Security Intelligence -
Researchers discovered a new attack campaign targeting online gambling companies in china with one of two malware payloads. In one scenario detected by Trend Micro, the campaign dropped a previously undocumented backdoor written in python. The security firm dubbed this threat ‘BIOPASS rat’ (for remote access trojan). In addition, they discovered it was spread in conjunction with the Cobalt Strike malware. Read on to learn about a unique attempt that BIOPASS uses to sniff a victim’s screen.
The Novel Features of BIOPASS
The campaign begins with a watering hole attack, where attackers compromise a website by placing an injection script into a target’s online chat support page. From there, they could load either the BIOPASS RAT or Cobalt Strike.
First, the injection script scans for signs of existing infection. Next, it replaces the real page’s content with a page that displays an error message. This message instructs them to download an updated version of either Adobe Flash Player or Microsoft Silverlight. Both programs are already deprecated.
Each installer downloads the real application. However, it also creates scheduled tasks for the