[MART] - Daily Diary #302 - New RAT BIOPASS Uses OBS Studio To Stream Their Target's Screen

CTAS-MAT ctas-mat at appgate.com
Mon Jul 12 22:38:44 UTC 2021


Hello,
I hope everyone is doing well!

Below is the entry for today.

07/12/2021 - Diary entry #302:

This week a new Remote Access Trojan was disclosed. Named BIOPASS, the malware is a RAT/backdoor written in Python. Its capabilities include the basic toolkit of this type of trojan: file exfiltration, shell command execution and the ability to drop other malware samples. The malware can also stream the computer screen to the attacker, abusing the open-source software OBS Studio. OBS Studio is software used for video recording and live streaming, commonly used by streamers on Twitch and YouTube. The malware also communicates with the C2 server using the Socket.io protocol.

BIOPASS was found in a recent "watering hole" attack targeting Chinese online gambling companies. The attackers compromised gaming websites, injecting malicious JavaScript into the pages. The injected code creates fake alerts for popular (although deprecated) apps such as Adobe Flash and Microsoft Silverlight. Clicking the alert downloads a fake installer, which drops the malware on the system. BIOPASS seems to be in a development stage, as some of its features, including the C2 communication, are very simple and easy to detect. In this attack chain specifically, both BIOPASS and Cobalt Strike beacons were found, showing that the attackers still do not fully rely on it.

Kind Regards,





Felipe Duarte Domingues
Security Researcher
Appgate

E: felipe.duarte at appgate.com<mailto:felipe.duarte at appgate.com>
O: +55 19 98840 2509
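A hunting check for the OBS Studio abuse described in the entry above. This is an added example, not part of the diary entry and not BIOPASS's or Appgate's code. It assumes Sysmon-style process-creation field names (Image, ParentImage, CommandLine), an allowlist of standard OBS install directories, a list of "suspicious" parent processes, the OBS command-line flags --startstreaming and --minimize-to-tray, and the layout of the per-profile service.json in which OBS stores its stream destination; every sample event and service file below is constructed, not real telemetry.

```python
"""Hunting heuristics for OBS Studio being driven as a screen-streaming
component, as described for BIOPASS in the diary entry.

Added example; not BIOPASS's code and not Appgate's detection content.
The Sysmon-like field names, the install-directory allowlist, the
suspicious-parent list and the OBS flags checked are all assumptions.
All sample inputs are constructed inline.
"""
import ipaddress
import json
import ntpath
from urllib.parse import urlparse

# Assumed default install directories for OBS Studio on Windows.
KNOWN_OBS_DIRS = {
    r"c:\program files\obs-studio\bin\64bit",
    r"c:\program files\obs-studio\bin\32bit",
}
OBS_IMAGES = {"obs64.exe", "obs32.exe"}
# Parents that have little business starting a streaming client (assumed list).
SUSPICIOUS_PARENTS = {"python.exe", "pythonw.exe", "cmd.exe", "powershell.exe",
                      "wscript.exe", "cscript.exe", "rundll32.exe"}
# Destinations a legitimate OBS user would plausibly stream to (assumed allowlist).
TRUSTED_STREAM_DOMAINS = ("twitch.tv", "youtube.com")


def score_process_event(event):
    """Return the reasons an OBS process-creation event looks like abuse.

    `event` uses Sysmon Event ID 1 style field names (Image, ParentImage,
    CommandLine). Non-OBS processes yield an empty list.
    """
    image = event.get("Image", "")
    if ntpath.basename(image).lower() not in OBS_IMAGES:
        return []
    reasons = []
    if ntpath.dirname(image).lower() not in KNOWN_OBS_DIRS:
        reasons.append("obs binary outside its standard install directory: " + image)
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    if parent in SUSPICIOUS_PARENTS:
        reasons.append("launched by a scripting/host process: " + parent)
    cmd = event.get("CommandLine", "").lower()
    # OBS accepts --startstreaming and --minimize-to-tray; together they give an
    # unattended stream with no visible window, which a user rarely configures.
    if "--startstreaming" in cmd and "--minimize-to-tray" in cmd:
        reasons.append("unattended streaming flags on the command line")
    return reasons


def _trusted_host(host):
    return any(host == d or host.endswith("." + d) for d in TRUSTED_STREAM_DOMAINS)


def check_stream_service(service_json):
    """Inspect an OBS profile's service.json and return reasons its target is odd.

    OBS stores the stream destination per profile in service.json; a
    custom RTMP server appears as type "rtmp_custom" with a "server" URL.
    """
    svc = json.loads(service_json)
    if svc.get("type") != "rtmp_custom":
        return []  # built-in service presets (Twitch, YouTube, ...) are left alone
    server = svc.get("settings", {}).get("server", "")
    host = urlparse(server).hostname or ""
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return [] if _trusted_host(host) else ["custom RTMP host not in allowlist: " + host]
    return ["custom RTMP target is a raw IP address: " + server]


# Constructed sample data (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\obs-studio\bin\64bit\obs64.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Program Files\obs-studio\bin\64bit\obs64.exe"'},
    {"Image": r"C:\Users\victim\AppData\Roaming\svc\obs64.exe",
     "ParentImage": r"C:\Users\victim\AppData\Roaming\svc\pythonw.exe",
     "CommandLine": r"obs64.exe --startstreaming --minimize-to-tray --portable"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe"},
]
SAMPLE_SERVICES = [
    '{"type": "rtmp_common", "settings": {"service": "Twitch", "server": "auto", "key": "live_x"}}',
    '{"type": "rtmp_custom", "settings": {"server": "rtmp://203.0.113.10:1935/live", "key": "k1"}}',
    '{"type": "rtmp_custom", "settings": {"server": "rtmp://live.twitch.tv/app", "key": "k2"}}',
]


def hunt(events=SAMPLE_EVENTS, services=SAMPLE_SERVICES):
    """Run both checks and return {finding_id: [reasons]} for anything flagged."""
    findings = {}
    for i, ev in enumerate(events):
        reasons = score_process_event(ev)
        if reasons:
            findings["event:%d" % i] = reasons
    for i, svc in enumerate(services):
        reasons = check_stream_service(svc)
        if reasons:
            findings["service:%d" % i] = reasons
    return findings


if __name__ == "__main__":
    for key, reasons in hunt().items():
        print(key)
        for r in reasons:
            print("  -", r)
```

On the constructed samples only the OBS copy started by pythonw.exe from a user-profile directory and the profile pointing at a raw-IP RTMP server are flagged; the stock install launched from Explorer and the Twitch preset pass. The process check is the cheaper signal since it needs only existing process-creation telemetry, while the service.json check requires reading the OBS profile directory on the host.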
