T9000 Backdoor Malware Targets Skype Users, Records Conversations
Skype users should beware of a new backdoor trojan that steals files, takes screengrabs, and records Skype conversations. The trojan which is named as T9000 is a hybrid version of a older T5000 which was spotted in the wild two years ago. The T9000 specifically targets human rights activists, the automotive industry, and governments in the Asia-Pacific region.
Security researchers Palo Alto Networks spotted T9000 inside spear phishing emails received by US organizations. However, the researchers say that T9000 is versatile enough to be used against any target the attacker wants to compromise.
The researchers noted that T9000 targets computers through malicious RTF attachment in an email This RTF attachment exploits the CVE-2012-1856 and CVE-2015-1641 vulnerabilities to get a foothold on the victim’s PC.
Compared to its earlier version, T9000 is much complex and special efforts have been made to avoid getting detected. T9000 features a multi-stage installation process, which checks before each phase for the presence of malware analysis tools and 24 security products such as Sophos, INCAInternet, DoctorWeb, Baidu, Comodo, TrustPortAntivirus, GData, AVG, BitDefender, VirusChaser, McAfee, Panda, Trend Micro, Kingsoft, Norton, Micropoint, Filseclab, AhnLab, JiangMin, Tencent, Avira, Kaspersky, Rising, and Qihoo 360.
If everything checks out, and the internal verifications go through, after installing itself, the malware will first collect information on the infected system and send it to a C&C server, so it can mark the target and distinguish between each victim. The C&C server will than send specific set of instruction based on the information that resides in the victim’s PC.
Palo Alto researchers have identified three main modules.
The first and most important module, tyeu.dat is responsible for spying on Skype conversations. As soon as the module is downloaded and launched into execution, the next time the user will start Skype, a message will appear at the top of his window saying “explorer.exe wants to use Skype.”
T9000 message shown to Skype users
This message is shown because the backdoor taps into the Skype API and shows this notification at the top. Once the victim presses ‘Allow access’ the malware can than freely spy on him/her. T9000’s Skype module can record both audio and video conversations, along with text chats, while also taking regular screenshots of video calls.
The second T9000 module is vnkd.dat, and this module is loaded only when the malware’s author wants to steal files from the user’s computer. Support is included for taking data from local removable storage devices with extensions such as doc, ppt, xls, docx, pptx, and xlsx.
The third module qhnj.dat, is the most dangerous of the three. It allow C&C server to send commands to each computer and tell T9000 to create files&directories, delete files&directories, move files&directories, encrypt data, and copy the user’s clipboard.
Palo Alto
researchers indicated that the author of the malware seemed a thorough professional, “The author of this backdoor has gone to great lengths to avoid being detected and to evade the scrutiny of the malware analysis community.”
Microsoft stated that now its security program, Windows Defender identifies and quarantines T9000 trojan. Microsoft spokesperson reached out to us with a emailed statement :
“To further protect our customers, we’ve added detection for the malicious software known as ‘T9000’ to Windows Defender. Customers that have installed security updates released in 2012 (MS12-060) and 2014 (MS14-033), either manually or by enabling automatic updates, will already be protected. Our recommendation is to enable automatic updates, which installs the latest security protections, and use the latest version of Skype.”
As such all Skype users are advised to update their Windows Defender to protect their Skype conversations from being spied upon.
