Backdoor Uses FFmpeg Application to Spy on Victims

A recently observed feature-rich backdoor is capable of spying on its victim’s activities by recording full videos with the help of the “FFmpeg” application, Malwarebytes warns.

Detected as Backdoor.DuBled and written in .NET, the malware is distributed through a JS file containing an executable that installs itself under a random name. To achieve persistence, the threat uses a Run key, while also dropping a copy of itself in the Startup folder.

The threat downloads the legitimate applications Rar.exe and ffmpeg.exe, along with related DLLs (DShowNet.dll and DirectX.Capture.dll) and uses them for its nefarious operations, the security researchers reveal.

FFmpeg is described by its developers as a “complete, cross-platform solution to record, convert and stream audio and video.”

While running, the malware creates unencrypted .tmp files inside its installation folder, containing captured keystrokes and a log of the running applications. It was also observed closing and deleting some applications from the compromised machine, including ProcessExplorer and baretail.

Communication with the command and control (C&C) server is performed over TCP using port 98. Initial beaconing is performed by the server via a command “idjamel,” to which the threat responds with basic information about the victim machine, such as name/username, operating system, and a list of running processes.

Next, the server sends the configuration, which includes a list of targeted banks that the malware saves to the registry. The C&C also sends a set of Base64-encoded PE files, including non-malicious helper binaries, and a URL to download the FFmpeg application (but the link points to a dummy page when accessed).

The analyzed sample was packed with the help of CloudProtector, which decrypts the payload using a custom algorithm and a key supplied in the configuration. The decrypted executable is then loaded in memory using process hollowing (or the RunPE technique).

“The unpacked payload is the layer containing all the malicious features. It is not further obfuscated, so we can easily decompile it and read the code,” Malwarebytes explains.

The threat was designed to spy on users and backdoor the infected machines. It can record videos using the FFmpeg application, snap screenshots, and log keystrokes. The video recording event is triggered when the victim accesses a site related to online banking, which clearly reveals the final purpose of the threat’s authors: to spy on victims’ banking activities.

Recorded videos are sent to the C&C encoded in Base64, while the screenshots (saved as JPG) and captured logs are periodically compressed using the RAR application, and then sent to the server.

The malware can also enumerate opened windows and can disable anti-malware applications. What’s more, the bot’s functionality can be expanded with the help of plugins, which it downloads from the C&C.
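The behaviours described above (helper tools dropped into a user-writable folder, a Run key for persistence, outbound TCP on port 98, and analysis tools being killed) can be turned into a simple host-scoring hunt. The script below is an added example, not code from the article or from Malwarebytes; the event dictionaries are constructed Sysmon-style samples and the field names are assumptions.

```python
"""Score hosts for the DuBled traits described in the article (added example)."""
from collections import defaultdict

# Constructed sample telemetry, not real captures; field names are assumptions.
EVENTS = [
    {"host": "ws1", "type": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": r"C:\Users\bob\AppData\Roaming\kqzr\kqzr.exe"},
    {"host": "ws1", "type": "file_create", "path": r"C:\Users\bob\AppData\Roaming\kqzr\ffmpeg.exe"},
    {"host": "ws1", "type": "file_create", "path": r"C:\Users\bob\AppData\Roaming\kqzr\Rar.exe"},
    {"host": "ws1", "type": "network_connect", "proto": "tcp", "dst_port": 98, "dst_ip": "198.51.100.7"},
    {"host": "ws1", "type": "process_terminate", "image": r"C:\Tools\procexp.exe"},
    # Benign host: ffmpeg in Program Files, ordinary HTTPS traffic.
    {"host": "ws2", "type": "file_create", "path": r"C:\Program Files\ffmpeg\bin\ffmpeg.exe"},
    {"host": "ws2", "type": "network_connect", "proto": "tcp", "dst_port": 443, "dst_ip": "203.0.113.9"},
]

HELPER_TOOLS = {"ffmpeg.exe", "rar.exe", "dshownet.dll", "directx.capture.dll"}  # from the article
KILLED_TOOLS = {"procexp.exe", "procexp64.exe", "baretail.exe"}                  # ProcessExplorer, baretail
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\")
C2_PORT = 98


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def in_user_writable(path):
    return any(d in path.lower() for d in USER_WRITABLE)


def score_host(events):
    """Return (score, reasons). Each distinct DuBled trait counts once per host."""
    reasons = set()
    for e in events:
        t = e["type"]
        if t == "file_create" and basename(e["path"]) in HELPER_TOOLS and in_user_writable(e["path"]):
            reasons.add("helper tool dropped in user-writable dir")
        elif t == "registry_set" and e["key"].lower().endswith("\\currentversion\\run") and in_user_writable(e["value"]):
            reasons.add("Run key pointing into user-writable dir")
        elif t == "network_connect" and e["proto"] == "tcp" and e["dst_port"] == C2_PORT:
            reasons.add("outbound TCP/98 (reported C&C port)")
        elif t == "process_terminate" and basename(e["image"]) in KILLED_TOOLS:
            reasons.add("analysis tool terminated")
    return len(reasons), sorted(reasons)


def hunt(events, threshold=2):
    """Map host -> (score, reasons) for hosts at or above the threshold."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)
    scored = {h: score_host(evs) for h, evs in by_host.items()}
    return {h: sr for h, sr in scored.items() if sr[0] >= threshold}


if __name__ == "__main__":
    for host, (score, why) in hunt(EVENTS).items():
        print(f"{host}: score {score}: {', '.join(why)}")
```

A single trait such as port 98 alone is weak evidence; requiring two or more independent traits per host keeps false positives down.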

Two of the plugins the malware downloaded during analysis provided it with capabilities typical for a RAT: processmanager.dll (written in 2015) and remotedesktop.dll (written in 2016). The latter plugin was obfuscated, although the main malware module and the former plugin weren’t.

“This malware is prepared by an unsophisticated actor. Neither the binary nor the communication protocol is well obfuscated. The used packer is well-known and easy to defeat. However, the malware is rich in features and it seems to be actively maintained. Its capabilities of spying on the victim and backdooring the attacked machine should not be taken lightly,” Malwarebytes concludes.

Related: Hackers Are Using NSA’s DoublePulsar Backdoor in Attacks

Related: APT29 Uses Stealthy Backdoor to Maintain Access to Targets

Related: Turla Group Improves Carbon Backdoor

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
