T9000 Backdoor Can Spy on Your Skype Activity

Hello all Skype users!

PaloAlto Networks discovered the T9000 backdoor, which is designed to infect victims’ machines to steal files, take screengrabs, and record Skype conversations.

The researchers believe that the backdoor was developed by skilled professionals, judging by the evasion techniques implemented in the malicious code.

The malware looks like a hybrid variant of another malware dubbed T5000 that was detected in the wild two years ago.

In a blog post PaloAlto Networks said: “In addition to the basic functionality all backdoors provide, T9000 allows the attacker to capture encrypted data, take screenshots of specific applications and specifically target Skype users. The malware goes to great lengths to identify a total of 24 potential security products that may be running on a system and customizes its installation mechanism to specifically evade those that are installed.”

T9000 has been used in multiple targeted attacks against organisations worldwide, including US organisations. The backdoor has a multistage execution flow, which starts when the victim opens an RTF file containing exploits for specific vulnerabilities (namely CVE-2012-1856 and CVE-2015-1641).

Before installing itself, it checks for the presence of defense solutions and malware analysis tools, including Sophos, INCAInternet, DoctorWeb, Baidu, Comodo, TrustPortAntivirus, GData, AVG, BitDefender, VirusChaser, McAfee, Panda, Trend Micro, Kingsoft, Norton, Micropoint, Filseclab, AhnLab, JiangMin, Tencent, Avira, Kaspersky, Rising, and Qihoo 360.

The T9000 backdoor first collects information on the target system and sends it to the C&C server, where the control infrastructure sends specific commands to the bot based on the characteristics of the infected machine.

Three main plugins in the T9000 backdoor have been identified by PaloAlto researchers: tyeu.dat, vnkd.dat and qhnj.dat.

tyeu.dat implements the features to spy on Skype conversations. When it hooks into the Skype API, the message “explorer.exe wants to use Skype.” is shown to the victim; once accepted, the module can record both audio and video conversations, spy on text chats and take regular screenshots of video calls.

The vnkd.dat component is loaded to steal files from the infected computer, while the third module, qhnj.dat, implements backdoor functionality to control the local file system (i.e. create/delete/move and encrypt files and directories, and copy the user’s clipboard).

Happy Skyping!

Source: Akati
