BIOPASS RAT Spread Through Compromised Gambling Sites
An unknown threat actor is using a new Python-based payload to target users of Chinese gambling sites. The malware is spread via fraudulent messages and pop-ups that appear on legitimate gambling sites, which means the attackers have somehow compromised these websites. Notably, the fraudulent messages usually appear when the user tries to access the live support section of a compromised website, so that component may be the one whose security was breached.
Watch out for Flash Player and Silverlight Prompts - It Might be the BIOPASS RAT
Users of the compromised sites may see an alert telling them to download an update for Adobe Flash Player or Microsoft Silverlight – both now-deprecated products. Instead of a legitimate installer, however, they end up fetching a copy of the BIOPASS RAT. This Remote Access Trojan (RAT) packs a lot of features, including a very surprising component that streams the compromised computer's screen to the attackers.
BIOPASS RAT naturally has the features typical of Trojans of this sort: its operators can access and modify the file system, execute remote commands, steal files, grab screenshots, and more. The surprising part is its use of Open Broadcaster Software (OBS), a legitimate live-streaming and video-recording package, which the criminals use to set up a live stream of the compromised system's screen. On top of this, BIOPASS RAT can steal data from Web browsers and other software popular in China – 2345 Explorer, Sogou Explorer, QQ Browser, 360 Chrome, and others.
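The two behaviours described above (a fake Flash Player or Silverlight "update" being executed, and OBS being started to stream the desktop without the user's involvement) are both visible in endpoint process-creation telemetry. The following Python script is an added example, not code from the original article or from the researchers who analysed BIOPASS RAT: it applies two triage heuristics to constructed, Sysmon-like process-creation events. The event format, the sample paths, the "interactive parent" assumption and the rule names are all assumptions made for the example; `--startstreaming` and `--minimize-to-tray` are real OBS Studio launch parameters, but whether this campaign uses them is not stated on the page.

```python
"""Defensive triage of process-creation events for two behaviours the
BIOPASS RAT article describes. Added example with constructed sample
data; field names, rules and paths are assumptions, not the malware's
actual indicators."""
import ntpath
import re

# Assumption: a user launching a program interactively does so via explorer.exe.
INTERACTIVE_PARENTS = {"explorer.exe"}
OBS_IMAGES = {"obs64.exe", "obs32.exe"}
# OBS Studio launch parameters that start streaming / hide the window without
# any clicks from the user (real OBS flags; their use by the RAT is an assumption).
OBS_UNATTENDED_FLAGS = ("--startstreaming", "--minimize-to-tray")
# Both products are deprecated, so any "installer" for them is a lure, not an update.
DEPRECATED_PLUGIN_RE = re.compile(r"flash[ _]?player|silverlight", re.IGNORECASE)

# Constructed sample events in a simplified key="value" form (not real telemetry).
SAMPLE_EVENTS = [
    r'Image="C:\Windows\explorer.exe" ParentImage="C:\Windows\System32\userinit.exe" CommandLine="explorer.exe"',
    r'Image="C:\Users\alice\Downloads\flashplayer_update.exe" ParentImage="C:\Program Files\Google\Chrome\Application\chrome.exe" CommandLine="flashplayer_update.exe"',
    r'Image="C:\Users\alice\AppData\Roaming\obs-studio\bin\64bit\obs64.exe" ParentImage="C:\Users\alice\AppData\Local\Temp\python.exe" CommandLine="obs64.exe --startstreaming --minimize-to-tray"',
    r'Image="C:\Program Files\obs-studio\bin\64bit\obs64.exe" ParentImage="C:\Windows\explorer.exe" CommandLine="obs64.exe"',
    r'Image="C:\Users\alice\Downloads\Silverlight_x64.exe" ParentImage="C:\Windows\explorer.exe" CommandLine="Silverlight_x64.exe"',
]


def parse_event(line):
    """Split a key="value" event line into a dict (values may contain spaces)."""
    return {key: value for key, value in re.findall(r'(\w+)="([^"]*)"', line)}


def triage(line):
    """Return the list of rule names that fire for one event (empty if benign)."""
    event = parse_event(line)
    image = ntpath.basename(event.get("Image", "")).lower()
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    cmdline = event.get("CommandLine", "").lower()
    alerts = []

    # Rule 1: an executable posing as a Flash Player / Silverlight installer ran at all.
    if DEPRECATED_PLUGIN_RE.search(image):
        alerts.append("deprecated_plugin_installer")

    # Rule 2: OBS launched by a non-interactive parent, or with flags that make it
    # start streaming / hide itself, which is how a RAT would use it unattended.
    if image in OBS_IMAGES and (
        parent not in INTERACTIVE_PARENTS
        or any(flag in cmdline for flag in OBS_UNATTENDED_FLAGS)
    ):
        alerts.append("obs_unattended_launch")
    return alerts


def triage_all(lines):
    """Return (image, alerts) pairs for every event that triggers at least one rule."""
    hits = []
    for line in lines:
        alerts = triage(line)
        if alerts:
            hits.append((parse_event(line).get("Image"), alerts))
    return hits


if __name__ == "__main__":
    for image, alerts in triage_all(SAMPLE_EVENTS):
        print(f"{image}: {', '.join(alerts)}")
```

The OBS rule deliberately does not fire for OBS started from explorer.exe with no automation flags, so a legitimate streamer on the same host is not flagged; the parent-process check is what separates the RAT's scripted launch from a user's own use of the tool.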
Last but not least, BIOPASS RAT lets the attackers inject HTML and JavaScript resources into the websites the user browses, which could be used for a very stealthy man-in-the-middle attack that steals login credentials or other information. Although the exact perpetrators behind BIOPASS RAT have not been identified, researchers suspect that the Winnti hackers might be behind this campaign and payload.