New RAT Uses OBS Studio Streaming App to Record Screens of Victims' Devices


Researchers found the RAT in legitimate Adobe Flash Player and Microsoft Silverlight installers.

Trend Micro has discovered new malware that uses the popular OBS Studio streaming application to record the victim’s device screen and transmit it to attackers.

BIOPASS is a Python Remote Access Trojan (RAT) used in recent attacks on Chinese online casinos. Researchers found the RAT in legitimate installers for Adobe Flash Player and Microsoft Silverlight, which, despite their expiration date, are still in use in China.

As the researchers explained, the hackers injected JavaScript code into the online casino support pages that redirected potential victims to pages with installers containing malware. Along with the original Flash and Silverlight applications, the BIOPASS Trojan was also downloaded, giving cybercriminals complete control over the infected system.

Although BIOPASS is similar to other RATs, it has unique features that are not found in other malware. In particular, it installs OBS Studio on the attacked system. According to experts, the attackers need the RTMP (Real-Time Messaging Protocol) streaming protocol used in the application to record the victim’s device screen and transmit it to the hackers’ control panel.
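The OBS Studio and RTMP behaviour described above can be hunted in endpoint telemetry. The following is an added example, not code from Trend Micro or from the original article: it correlates constructed Sysmon-style process and network events, and the OBS binary names, RTMP port 1935, the explorer.exe parent heuristic and every sample value are assumptions.

```python
import ntpath

# Assumptions, not taken from the article: OBS Studio's Windows binaries are
# obs64.exe/obs32.exe, RTMP is on its default TCP port 1935, and a launch by
# the logged-in user has explorer.exe as the parent process.
OBS_IMAGES = {"obs64.exe", "obs32.exe"}
RTMP_PORT = 1935
INTERACTIVE_PARENTS = {"explorer.exe"}

# Constructed events shaped like Sysmon ID 1 (process create) and ID 3
# (network connect); hosts, paths and addresses are made up.
SAMPLE_EVENTS = [
    {"EventID": 1, "Host": "desk-01", "ProcessGuid": "a1",
     "Image": r"C:\Program Files\obs-studio\bin\64bit\obs64.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 3, "Host": "desk-01", "ProcessGuid": "a1",
     "DestinationIp": "203.0.113.10", "DestinationPort": 1935},
    {"EventID": 1, "Host": "desk-02", "ProcessGuid": "b7",
     "Image": r"C:\Users\Public\obs-studio\bin\64bit\obs64.exe",
     "ParentImage": r"C:\Users\Public\python.exe"},
    {"EventID": 3, "Host": "desk-02", "ProcessGuid": "b7",
     "DestinationIp": "198.51.100.23", "DestinationPort": 443},
    {"EventID": 3, "Host": "desk-02", "ProcessGuid": "b7",
     "DestinationIp": "198.51.100.23", "DestinationPort": 1935},
    {"EventID": 3, "Host": "desk-02", "ProcessGuid": "c9",
     "DestinationIp": "192.0.2.5", "DestinationPort": 1935},
]

def _name(path):
    """Lower-cased file name of a Windows path."""
    return ntpath.basename(path).lower()

def find_obs_rtmp_streams(events):
    """Correlate OBS process starts with later RTMP connections by process GUID."""
    obs_procs, alerts = {}, []
    for ev in events:
        key = (ev["Host"], ev["ProcessGuid"])
        if ev["EventID"] == 1 and _name(ev["Image"]) in OBS_IMAGES:
            obs_procs[key] = ev
        elif ev["EventID"] == 3 and key in obs_procs and ev["DestinationPort"] == RTMP_PORT:
            parent = _name(obs_procs[key]["ParentImage"])
            # OBS started by something other than the user's shell is the stronger signal.
            severity = "review" if parent in INTERACTIVE_PARENTS else "high"
            alerts.append({"host": ev["Host"], "severity": severity, "parent": parent,
                           "image": obs_procs[key]["Image"], "dest": ev["DestinationIp"]})
    return alerts

if __name__ == "__main__":
    for alert in find_obs_rtmp_streams(SAMPLE_EVENTS):
        print(alert)
```

RTMP can run on other ports, so a port match alone will miss streams to non-default ports; on hosts where OBS Studio has no business purpose, its mere installation is worth an alert.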

It is currently unknown who is behind BIOPASS, but the researchers were able to find several facts indicating the Trojan’s connection with Winnti (also known as APT41), a group of Chinese “state” hackers. The researchers’ assumptions look quite plausible, since APT41 is well known for conducting cyber-espionage operations during “working” hours and, in its free time, does not hesitate to carry out cyber attacks on gaming companies in Southeast Asia for financial gain.

Interestingly, a large number of BIOPASS functions are aimed at stealing data from popular browsers and messengers used in mainland China.
