
A new backdoor trojan is making the rounds, coming equipped with features that allow it to steal files, take screengrabs, and record Skype conversations.

The trojan, named T9000, is an evolution of an older backdoor called T5000, spotted in the wild in 2013 and 2014 targeting human rights activists, the automotive industry, and governments in the Asia-Pacific region.

This time around, Palo Alto Networks researchers say T9000 has been spotted inside spear phishing emails received by US organizations, but that it is versatile enough to be used against any target the attacker wants to compromise.

The malware is infecting computers via malicious RTF files that exploit the CVE-2012-1856 and CVE-2015-1641 vulnerabilities to get a foothold on the user's PC.

A lot of effort was put into avoiding detection

Compared to its earlier version, T9000 is a lot more complicated.

Security researchers who have examined its make-up say the malware's authors put a lot of effort into avoiding getting detected.

T9000 features a multi-stage installation process, which checks before each phase for the presence of malware analysis tools and 24 security products such as Sophos, INCAInternet, DoctorWeb, Baidu, Comodo, TrustPortAntivirus, GData, AVG, BitDefender, VirusChaser, McAfee, Panda, Trend Micro, Kingsoft, Norton, Micropoint, Filseclab, AhnLab, JiangMin, Tencent, Avira, Kaspersky, Rising, and Qihoo 360.

If everything checks out and the internal verifications go through, the malware installs itself and then first collects information on the infected system and sends it to a C&C server, so it can mark the target and distinguish between each victim.

Three main modules are responsible for most of the backdoor's damage

After each infected computer has been identified and recorded, the C&C server will send specific modules to each target, based on the information it found that it can steal. Palo Alto researchers have identified three main modules.

The most important module (tyeu.dat) is responsible for spying on Skype conversations. As soon as the module is downloaded and launched into execution, the next time the user starts Skype, a message will appear at the top of their window saying "explorer.exe wants to use Skype."

This message is shown because the backdoor taps into the Skype API and shows this notification at the top. Users who agree to allow "explorer.exe" to interact with Skype are actually giving T9000 permission to spy on them.

T9000's Skype module can record both audio and video conversations, along with text chats, while also taking regular screenshots of video calls.

T9000 can also steal other files, not just data from Skype conversations

The second T9000 module is vnkd.dat, and this module is loaded only when the malware's author wants to steal files from the user's computer. Support is included for taking data from local removable storage devices with extensions such as doc, ppt, xls, docx, pptx, and xlsx.

The most innocuous module of them all (if we can say that) is qhnj.dat, which allows the C&C server to send commands to each computer and tell T9000 to create files and directories, delete files and directories, move files and directories, encrypt data, and copy the user's clipboard.

"The author of this backdoor has gone to great lengths to avoid being detected and to evade the scrutiny of the malware analysis community," Palo Alto researchers explained. This means this is a professional tool used in cyber-espionage. Previous reports have linked T5000 to an APT named Admin@338, related to China's unofficial cyber-army.

Back in December, the same Admin@338 APT was also linked to a malware distribution campaign that was using Dropbox accounts to host its C&C servers.

Source:

http://news.softpedia.com/news/t9000-backdoor-malware-targets-skype-users-records-conversations-500018.shtml

FPCH Admin

This message is shown because the backdoor taps into the Skype API and shows this notification at the top. Users who agree to allow "explorer.exe" to interact with Skype are actually giving T9000 permission to spy on them.

This is very sneaky. I know a lot of people that wouldn't think twice about allowing this.

Thanks, Pete!

~I know that you believe you understand what you think I said, but I'm not sure you realize that what you heard is not what I meant.~

~~Robert McCloskey~~
