Malware abuses OBS live-streaming software to record victims’ screens
Image: The Record
Catalin Cimpanu July 11, 2021

Malware abuses OBS live-streaming software to record victims’ screens

Malware abuses OBS live-streaming software to record victims’ screens

  • Trend Micro discovers new BIOPASS RAT malware in attacks against Chinese gambling site users.
  • BIOPASS uses OBS Studio software to broadcast victims' screen to the attackers.
  • Links have been found between BIOPASS and a Chinese espionage group known as Winnti/APT41.

Security researchers have uncovered a new malware strain that uses the popular OBS Studio live-streaming app to record and broadcast the screen of its victims to attackers.

Named BIOPASS, this malware is a remote access trojan (RAT) coded in Python that was spotted in recent attacks targeting online gambling companies in China.

Discovered by security firm Trend Micro, the RAT has been disguised inside legitimate installers for Adobe Flash Player or Microsoft Silverlight, two technologies that are still being used in China, despite reaching EOL (end-of-life).

According to a report published last week, malicious JavaScript code planted by attackers on the tech/chat support pages of Chinese gambling-related sites redirected users to pages offering would-be victims tainted installers.

Those who installed the malicious Flash and Silverlight apps would install a legitimate version of the software, but also the BIOPASS RAT, which granted attackers full control over their systems.

BIOPASS RAT possesses basic features found in other malware, such as file system assessment, remote desktop access, file exfiltration, and shell command execution. It also has the ability to compromise the private information of its victims by stealing web browser and instant messaging client data.

Trend Micro

But while BIOPASS looks like any other RAT, it also comes with a new feature not seen in any other malware strain—namely, it installs the OBS Studio software on victims’ systems.

Per Trend Micro, the attackers use OBS Studio’s RTMP (Real-Time Messaging Protocol) streaming capabilities to record the user’s screen and broadcast it to an attacker’s control panel.

BIOPASS RAT control panel login
BIOPASS RAT control panel login
Image: Trend Micro

It is currently unclear who is behind this malware strain; however, Trend Micro said it found several clues linking the BIOPASS malware to a group of Chinese state-sponsored hackers known as Winnti or APT41.

This would fit into the group’s modus operandi since APT41 has been known to engage in cyber-espionage operations during their regular work hours and then carry out financially motivated attacks against online gaming companies across Southeast Asia for personal profits.

However, while the clues were there, Trend Micro has not made any formal link just yet.

One particularly interesting detail was the fact that a large number of BIOPASS’ features were implemented to target and steal the private data of popular web browsers and instant messengers typically used in mainland China, which would suggest this was an operation targeted at local Chinese entities, something that might get a state-sponsored actor like APT41 in hot water with their handlers.

Catalin Cimpanu is a cybersecurity reporter for The Record. He previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.