BIOPASS malware abuses OBS Studio to spy on victims

Researchers spotted a new malware, dubbed BIOPASS, that sniffs the victim’s screen by abusing the framework of Open Broadcaster Software (OBS) Studio.

Researchers from Trend Micro spotted a new malware, dubbed BIOPASS, that sniffs the victim’s screen by abusing the framework of Open Broadcaster Software (OBS) Studio.

Threat actors behind the new malware planted a malicious JavaScript code on support chat pages of Chinese gambling-related sites to redirect visitors to pages offering the malicious installers.

The new piece of malware was employed in watering hole attacks aimed at online gambling companies in China. The attackers compromised the sites to serve a malware loader disguised as a legitimate installer for Adobe Flash Player or Microsoft Silverlight.

The analysis of the loader revealed that it loads either a Cobalt Strike shellcode or a new Python backdoor tracked by the experts as BIOPASS RAT.

BIOPASS RAT implements common RAT features, such as file system assessment, remote desktop access, file exfiltration, and shell command execution. The malware is also able to steal private information from web browsers and instant messaging clients installed on the victim’s device.

The malicious code leverages OBS Studio’s RTMP (Real-Time Messaging Protocol) streaming capabilities to record the user’s screen and broadcast it to an attacker’s control panel.

“What makes BIOPASS RAT particularly interesting is that it can sniff its victim’s screen by abusing the framework of Open Broadcaster Software (OBS) Studio, a popular live streaming and video recording app, to establish live streaming to a cloud service via Real-Time Messaging Protocol (RTMP). In addition, the attack misuses the object storage service (OSS) of Alibaba Cloud (Aliyun) to host the BIOPASS RAT Python scripts as well as to store the exfiltrated data from victims.” reads the report published by Trend Micro.

According to Trend Micro, the BIOPASS RAT could be linked to the Chinese Winnti APT group (aka APT41).

Experts noticed that multiple BIOPASS RAT loader binaries were signed with two valid certificates likely stolen from game studios from South Korea and Taiwan, a tactic that was previously associated with cyberespionage campaigns conducted by the Winnti Group to sign its malware.

This would fit into the group’s modus operandi, since APT41 has been known to engage in cyber-espionage operations during its regular work hours and then carry out financially motivated attacks against online gaming companies across Southeast Asia for personal profit. Experts also spotted a server-side variant of the Derusbi malware sample, which is part of Winnti’s arsenal, that was signed with one of the stolen certificates.

Experts also found an interesting Cobalt Strike loader whose PDB string points to a C&C server mentioned in a recent report on a campaign attributed to the Winnti Group.

“BIOPASS RAT is a sophisticated type of malware that is implemented as Python scripts. It possesses many features, such as the ability to use scheduled tasks as a method of maintaining persistence in the infected system. The malware abuses publicly available tools and cloud services for its malicious behavior,” concludes the report published by Trend Micro, which includes the Indicators of Compromise (IoCs). “Notably, a large number of features were implemented to target and steal the private data of popular web browsers and instant messengers that are primarily used in Mainland China.”
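As an added example (not code from the article or from Trend Micro), the following heuristic triage turns two of the behaviours described above into checks over endpoint telemetry: RTMP streaming from a process that is not OBS Studio itself, and a scheduled task that runs a Python interpreter out of a user-writable directory. The event shape, the OBS allowlist, the RTMP port and the suspect directories are assumptions, and the sample events are constructed, not real IoCs.

```python
"""Heuristic triage for the two BIOPASS behaviours the article describes:
RTMP screen streaming from a non-OBS process and scheduled-task persistence
for a dropped Python backdoor. Event shape and allowlists are assumptions."""
from dataclasses import dataclass

RTMP_PORT = 1935                           # default RTMP port (assumed)
OBS_IMAGES = {"obs64.exe", "obs32.exe"}    # legitimate OBS Studio binaries (assumed allowlist)
PY_IMAGES = {"python.exe", "pythonw.exe"}
SUSPECT_DIRS = ("c:\\programdata\\", "c:\\users\\public\\", "\\appdata\\local\\temp\\")


@dataclass
class Event:
    kind: str          # "net" = outbound connection, "task" = scheduled-task registration
    image: str         # process image path (net) or task action executable (task)
    host: str = ""     # destination host (net only)
    port: int = 0      # destination port (net only)
    args: str = ""     # task action arguments (task only)


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def flag_rtmp_from_non_obs(ev: Event) -> bool:
    """RTMP traffic from anything but OBS itself: a process that embeds the
    OBS framework, as BIOPASS does, would look exactly like this."""
    return ev.kind == "net" and ev.port == RTMP_PORT and _basename(ev.image) not in OBS_IMAGES


def flag_python_task_persistence(ev: Event) -> bool:
    """Scheduled task launching a Python interpreter from a writable,
    user-land directory, i.e. a dropped interpreter plus script."""
    path = ev.image.replace("/", "\\").lower()
    return ev.kind == "task" and _basename(path) in PY_IMAGES and any(d in path for d in SUSPECT_DIRS)


RULES = {"rtmp_non_obs": flag_rtmp_from_non_obs, "py_task_persist": flag_python_task_persistence}


def triage(events):
    """Return (rule name, event index) for every event that matches a rule."""
    return [(name, i) for i, ev in enumerate(events) for name, rule in RULES.items() if rule(ev)]


# Constructed sample telemetry (hosts and paths are placeholders): indexes 1 and 2 should fire.
SAMPLE = [
    Event("net", r"C:\Program Files\obs-studio\bin\64bit\obs64.exe", "rtmp.example.net", 1935),
    Event("net", r"C:\ProgramData\flashplayer\python.exe", "stream.example.net", 1935),
    Event("task", r"C:\Users\Public\python\pythonw.exe", args=r"C:\Users\Public\python\update.py"),
    Event("task", r"C:\Python39\python.exe", args=r"C:\scripts\backup.py"),
]

if __name__ == "__main__":
    for rule, idx in triage(SAMPLE):
        print(f"{rule}: {SAMPLE[idx].image}")
```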


Pierluigi Paganini

(SecurityAffairs – hacking, APT41)
