A previously unknown Remote Access Trojan (RAT) has been discovered as part of a malicious campaign targeting Chinese online gambling companies through watering hole attacks. Researchers named the malware BIOPASS RAT and released a report detailing its capabilities. The threat was delivered to visitors of the compromised sites via a malware loader posing as an installer for legitimate, well-known but long-deprecated software products; it has been observed masquerading as an installer for Adobe Flash Player or Microsoft Silverlight. The threat actor usually placed the infection script on the compromised site's online support page. When the loader is executed on the victim's machine, it drops either a Cobalt Strike beacon or a BIOPASS RAT payload.

BIOPASS RAT Can Stream the Victim's Screen

Written in Python, BIOPASS RAT is a fully-fledged remote access trojan with a couple of twists. It can manipulate the file system (create or delete directories; delete, download or upload files), kill selected processes and execute arbitrary commands. Beyond that, BIOPASS RAT downloads several additional tools that serve its malicious goals, such as capturing screenshots of the system. It goes further still: by dropping the framework of the popular streaming and video recording product OBS (Open Broadcaster Software) Studio and abusing it, BIOPASS can live-stream the screen of the compromised device to a cloud service via RTMP (Real-Time Messaging Protocol).

In addition, BIOPASS can be commanded to harvest a large set of sensitive private data from several web browsers and instant messaging applications popular in China. Among the targeted applications are QQ Browser, Sogou Explorer, 2345 Explorer, WeChat, 360 Safe Browser, QQ and Aliwangwang. All exfiltrated user data, alongside the BIOPASS RAT Python scripts, is stored on Alibaba Cloud (Aliyun) by abusing its Object Storage Service (OSS).
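As an added illustration (not code from the article or from Trend Micro's report), here is a small Python detection pass over constructed, Sysmon-style events that encodes three hunting heuristics drawn from the behaviour described above: an RTMP push URL on the command line of a binary that is not OBS installed under Program Files, execution of an installer named after Flash Player or Silverlight (both long deprecated, so any fresh install is suspect), and outbound connections to Alibaba Cloud OSS endpoints (*.aliyuncs.com) from hosts that are not expected to use that service. The event field names, the paths, the assumption that the stream target shows up on a command line, and the sample events themselves are all assumptions made for this example.

```python
# Added example, not from the article or the Trend Micro report.
# Three hunting heuristics for the BIOPASS RAT behaviour described above,
# run over constructed Sysmon-style events. Field names, trusted paths and
# the sample events are assumptions for illustration only.
import re
from dataclasses import dataclass

# rtmp:// or rtmps:// anywhere on a command line
RTMP_RE = re.compile(r"\brtmps?://", re.IGNORECASE)
# executable whose file name names Flash Player or Silverlight
DEPRECATED_INSTALLER_RE = re.compile(
    r"(flash[_ -]?player|silverlight)[^\\/]*\.exe$", re.IGNORECASE)
# Alibaba Cloud OSS endpoints, e.g. oss-cn-hangzhou.aliyuncs.com
OSS_HOST_RE = re.compile(r"(^|\.)oss(-[a-z0-9-]+)?\.aliyuncs\.com$", re.IGNORECASE)
# Where a legitimately installed OBS Studio lives (assumed default paths).
TRUSTED_OBS_DIRS = (
    "c:\\program files\\obs-studio\\",
    "c:\\program files (x86)\\obs-studio\\",
)


@dataclass
class Alert:
    rule: str
    host: str
    detail: str


def _trusted_obs(image: str) -> bool:
    """True if the process image sits under a standard OBS install directory."""
    low = image.lower()
    return any(low.startswith(d) for d in TRUSTED_OBS_DIRS)


def check_event(ev: dict) -> list[Alert]:
    """Apply all three heuristics to one event and return the alerts raised."""
    alerts: list[Alert] = []
    host = ev.get("host", "?")
    if ev.get("type") == "process_create":
        image = ev.get("image", "")
        cmd = ev.get("cmdline", "")
        # Screen streaming: RTMP target on the command line of something
        # that is not OBS from its normal install location.
        if RTMP_RE.search(cmd) and not _trusted_obs(image):
            alerts.append(Alert("rtmp_stream_unexpected_binary", host, f"{image} {cmd}"))
        # Lure: an installer for a deprecated browser plugin being run.
        if DEPRECATED_INSTALLER_RE.search(image):
            alerts.append(Alert("deprecated_plugin_installer", host, image))
    elif ev.get("type") == "network_connect":
        dst = ev.get("dst_host", "")
        # Exfiltration: OSS egress from a host with no known OSS usage.
        # "oss_expected" stands in for an allow-list lookup (assumed field).
        if OSS_HOST_RE.search(dst) and not ev.get("oss_expected", False):
            alerts.append(Alert("alibaba_oss_egress", host, f"{ev.get('image', '')} -> {dst}"))
    return alerts


def scan(events) -> list[Alert]:
    """Run check_event over a sequence of events, preserving event order."""
    out: list[Alert] = []
    for ev in events:
        out.extend(check_event(ev))
    return out


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"type": "process_create", "host": "ws-042",
     "image": "C:\\Users\\bob\\AppData\\Local\\Temp\\flash_player_install.exe",
     "cmdline": "flash_player_install.exe"},
    {"type": "process_create", "host": "ws-042",
     "image": "C:\\Users\\bob\\AppData\\Roaming\\obs\\bin\\64bit\\obs64.exe",
     "cmdline": "obs64.exe --startstreaming rtmp://198.51.100.10/live/ws-042"},
    {"type": "process_create", "host": "media-01",
     "image": "C:\\Program Files\\obs-studio\\bin\\64bit\\obs64.exe",
     "cmdline": "obs64.exe --startstreaming rtmp://live.example.net/app"},
    {"type": "network_connect", "host": "ws-042",
     "image": "C:\\Users\\bob\\AppData\\Roaming\\python\\python.exe",
     "dst_host": "oss-cn-hangzhou.aliyuncs.com", "dst_port": 443},
    {"type": "network_connect", "host": "build-07",
     "image": "C:\\Tools\\ossutil.exe",
     "dst_host": "oss-cn-shanghai.aliyuncs.com", "dst_port": 443,
     "oss_expected": True},
]

if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"[{a.rule}] {a.host}: {a.detail}")
```

On the sample input the pass raises three alerts, all on ws-042, and stays quiet for the OBS install under Program Files and for the build host that is allow-listed for OSS. Two caveats for real use: OBS normally keeps its stream target in a profile file rather than on the command line, so pair the RTMP rule with file-creation monitoring for OBS binaries or profiles written outside the install directory; and Aliyun OSS has plenty of legitimate users, so the egress rule is a baselining aid, not a verdict on its own.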

The Threat's Attribution

While not conclusive, several links have been found between BIOPASS RAT and the Winnti Group (APT41), a sophisticated China-linked threat actor that specializes in cyberespionage. One connection can be established via the certificates used to sign the BIOPASS RAT loader binaries. Many of them were most likely stolen from South Korean or Taiwanese game studios, an established characteristic of the Winnti hackers, who have used stolen certificates belonging to game studios in past malicious operations.

One of the BIOPASS RAT loader certificates was also used to sign a server-side variant of the Derusbi malware. Derusbi has been part of the toolkits of several APT (Advanced Persistent Threat) groups, but this particular server-side variant has been observed as a loader in attacks by the Winnti Group. The Trend Micro researchers also uncovered a Cobalt Strike loader with a PDB string and C&C domains that have already been attributed to Winnti.

BIOPASS RAT is believed to still be under active development, so the danger it poses could grow further with the release of more sophisticated versions of the threat.
