KEY POINTS

  • A new sophisticated RAT called BIOPASS was recently discovered
  • It piggybacks on Adobe Flash and Microsoft Silverlight installers to get into the system
  • There is no definite attribution on the group behind BIOPASS

A new malware that uses a popular live-streaming software to record and broadcast the screen of unwitting victims is being talked about.

Cybersecurity researchers at Trend Micro discovered a new and innovative malware classified as a remote access Trojan (RAT). Known as BIOPASS, this malware rides inside installers for Microsoft Silverlight and Adobe Flash Player. The report detailed that these malicious Silverlight and Flash installers load the complex RAT implemented as Python scripts.

Cybersecurity researchers believe BIOPASS is not like the typical RAT. "What makes BIOPASS RAT particularly interesting is that it can sniff its victim’s screen by abusing the framework of Open Broadcaster Software (OBS) Studio, a popular live streaming and video recording app, to establish live streaming to a cloud service via Real-Time Messaging Protocol (RTMP)," said Trend Micro cybersecurity researchers.

This new malware has all the features seen in remote access Trojans. It can also access the file system, execute remote desktop access, do file extraction, take screenshots and execute shell commands. Moreover, it downloads FFmpeg, which is needed to record, convert and stream video and audio. It also downloads the Open Broadcaster Software needed for video recording and live streaming.

Malicious actors can use either of the two frameworks to track the desktop of the infected system. They can also stream videos to the cloud, which enables them to watch the feed in real-time via the BIOPASS control panel. Cybersecurity researchers also discovered that the script that retrieves BIOPASS is injected into the target site's online support chat page, where it checks whether the visitor has already been infected.

According to Trend Micro, "If the script confirms that the visitor has not yet been infected, it will then replace the original page content with the attackers’ own content. The new page will show an error message with an accompanying instruction telling website visitors to download either a Flash installer or a Silverlight installer, both of which are malicious loaders."
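As an added example (not code from the Trend Micro report or this article), a small hunt in Python over constructed endpoint and proxy telemetry that flags the three behaviours described above: OBS or FFmpeg launched by a Python interpreter, an outbound RTMP flow (RTMP's default port is TCP 1935), and a download of a Flash or Silverlight installer from a site's support pages. The log format, hostnames, paths and addresses are assumptions for the demonstration.

```python
import re
from typing import Dict, Iterable, List

# Constructed telemetry lines for the demonstration; none come from the report.
# Each line is one event: process start, network flow, or web download.
SAMPLE_EVENTS = [
    "kind=process host=ws01 parent=python.exe image=obs64.exe",
    "kind=process host=ws01 parent=python.exe image=ffmpeg.exe",
    "kind=process host=ws02 parent=explorer.exe image=obs64.exe",
    "kind=flow host=ws01 proto=tcp dport=1935 dst=203.0.113.10",
    "kind=flow host=ws03 proto=tcp dport=443 dst=203.0.113.11",
    "kind=download host=ws04 url=https://support.example.net/chat/flash_installer.exe",
    "kind=download host=ws04 url=https://www.adobe.com/legit.pdf",
]

STREAMING_TOOLS = {"obs64.exe", "obs32.exe", "ffmpeg.exe"}   # tools BIOPASS drops
SCRIPT_HOSTS = {"python.exe", "pythonw.exe"}                  # the RAT is Python-based
RTMP_PORTS = {1935}                                           # coarse: RTMPS may ride 443
LEGACY_INSTALLER = re.compile(r"(flash|silverlight)[^/]*\.(exe|msi)$", re.I)


def parse(line: str) -> Dict[str, str]:
    """Turn a 'key=value key=value' line into a dict (assumed log format)."""
    return dict(kv.split("=", 1) for kv in line.split())


def hunt(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return one finding per event that matches a BIOPASS-style behaviour."""
    findings = []
    for line in lines:
        ev = parse(line)
        kind = ev.get("kind")
        image = ev.get("image", "").lower()
        parent = ev.get("parent", "").lower()
        if kind == "process" and image in STREAMING_TOOLS and parent in SCRIPT_HOSTS:
            findings.append({"host": ev["host"], "rule": "streaming_tool_spawned_by_script_host", "detail": image})
        elif kind == "flow" and int(ev.get("dport", 0)) in RTMP_PORTS:
            findings.append({"host": ev["host"], "rule": "outbound_rtmp", "detail": ev["dst"]})
        elif kind == "download" and LEGACY_INSTALLER.search(ev.get("url", "")):
            findings.append({"host": ev["host"], "rule": "legacy_plugin_installer_download", "detail": ev["url"]})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f['host']}: {f['rule']} ({f['detail']})")
```

Both Flash and Silverlight are end-of-life, so any installer download for them is worth triage on its own; OBS launched by a user from the Start menu (explorer.exe parent) is deliberately not flagged.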

Adobe already gave up Flash Player in 2020 and has blocked Flash content from running since January 2021. The company also encourages users to remove the app from their devices because of high security risks. Microsoft did the same and promised to end support for Silverlight in October of this year.

Trend Micro admitted that there is no definite attribution on the group behind the BIOPASS RAT. However, its cybersecurity researchers discovered several pieces of evidence linking the malware to the alleged Chinese state-sponsored actors known as Winnti or APT41.