BIOPASS RAT targets online gambling firms in China
Suspected Chinese hackers are targeting online gambling companies in China with a new remote access trojan (RAT) that abuses Open Broadcaster Software (OBS) Studio live streaming software to record victims’ screens.
Dubbed ‘BIOPASS RAT’ by researchers at Trend Micro who discovered this new threat, the malware spreads via a watering hole attack, in which unsuspecting visitors to a compromised gaming website are served with a malware downloader masqueraded as a legitimate installer for well-known apps such as Adobe Flash Player or Microsoft Silverlight. Specifically, the websites’ online support chat pages contain malicious JavaScript code, which is used to deliver the malware to the victims.
The loader downloads either a Cobalt Strike shellcode or BIOPASS RAT. The latter contains basic functionality often found in other malware, such as file system assessment, remote desktop access, file exfiltration, and shell command execution. It also has the ability to compromise the private information of its victims by stealing data from web browsers and instant messaging apps popular in Mainland China, including QQ Browser, 2345 Explorer, Sogou Explorer, and 360 Safe Browser, WeChat, QQ, and Aliwangwang.
The malware uses the OBS video recording app to establish live streaming to a cloud service via Real-Time Messaging Protocol (RTMP). In addition, the attack misuses the object storage service (OSS) of Alibaba Cloud (Aliyun) to host the BIOPASS RAT Python scripts as well as to store the exfiltrated data from victims.
BIOPASS appears to be under active development based on some indications, such as markers referring to different versions of RAT code (“V2” or “BPSV3”). The researchers said that many of the downloaders they observed were used to load Cobalt Strike shellcode by default instead of the BIOPASS RAT malware.
While Trend Micro researchers did not attribute these attacks to any particular hacker group, they said they found some clues indicating that the Winnti Group (also known as APT41) may be behind the malware.
“Given that the malware loader was delivered as an executable disguised as a legitimate update installer on a compromised website, we advise users to be careful with regard to the applications that they download. As much as possible, it is recommended to download apps only from trusted sources and official websites to avoid being compromised by attacks such as the one discussed here,” the researchers warned.