BIOPASS RAT Malware Targets Its Victims via Watering Hole Attacks

Keep up to date with latest blog posts

Researchers found a new RAT (Remote Access Trojan) named BIOPASS that uses a watering hole attack to deceive users into downloading a malware loader masqueraded as a legitimate installer for well-known software like Adobe Flash Player or Microsoft Silverlight [1].

Masquerading (MITRE ATT&CK T1036) is a defense evasion technique. Adversaries change features of their malicious artifacts with legitimate and trusted ones, such as code signatures, names and location of malware files, names of tasks and services. After masquerading, malicious artifacts of adversaries such as malware files appear legitimate to users and security controls. Malware downloader payload of BIOPASS RAT disguised as a legitimate installer for well-known applications using their names and icons.

File system assessment, remote desktop connection, data collection from web browsers and instant messaging clients, exfiltrating collected data and files, and shell command execution are basic functionalities of the BIOPASS malware. In addition to these common RAT features, BIOPASS RAT abuses the framework of Open Broadcaster Software (OBS) Studio to sniff the victim's screen and initiate live broadcasting to a cloud service via Real-Time Messaging Protocol (RTMP).

Picus Labs has updated the Picus Threat Library with new attack methods for malware samples used by the Biopass RAT. 

Picus ID

Threat Name

420231

BIOPASS RAT .EXE File Download Variant-1

784483

BIOPASS RAT .EXE File Download Variant-2

726967

BIOPASS RAT .EXE File Download Variant-3

276536

BIOPASS RAT .EXE File Download Variant-4

 

 

 

 

 

 

Other RATs (Remote Access Trojans) Malware in Picus Threat Library

Picus Threat Library consists of 446 threats for Remote Access Trojans / Remote Access Tools, including HabitsRAT, DarkComet, SystemBC, DueDLLigence, TrimBishop, CRAT, ComRAT, Taidoor, NanoCore, Blindingcan, GoldenSpy, Dark Crystal, PoetRAT, Netwire, ZxShell, CrimsonRAT, Loda, JhoneRAT, PyXie, SectopRAT, RevengeRAT, Remcos, Neuvert, NukeSped, Bitter, Ratatouille, Warzone RAT, Proyecto RAT, Imminent RAT, Saefko, Zeroaccess, and PlugX.

References

[1] https://www.trendmicro.com/en_us/research/21/g/biopass-rat-new-malware-sniffs-victims-via-live-streaming.html

Subscribe

Keep up to date with latest blog posts