Trend Micro discovered new malware that targets online gambling companies in China via a watering hole attack, in which visitors are tricked into downloading a malware loader disguised as a legitimate installer for well-known apps such as Adobe Flash Player or Microsoft Silverlight. Closer examination of the loader shows that it loads either Cobalt Strike shellcode or a previously undocumented backdoor written in Python, a new family named BIOPASS RAT (remote access trojan). BIOPASS RAT has the basic features found in other malware, such as file system assessment, remote desktop access, file exfiltration, and shell command execution. It can also compromise its victims' private information by stealing web browser and instant messaging client data. What makes BIOPASS RAT particularly interesting is that it monitors the victim's screen by abusing the framework of Open Broadcaster Software (OBS) Studio, a popular live streaming and video recording app, to live stream the desktop to a cloud service over the Real-Time Messaging Protocol (RTMP). In addition, the attack misuses the object storage service (OSS) of Alibaba Cloud (Aliyun) both to host the BIOPASS RAT Python scripts and to store the data exfiltrated from victims.
Always download software installers from the vendor's own site, and check that the file carries a valid code signature from the vendor it claims to come from: a signature that merely validates is not enough, since anyone can obtain a code-signing certificate and sign a loader, so the signer's identity must match the expected vendor. If the vendor publishes a checksum for the download, verify that the file matches it; take the expected value from the vendor's page, not from the site that served the file. Watering hole attacks work by compromising legitimate websites and having them serve malicious content, so perform these checks even when the download comes from a site you trust. Prompts to install Adobe Flash Player are a red flag on their own, since Adobe ended support for Flash Player at the end of 2020 and no longer distributes it.
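The two checks above, checksum and signer identity, as an added PowerShell example for the Windows endpoints these fake installers target. This is not code from the Trend Micro write-up; the function name, the expected hash and the signer pattern are placeholders, and the caller is assumed to have obtained the real values from the vendor's download page or a known-good install.

```powershell
# Added example, not from the original report. Verifies a downloaded installer
# before it is run: SHA-256 against a vendor-published value, then the
# Authenticode signature, which must both validate and name the expected vendor.
function Test-DownloadedInstaller {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Assumed to come from the vendor's own page, never from the download site itself.
        [Parameter(Mandatory)] [string] $ExpectedSha256,
        # Regex matched against the signer certificate subject, e.g. 'CN=Microsoft Corporation'.
        [Parameter(Mandatory)] [string] $ExpectedSignerPattern
    )
    $problems = @()

    # 1. Checksum. PowerShell's -ne on strings is case-insensitive, so the
    #    vendor's hex casing does not matter.
    $actual = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    if ($actual -ne $ExpectedSha256.Trim()) {
        $problems += "SHA-256 mismatch: got $actual, expected $ExpectedSha256"
    }

    # 2. Authenticode. 'Valid' means the chain builds to a trusted root and the
    #    file has not been altered; it says nothing about WHO signed it, so the
    #    subject is checked separately. An unsigned file has no SignerCertificate.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        $problems += "Authenticode status is '$($sig.Status)': $($sig.StatusMessage)"
    } elseif ($sig.SignerCertificate.Subject -notmatch $ExpectedSignerPattern) {
        $problems += "Signed, but by '$($sig.SignerCertificate.Subject)', not the expected vendor"
    }

    [pscustomobject]@{
        Path     = $Path
        Trusted  = ($problems.Count -eq 0)
        Signer   = $sig.SignerCertificate.Subject
        Sha256   = $actual
        Problems = $problems
    }
}

# Usage (placeholder values; a Trusted=$false result means do not run the file):
# Test-DownloadedInstaller -Path "$env:USERPROFILE\Downloads\Silverlight_x64.exe" `
#     -ExpectedSha256 '<hash from the vendor page>' `
#     -ExpectedSignerPattern 'CN=Microsoft Corporation'
```

Treat a `Trusted` value of `$false` as a hard stop regardless of which check failed: a hash mismatch on a file the page served means the site is handing out something other than what the vendor published, which is exactly the watering hole scenario described above.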