Malware Exploits Livestream App: 'BioPass' Targets Chinese Gambling Companies' Clients
Newly uncovered malware dubbed "BioPass" is targeting Chinese online gambling companies to capture private data from their clients, Trend Micro says. The malware abuses the popular livestreaming and video recording application Open Broadcaster Software (OBS) Studio to steal victims' web browser and instant messaging data, which can potentially be used for further exploitation.
The attacks begin by using watering-hole techniques, in which victims are tricked into downloading a malware loader disguised as a legitimate installer for Adobe Flash Player or Microsoft Silverlight, Trend Micro says.
The downloaded file is actually either Cobalt Strike shellcode or the BioPass remote access Trojan, which is written in Python. "BioPass RAT possesses basic features found in other malware, such as file system assessment, remote desktop access, file exfiltration and shell command execution," the report notes. "It also has the ability to compromise the private information of its victims by stealing web browser and instant messaging client data."
Trend Micro researchers discovered two variants of BioPass, indicating the malware is likely still under development. Although the malware appears to be in the early stages of development, the report notes that BioPass is already highly sophisticated in terms of its capabilities.
If the scanning finds that a device already has been infected by BioPass, the malware then replaces the content of the original page with the attacker's own content, which shows victims an error message asking them to download a no-longer-used version of the Flash Player installer or a Silverlight installer, both of which are malicious loaders, the Trend Micro report notes.
The loaders then download malicious versions of the legitimate applications that are hosted on Alibaba Cloud OSS on an attacker-controlled account, according to the report.
When executed, BioPass performs certain scheduled tasks, such as replacing the page content, monitoring predefined ports and marking the infected machine so that it is not targeted again.
The malware then collects information about the victim's system, along with the access keys, endpoint address and bucket name for Alibaba Cloud OSS, and monitors the victim's desktop by livestreaming it to the cloud over RTMP, Trend Micro notes.
In the final stage of the attack, the malware communicates with its command-and-control server.
Connection to Winnti
BioPass appears to be linked to the Chinese advanced persistent threat group Winnti - which is also known as APT41, Wicked Spider, Winnti Umbrella and Barium - based on the similarities between their infrastructures, Trend Micro says. These include similarities in the certificates used for signing the loader. "These certificates are likely stolen from game studios in South Korea and Taiwan. It is well known that the Winnti Group has previously used stolen certificates from game studios to sign its malware," the report notes.
Further analysis of the certificates revealed they were also being used by malware called Derusbi, which has previously been linked to the Winnti Group. In addition, the Cobalt Strike loader used in the campaign has also been attributed to Winnti.
A recent report by security firm Group-IB found Winnti was behind the breach of SITA, an international provider of IT services for the air transport industry worldwide, which led to customer data at Air India and other airlines being compromised (see: Report: China-Connected APT41 Likely Behind Attacks on Airlines).
In January, researchers at Positive Technologies uncovered a Winnti cyberespionage campaign that targeted victims in Hong Kong and Russia (see: Chinese Hacking Group Deploys Backdoor).