Backdoor Uses FFmpeg Application to Spy on Victims

A recently observed feature-rich backdoor is capable of spying on its victim’s activities by recording full videos with the help of the “FFmpeg” application, Malwarebytes warns.

Detected as Backdoor.DuBled and written in .NET, the malware is distributed through a JS file that carries the executable and installs it under a random name. To achieve persistence, the threat sets a Run registry key and also drops a copy of itself in the Startup folder.

The threat downloads the legitimate applications Rar.exe and ffmpeg.exe, along with the related DLLs DShowNet.dll and DirectX.Capture.dll, and uses them for its spying operations, the security researchers reveal.

FFmpeg is described by its developers as a “complete, cross-platform solution to record, convert and stream audio and video.”

While running, the malware writes unencrypted .tmp files to its installation folder, containing captured keystrokes and a log of the running applications. It was also observed terminating and deleting some applications on the compromised machine, including Process Explorer and BareTail.

Communication with the command and control (C&C) server is performed over TCP on port 98. The initial exchange is started by the server, which sends the command “idjamel”; the threat responds with basic information about the victim machine, such as computer name/username, operating system, and a list of running processes.
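The behaviours described so far (a .NET binary installed under a random name, a Run key and a Startup-folder copy, ffmpeg.exe and the capture DLLs running from a user-writable directory, and TCP port 98 for C&C) are all visible in endpoint telemetry. The following hunting logic is an added example written for this page, not Malwarebytes' or SecurityWeek's code. It assumes Sysmon-style events (EventID 1 process create, 3 network connect, 7 image load, 11 file create, 13 registry value set) with the usual Sysmon field names; the sample events, host names and paths are constructed for the demonstration.

```python
"""Correlate DuBled-like traits across Sysmon-style events per host.

Added example for the article; field names mirror Sysmon, the events are
constructed. A single trait (e.g. ffmpeg.exe in AppData) is common in benign
use, so a host is only reported when several distinct traits co-occur.
"""
import os
from collections import defaultdict

# Indicators taken from the article.
DROPPED_TOOLS = {"rar.exe", "ffmpeg.exe"}
HELPER_DLLS = {"dshownet.dll", "directx.capture.dll"}
C2_PORT = 98
RUN_KEY_FRAGMENT = "\\currentversion\\run\\"
STARTUP_FRAGMENT = "\\start menu\\programs\\startup\\"
# Locations an unprivileged dropper can write to (assumption: the article does
# not name the install directory, only that the name is random).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\")


def _basename(path):
    return os.path.basename(path.replace("\\", "/")).lower()


def _user_writable(path):
    p = path.lower()
    return any(frag in p for frag in USER_WRITABLE)


def classify(event):
    """Return a rule name if one event matches a DuBled trait, else None."""
    eid = event["EventID"]
    if eid == 1 and _basename(event["Image"]) in DROPPED_TOOLS and _user_writable(event["Image"]):
        return "tool_from_user_dir"          # Rar.exe / ffmpeg.exe outside Program Files
    if eid == 7 and _basename(event["ImageLoaded"]) in HELPER_DLLS and _user_writable(event["ImageLoaded"]):
        return "capture_dll_loaded"          # DShowNet.dll / DirectX.Capture.dll
    if eid == 3 and event["Protocol"] == "tcp" and event["DestinationPort"] == C2_PORT:
        return "tcp_98_beacon"               # C&C on TCP/98
    if eid == 13 and RUN_KEY_FRAGMENT in event["TargetObject"].lower() and _user_writable(event["Details"]):
        return "run_key_to_user_dir"         # Run key pointing into AppData/Temp
    if eid == 11 and STARTUP_FRAGMENT in event["TargetFilename"].lower() and event["TargetFilename"].lower().endswith(".exe"):
        return "startup_folder_drop"         # executable copied to Startup folder
    return None


def hunt(events, min_rules=2):
    """Group rule hits by host; report hosts with at least min_rules distinct hits."""
    hits = defaultdict(set)
    for ev in events:
        rule = classify(ev)
        if rule:
            hits[ev["Computer"]].add(rule)
    return {host: sorted(rules) for host, rules in hits.items() if len(rules) >= min_rules}


# Constructed sample: WS01 shows the full chain, WS02 is a developer using a
# properly installed ffmpeg and talking HTTPS.
SAMPLE_EVENTS = [
    {"EventID": 13, "Computer": "WS01",
     "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\wkzqpl",
     "Details": "C:\\Users\\alice\\AppData\\Roaming\\wkzqpl\\wkzqpl.exe"},
    {"EventID": 11, "Computer": "WS01",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\wkzqpl.exe"},
    {"EventID": 1, "Computer": "WS01", "Image": "C:\\Users\\alice\\AppData\\Roaming\\wkzqpl\\ffmpeg.exe"},
    {"EventID": 7, "Computer": "WS01", "ImageLoaded": "C:\\Users\\alice\\AppData\\Roaming\\wkzqpl\\DirectX.Capture.dll"},
    {"EventID": 3, "Computer": "WS01", "Protocol": "tcp", "DestinationPort": 98},
    {"EventID": 1, "Computer": "WS02", "Image": "C:\\Program Files\\ffmpeg\\bin\\ffmpeg.exe"},
    {"EventID": 3, "Computer": "WS02", "Protocol": "tcp", "DestinationPort": 443},
]

if __name__ == "__main__":
    for host, rules in hunt(SAMPLE_EVENTS).items():
        print(host, "->", ", ".join(rules))
```

The threshold in `hunt` is the important design choice: each rule on its own is noisy (video tools in a user profile, an odd destination port), but the combination of a Run key into a user-writable directory, a capture DLL loaded from the same place and a TCP/98 connection is specific enough to page on. The process-kill behaviour the article mentions is deliberately not a rule here, because Sysmon's process-terminate event does not record which process requested the termination.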

Next, the server sends the configuration, which includes a list of targeted banks that the malware saves to the registry. The C&C also sends a set of Base64-encoded PE files, including non-malicious helper binaries, and a URL from which to download the FFmpeg application (the link pointed to a dummy page when accessed).
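Because the protocol is unencrypted and the binaries travel as Base64 text, a PE file can be carved straight out of a capture of the TCP/98 session. The following is an added example, not Malwarebytes' or SecurityWeek's code, and it assumes nothing about the real framing beyond what the article states: it scans any text for long Base64 runs, decodes them, and keeps the ones that decode to a valid MZ/PE image (MZ signature, e_lfanew at offset 0x3C, "PE\0\0" at that offset). The capture text and the minimal PE image in it are constructed for the demonstration.

```python
"""Carve Base64-encoded PE files out of captured C&C text.

Added example for the article. Real captures may line-wrap the Base64, in
which case the wrapped lines should be joined before calling carve_base64_pes.
"""
import base64
import binascii
import hashlib
import re
import struct

# A Base64 run long enough to be worth decoding (64+ chars, optional padding).
B64_RUN = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")


def is_pe(blob):
    """True if blob has an MZ header and a PE signature at e_lfanew."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return e_lfanew + 4 <= len(blob) and blob[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def carve_base64_pes(text):
    """Return offset, size and SHA-256 of every Base64 run that decodes to a PE."""
    found = []
    for m in B64_RUN.finditer(text):
        try:
            blob = base64.b64decode(m.group(0), validate=True)
        except (binascii.Error, ValueError):
            continue  # not valid Base64 (bad padding, wrong length)
        if is_pe(blob):
            found.append({
                "offset": m.start(),
                "size": len(blob),
                "sha256": hashlib.sha256(blob).hexdigest(),
            })
    return found


def _fake_pe(tag):
    """Constructed minimal PE-shaped image: MZ header, e_lfanew -> 0x80, PE\\0\\0."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)
    return bytes(dos) + b"\0" * (0x80 - 0x40) + b"PE\0\0" + tag


# Constructed capture: a config line, a non-PE blob, and one encoded PE.
SAMPLE_CAPTURE = (
    "CONFIG bank=examplebank.test\r\n"
    "DATA " + base64.b64encode(b"A" * 100).decode() + "\r\n"
    "PE " + base64.b64encode(_fake_pe(b"helper-one")).decode() + "\r\n"
)

if __name__ == "__main__":
    for hit in carve_base64_pes(SAMPLE_CAPTURE):
        print(hit)
```

The MZ check alone is not enough: plenty of Base64 runs decode to bytes that happen to start with "MZ", so the e_lfanew/PE signature test is what keeps the false-positive rate usable. Hashes of carved binaries can then be compared against the helper tools the article names (Rar.exe, ffmpeg.exe and the two DLLs) versus the malicious plugins.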

The analyzed sample was packed with CloudProtector, which decrypts the payload using a custom algorithm and a key supplied in the configuration. The decrypted executable is then loaded into memory using process hollowing (the RunPE technique).

“The unpacked payload is the layer containing all the malicious features. It is not further obfuscated, so we can easily decompile it and read the code,” Malwarebytes explains.

The threat was designed to spy on users and backdoor the infected machines. It can record videos using the FFmpeg application, snap screenshots, and log keystrokes. The video recording event is triggered when the victim accesses a site related to online banking, which clearly reveals the final purpose of the threat’s authors: to spy on victims’ banking activities.

Recorded videos are sent to the C&C encoded in Base64, while the screenshots (saved as JPG) and captured logs are periodically compressed using the RAR application, and then sent to the server.

The malware can also enumerate opened windows and can disable anti-malware applications. What’s more, the bot’s functionality can be expanded with the help of plugins, which it downloads from the C&C.

Two of the plugins the malware downloaded during analysis provided it with capabilities typical of a RAT: processmanager.dll (written in 2015) and remotedesktop.dll (written in 2016). The latter plugin was obfuscated, although the main malware module and the former plugin weren’t.

“This malware is prepared by an unsophisticated actor. Neither the binary nor the communication protocol is well obfuscated. The used packer is well-known and easy to defeat. However, the malware is rich in features and it seems to be actively maintained. Its capabilities of spying on the victim and backdooring the attacked machine should not be taken lightly,” Malwarebytes concludes.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.