Published on February 8th, 2016
New Malware Targets Skype Users, Saves Screenshots, Records Conversations
The internet is abuzz with news about a new backdoor Trojan equipped with such advanced features that it can steal files, capture screenshots and record Skype conversations.
The Trojan T9000 is an evolved and more advanced version of the older T5000 backdoor Trojan. T5000 was identified in 2013 and again in 2014 and targeted the automotive industry, human rights activists and Asia Pacific governments.
The T9000 Trojan was spotted by Palo Alto Networks researchers, who report that it is delivered in spear-phishing emails sent to organizations in the US. However, the researchers believe that this new backdoor is versatile enough to be used against any entity the attackers wish to compromise.
Computers are infected through malicious RTF files that exploit the CVE-2012-1856 and CVE-2015-1641 vulnerabilities to gain control of the targeted PC.
Compared to T5000, T9000 is much more complex, and the security researchers who analyzed it say that this time the malware's authors put a lot of effort into making the Trojan hard to detect.
The Trojan uses a multi-stage installation procedure; before each phase begins, the malware checks the targeted PC for installed analysis tools and for the 24 most common security products. The security products this Trojan checks for are: “Sophos, INCAInternet, DoctorWeb, Baidu, Comodo, TrustPortAntivirus, GData, AVG, BitDefender, VirusChaser, McAfee, Panda, Trend Micro, Kingsoft, Norton, Micropoint, Filseclab, AhnLab, JiangMin, Tencent, Avira, Kaspersky, Rising, and Qihoo 360.”
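The pre-installation check described above is itself something a defender can look for: a process that probes the install locations of many different security vendors within a few seconds is unusual for legitimate software. The following is an added example, not code from the article or from Palo Alto Networks. It runs a simple sliding-window heuristic over constructed file-access log lines; the log format, process names, timestamps and the vendor path fragments it matches on are all assumptions for illustration, not paths T9000 is known to check. The vendor names themselves come from the article's list.

```python
"""Added example (not from the article or Palo Alto Networks): flag a process
that touches the install locations of several different security products
within a short window, the kind of pre-installation check the article
attributes to T9000. All log data below is constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Vendor names are taken from the article's list of 24 products. The path
# fragments they map to are assumptions for illustration only.
VENDOR_MARKERS = {
    "sophos": "Sophos", "avg": "AVG", "bitdefender": "BitDefender",
    "mcafee": "McAfee", "kaspersky": "Kaspersky", "avira": "Avira",
    "trend micro": "Trend Micro", "norton": "Norton", "comodo": "Comodo",
    "panda": "Panda", "gdata": "GData", "qihoo": "Qihoo 360",
}

# Constructed file-access log, one event per line:
#   "<ISO timestamp> <pid> <process name> <path>"
# pid 4120 probes six vendor directories in three seconds (suspicious);
# pid 2210 touches two vendor files half an hour apart (benign).
SAMPLE_LOG = """\
2016-02-08T10:00:01 4120 winword.exe C:\\Users\\u\\AppData\\Local\\Temp\\a.tmp
2016-02-08T10:00:02 4120 winword.exe C:\\Program Files\\Sophos\\
2016-02-08T10:00:02 4120 winword.exe C:\\Program Files\\AVG\\
2016-02-08T10:00:03 4120 winword.exe C:\\Program Files\\Bitdefender\\
2016-02-08T10:00:03 4120 winword.exe C:\\Program Files\\McAfee\\
2016-02-08T10:00:04 4120 winword.exe C:\\Program Files\\Kaspersky Lab\\
2016-02-08T10:00:04 4120 winword.exe C:\\Program Files\\Avira\\
2016-02-08T10:30:00 2210 svchost.exe C:\\Program Files\\Sophos\\log.txt
2016-02-08T11:00:00 2210 svchost.exe C:\\Program Files\\McAfee\\log.txt
"""


def parse_line(line):
    """Split one constructed log line; maxsplit=3 keeps spaces in the path."""
    ts, pid, proc, path = line.split(" ", 3)
    return datetime.fromisoformat(ts), int(pid), proc, path


def vendor_for(path):
    """Return the security vendor whose install location this path matches,
    or None if the path is unrelated to any listed product."""
    lowered = path.lower()
    for marker, vendor in VENDOR_MARKERS.items():
        if marker in lowered:
            return vendor
    return None


def find_av_enumerators(log_text, min_vendors=4, window=timedelta(seconds=30)):
    """Return {(pid, process): sorted vendor names} for every process that
    touched at least min_vendors distinct vendor locations inside one
    sliding window of the given length."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, pid, proc, path = parse_line(line)
        vendor = vendor_for(path)
        if vendor:
            events[(pid, proc)].append((ts, vendor))

    hits = {}
    for key, evs in events.items():
        evs.sort()
        # Anchor a window at each event and count distinct vendors inside it.
        for i, (t0, _) in enumerate(evs):
            seen = {v for t, v in evs[i:] if t - t0 <= window}
            if len(seen) >= min_vendors:
                hits[key] = sorted(seen)
                break
    return hits


if __name__ == "__main__":
    for (pid, proc), vendors in find_av_enumerators(SAMPLE_LOG).items():
        print(f"{proc} (pid {pid}) probed {len(vendors)} vendors: {vendors}")
```

The threshold and window are deliberately conservative: a backup agent or an installer may legitimately touch one or two vendor directories, so the rule fires only when several distinct products are probed in quick succession by a single process, which is what the staged checks described in the article would look like on the endpoint.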
After these checks, the malware installs itself and performs internal verifications. It then collects information stored on the infected system and sends it to the command and control server.
Once the computer has been infected, identified and recorded, the command and control server sends specific modules to the targeted device according to what information can be stolen from it.
Palo Alto researchers believe that most of the damage T9000 does to a system comes from three main modules. According to their analysis, the most important of the three is tyeu.dat, because it spies on Skype conversations.
When this module is downloaded and executed, the user sees the message “explorer.exe wants to use Skype” the next time they start Skype, as shown in the screenshot below:
This message appears because the malware hooks into the Skype API, and Skype displays the notification at the top of its window. If the user clicks the allow button and agrees that “explorer.exe” may interact with Skype, T9000 gains permission to spy on the user's Skype activity.
T9000’s Skype spying module records audio and video calls as well as text chats, and regularly takes screenshots of video calls. It can also steal data and other files exchanged in Skype conversations.