
T9000 Backdoor Malware Targets Skype Users, Records Conversations


Petrovic


A new backdoor trojan is making the rounds, coming equipped with features that allow it to steal files, take screengrabs, and record Skype conversations.

 

The trojan, named T9000, is an evolution of an older backdoor called T5000, spotted in the wild in 2013 and 2014 targeting human rights activists, the automotive industry, and governments in the Asia-Pacific region.

 

This time around, Palo Alto Networks researchers say T9000 has been spotted inside spear phishing emails received by US organizations, but that T9000 is versatile enough to be used against any target the attacker wants to compromise.

 

The malware is infecting computers via malicious RTF files that exploit the CVE-2012-1856 and CVE-2015-1641 vulnerabilities to get a foothold on the user's PC.

 

A lot of effort was put into avoiding detection

Compared to its earlier version, T9000 is a lot more complicated. Security researchers who have examined its make-up say the malware's authors have put a lot of effort into avoiding detection.

 

T9000 features a multi-stage installation process, which checks before each phase for the presence of malware analysis tools and 24 security products such as Sophos, INCAInternet, DoctorWeb, Baidu, Comodo, TrustPortAntivirus, GData, AVG, BitDefender, VirusChaser, McAfee, Panda, Trend Micro, Kingsoft, Norton, Micropoint, Filseclab, AhnLab, JiangMin, Tencent, Avira, Kaspersky, Rising, and Qihoo 360.

 

If everything checks out and the internal verifications go through, the malware installs itself and then collects information on the infected system and sends it to a C&C server, so the operators can mark the target and distinguish between victims.

 

Three main modules are responsible for most of the backdoor's damage

After each infected computer has been identified and recorded, the C&C server sends specific modules to each target, based on what the collected information shows it can steal. Palo Alto researchers have identified three main modules.

 

The most important module (tyeu.dat) is responsible for spying on Skype conversations. As soon as the module is downloaded and executed, the next time the user starts Skype, a message appears at the top of the window saying "explorer.exe wants to use Skype."


 

This message is shown because the backdoor taps into the Skype API and shows this notification at the top. Users that agree to allow "explorer.exe" to interact with Skype are actually giving T9000 permissions to spy on them.

 

T9000's Skype module can record both audio and video conversations, along with text chats, while also taking regular screenshots of video calls.

 

T9000 can also steal other files, not just data from Skype conversations

The second T9000 module is vnkd.dat, and this module is loaded only when the malware's operator wants to steal files from the user's computer. Support is included for taking files with extensions such as doc, ppt, xls, docx, pptx, and xlsx from local removable storage devices.

 

The most innocuous module of them all (if we can say that) is qhnj.dat, which allows the C&C server to send commands to each computer and tell T9000 to create files and directories, delete files and directories, move files and directories, encrypt data, and copy the user's clipboard.
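The article gives three facts a defender can act on: the three module file names (tyeu.dat, vnkd.dat, qhnj.dat), the Skype prompt naming explorer.exe as the program asking for access, and the malicious RTF documents used for the initial foothold. The script below is an added example, not code from the article or from Palo Alto Networks. It runs three simple rules over constructed, Sysmon-style process and file events: a known module name being written to disk, a process calling itself explorer.exe from outside the Windows directory, and an Office application spawning a child process. The event schema, the sample records and the rule thresholds are assumptions made for this example.

```python
"""Added triage example (not from the article): flag events that match
what the article reports about T9000. The event schema and the sample
records below are constructed for this example."""
import json
import ntpath

# Module file names named in the article.
T9000_MODULES = {"tyeu.dat", "vnkd.dat", "qhnj.dat"}
# The genuine explorer.exe lives here; anything else using that name is suspect.
WINDOWS_DIR = r"c:\windows"
# Office binaries that normally do not spawn child processes (assumption).
OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe"}

# Constructed sample events, one JSON object per line (not real telemetry).
SAMPLE_EVENTS = [
    r'{"event": "ProcessCreate", "image": "C:\\Windows\\explorer.exe", "parent": "C:\\Windows\\System32\\userinit.exe"}',
    r'{"event": "ProcessCreate", "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\explorer.exe", "parent": "C:\\Program Files\\Microsoft Office\\Office15\\WINWORD.EXE"}',
    r'{"event": "FileCreate", "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\explorer.exe", "target": "C:\\Users\\alice\\AppData\\Roaming\\Intel\\tyeu.dat"}',
    r'{"event": "FileCreate", "image": "C:\\Program Files\\Skype\\Phone\\Skype.exe", "target": "C:\\Users\\alice\\AppData\\Roaming\\Skype\\alice\\main.db"}',
]


def parse_event(line):
    """Decode one JSON event and add lower-cased path components for matching."""
    ev = json.loads(line)
    ev["image_name"] = ntpath.basename(ev["image"]).lower()
    ev["image_dir"] = ntpath.dirname(ev["image"]).lower()
    if "parent" in ev:
        ev["parent_name"] = ntpath.basename(ev["parent"]).lower()
    if "target" in ev:
        ev["target_name"] = ntpath.basename(ev["target"]).lower()
    return ev


def check_module_drop(ev):
    """A file with one of the reported T9000 module names is written to disk."""
    if ev["event"] == "FileCreate" and ev.get("target_name") in T9000_MODULES:
        return f"known T9000 module name written: {ev['target']}"
    return None


def check_explorer_masquerade(ev):
    """A process named explorer.exe starts from somewhere other than the Windows directory."""
    if (ev["event"] == "ProcessCreate" and ev["image_name"] == "explorer.exe"
            and ev["image_dir"] != WINDOWS_DIR):
        return f"explorer.exe running outside the Windows directory: {ev['image']}"
    return None


def check_office_child(ev):
    """An Office application spawns a process, as a document exploit typically does."""
    if ev["event"] == "ProcessCreate" and ev.get("parent_name") in OFFICE_IMAGES:
        return f"Office application spawned a process: {ev['parent']} -> {ev['image']}"
    return None


RULES = {
    "t9000_module_drop": check_module_drop,
    "explorer_masquerade": check_explorer_masquerade,
    "office_child_process": check_office_child,
}


def triage(lines):
    """Return a list of (rule_name, detail) hits for the given event lines."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        for name, rule in RULES.items():
            detail = rule(ev)
            if detail:
                hits.append((name, detail))
    return hits


if __name__ == "__main__":
    for name, detail in triage(SAMPLE_EVENTS):
        print(f"[{name}] {detail}")
```

The first sample event (the real explorer.exe started by userinit.exe) produces no hit, while the Temp-folder explorer.exe spawned by WINWORD.EXE and the write of tyeu.dat each do. The explorer.exe rule covers only the case where a separate binary borrows the name; the article does not say whether T9000 injects into the real explorer.exe instead, so a Skype prompt for explorer.exe still deserves a look even when this rule stays quiet.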

 

"The author of this backdoor has gone to great lengths to avoid being detected and to evade the scrutiny of the malware analysis community," Palo Alto researchers explained. This means this is a professional tool used in cyber-espionage. Previous reports have linked T5000 to an APT named Admin@338, linked to China's unofficial cyber-army.

Article source
