Application Security , Cybercrime , Fraud Management & Cybercrime

Malware Exploits Livestream App

'BioPass' Targets Chinese Gambling Companies' Clients
Malware Exploits Livestream App
An image from Open Broadcaster Software Studio, which attackers are exploiting (Source: YouTube)

Newly uncovered malware dubbed "BioPass" is targeting Chinese online gambling companies to capture private data from their clients, Trend Micro says. The malware exploits popular livestreaming and video recording app Open Broadcaster Software Studio to steal victims' web browser and instant messaging data, which can potentially be used for further exploitation.

See Also: Live Webinar | Digital Doppelgängers: The Dual Faces of Deepfake Technology

The attacks begin by using watering-hole techniques, in which victims are tricked into downloading a malware loader disguised as a legitimate installer for Adobe Flash Player or Microsoft Silverlight, Trend Micro says.

The downloaded file is actually either a Cobalt Strike shellcode or BioPass remote access Trojan compiled in Python programming language. "BioPass RAT possesses basic features found in other malware, such as file system assessment, remote desktop access, file exfiltration and shell command execution," the report notes. "It also has the ability to compromise the private information of its victims by stealing web browser and instant messaging client data."

Trend Micro researchers discovered two variants of BioPass, indicating the malware is likely at its development stage. Although the malware still appears to be in the early stages of development, the report notes that BioPass is highly sophisticated in terms of its capabilities.

Infection Tactics

Hackers first perform malicious JavaScript injection to a victim's online support chat page, the researchers say. The injected script then scans the host system by sending HTTP requests to a list of ports. "If it receives any response with an expected string from these ports, the script will stop. This step is likely designed to avoid attacking an already infected victim," Trend Micro notes. "We found that the BioPass RAT has the ability to open an HTTP service running on localhost on a port chosen from a hard-coded list. This functionality allows the script to identify whether the victim has already been infected by their malware."

If the scanning finds that a device already has been infected by BioPass, the malware will then replace the content of the original page with that of the attacker's, which will then show the victims an error messaging asking them to download a not-in-use versions of Flash installer or a Silverlight installer, both of which are malicious loaders, the Trend Micro report notes.

The loaders then download malicious versions of the legitimate applications that are hosted on Alibaba Cloud OSS on an attacker-controlled account, according to the report.

When executed, BioPass performs certain scheduled tasks, such as replacing the content, spying on predefined ports and marking the infected machine to avoid targeting again.

The malware then collects information about the victim's system, access keys, endpoint address and the bucket name for Alibaba Cloud OSS and monitors the victim’s desktop via RTMP livestreaming to the cloud, Trend Micro notes.

In the final stage of the attack, the malware communicates with its command-and-control server.

Connection to Winnti

BioPass appears to be linked to the Chinese advanced persistent threat group Winnti - which is also known as APT41, Wicked Spider, Winnti Umbrella and Barium - based on the similarities between their infrastructures, Trend Micro says. These includes similarities in certificates used for signing the loader. "These certificates are likely stolen from game studios in South Korea and Taiwan. It is well known that the Winnti Group has previously used stolen certificates from game studios to sign its malware," the report notes.

Further analysis of the certificates revealed they were being used by malware called Derusbi that has previously been linked to the Winnti Group. In addition, Cobalt Strike loader used by the malware has also been attributed to Winnti.

A recent report by security firm Group-IB found Winnti was behind the breach of SITA, an international provider of IT services for the air transport industry worldwide, which led to customer data at Air India and other airlines being compromised (see: Report: China-Connected APT41 Likely Behind Attacks on Airlines ).

In January, researchers at Positive Technologies uncovered a Winnti cyberespionage campaign that targeted victims in Hong Kong and Russia (see: Chinese Hacking Group Deploys Backdoor).

About the Author

Akshaya Asokan

Akshaya Asokan

Senior Correspondent, ISMG

Asokan is a U.K.-based senior correspondent for Information Security Media Group's global news desk. She previously worked with IDG and other publications, reporting on developments in technology, minority rights and education.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.