday. “It also has the ability to compromise the private information of its victims by stealing web browser and instant messaging client data.”
Attackers abuse OBS Studio, which is an open-source video recording and live-streaming software. It enables users to stream to various platforms such as Twitch and YouTube.
BIOPASS is a highly-capable spyware package that can execute various types of remote code execution tasks. Aside from being able to execute arbitrary code, it can also execute live-streaming to the attackers’ cloud service via Real-Time Messaging Protocol (RTMP).
The malware is believed to be targeting individuals and organizations in China. It focuses on stealing sensitive information from web browsers and chat apps, such as QQ Browser, 2345 Explorer, Sogou Explorer, and 360 Safe Browser, WeChat, QQ, and Aliwangwang.
It’s not clear who’s behind this malware, but security researchers at Trend Micro detected overlaps between the BIOPASS and the TTPs associated with the Winnti Group (aka APT41), a sophisticated Chinese hacking group specialized in cyber espionage attacks.
Researchers also noted that the same Cobalt Strike binary was also used in a cyberattack on MonPass, a certification authority in Mongolia, earlier this year.
Trend Micro researchers concluded their report with advice:
“BIOPASS RAT is a sophisticated type of malware that is implemented as Python scripts. Given that the malware loader was delivered as an executable disguised as a legitimate update installer on a compromised website, […] it is recommended to download apps only from trusted sources and official websites to avoid being compromised.”