BIOPASS RAT

15th July 2021, Kathmandu

A newly discovered malware campaign targets online gambling companies in China through a watering hole attack: visitors to compromised websites are tricked into downloading a malware loader disguised as a legitimate installer for well-known applications such as Adobe Flash Player or Microsoft Silverlight.

Closer examination of the loader shows that it loads either a previously undocumented backdoor written in Python or Cobalt Strike shellcode. The new Python backdoor has been named BIOPASS RAT (remote access trojan).

BIOPASS RAT has the core features found in other malware of its kind, such as file system assessment, remote desktop access, file exfiltration, and shell command execution.

It also compromises the privacy of its victims by stealing web browser and instant messaging client data.

BIOPASS RAT is especially interesting because it can capture its victim's screen by abusing the framework of Open Broadcaster Software (OBS) Studio, a popular video recording and live streaming application, to set up a live stream to a cloud service over the Real-Time Messaging Protocol (RTMP).

In addition, the attack abuses the Object Storage Service (OSS) of Alibaba Cloud (Aliyun) to host the BIOPASS RAT Python scripts and to store the data exfiltrated from victims.

BIOPASS RAT is still under active development: several markers found during analysis refer to different versions of the RAT code, such as "V2" or "BPSV3".

Many of the loaders found were configured to load Cobalt Strike shellcode by default rather than the BIOPASS RAT malware.

Furthermore, BIOPASS RAT also creates scheduled tasks to load the Cobalt Strike shellcode during initialization, indicating that the threat actor behind the attack still relies heavily on Cobalt Strike.
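The behaviours described above (a fake installer handing off to a Python interpreter, screen streaming over RTMP from something other than OBS itself, a script host talking to Alibaba Cloud storage, and a scheduled task launching from a user-writable directory) can be turned into simple hunting heuristics. The script below is an added example, not code from this write-up or from Trend Micro; the telemetry format and all sample events are constructed, and the constants it relies on (RTMP's default TCP port 1935, the `.aliyuncs.com` Alibaba Cloud domain suffix, the OBS image names and the user-writable path patterns) are assumptions rather than indicators taken from the page.

```python
import re
from dataclasses import dataclass
from typing import List

# Heuristic constants. None of these values come from the write-up above:
# 1935 is the RTMP default port, *.aliyuncs.com is Alibaba Cloud's service
# domain suffix, and the OBS image names are assumed legitimate streamers.
RTMP_PORT = 1935
OBS_BINARIES = {"obs64.exe", "obs32.exe"}
ALIYUN_SUFFIX = ".aliyuncs.com"
SCRIPT_HOSTS = {"python.exe", "pythonw.exe"}
LURE_NAMES = re.compile(r"flash|silverlight", re.IGNORECASE)
USER_WRITABLE = re.compile(r"\\(Users|ProgramData|Temp)\\", re.IGNORECASE)


@dataclass
class Event:
    """One telemetry record (constructed format for this example)."""
    kind: str    # "process": proc spawned detail; "network": proc -> detail as host:port;
                 # "schtask": detail is the registered task command line
    proc: str    # image name of the acting process
    detail: str


def triage(events: List[Event]) -> List[str]:
    """Return one human-readable finding per event matching a BIOPASS-style behaviour."""
    findings = []
    for ev in events:
        proc = ev.proc.lower()
        if ev.kind == "process":
            # Fake Flash/Silverlight installer launching a Python interpreter:
            # the loader handing off to the Python RAT.
            if LURE_NAMES.search(proc) and ev.detail.lower() in SCRIPT_HOSTS:
                findings.append(f"{ev.proc} spawned {ev.detail} (installer lure -> script host)")
        elif ev.kind == "network":
            host, _, port = ev.detail.rpartition(":")
            # RTMP to a remote host from anything other than OBS itself:
            # screen streaming through the abused OBS framework.
            if port == str(RTMP_PORT) and proc not in OBS_BINARIES:
                findings.append(f"{ev.proc} opened RTMP stream to {host}")
            # Script host talking to Alibaba Cloud storage: script download or exfiltration.
            if host.lower().endswith(ALIYUN_SUFFIX) and proc in SCRIPT_HOSTS:
                findings.append(f"{ev.proc} contacted Aliyun OSS endpoint {host}")
        elif ev.kind == "schtask":
            # Persistence: scheduled task whose command lives in a user-writable directory.
            if USER_WRITABLE.search(ev.detail):
                findings.append(f"scheduled task runs from user-writable path: {ev.detail}")
    return findings


# Constructed sample telemetry; hosts use RFC 5737 documentation addresses.
SAMPLE_EVENTS = [
    Event("process", "flash_installer.exe", "python.exe"),
    Event("network", "python.exe", "203.0.113.10:1935"),
    Event("network", "obs64.exe", "203.0.113.10:1935"),        # legitimate OBS streaming, not flagged
    Event("network", "python.exe", "lure.oss-cn-hangzhou.aliyuncs.com:443"),
    Event("schtask", "schtasks.exe", r"C:\Users\Public\Libraries\update.exe /s"),
    Event("network", "chrome.exe", "www.example.com:443"),     # benign browsing, not flagged
]

if __name__ == "__main__":
    for line in triage(SAMPLE_EVENTS):
        print(line)
```

Each heuristic on its own will produce false positives (many legitimate streaming tools use RTMP, and plenty of Chinese-market software legitimately talks to Aliyun), so in practice these are pivots for an analyst rather than blocking rules; the combination of a lure-named parent, a Python child and an RTMP or OSS connection from that child is what makes the activity look like this campaign.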

Several clues also suggest that the malware may be linked to the Winnti Group (also known as APT41).
