Researchers have found new Trojan malware that can record the audio, video and text communications of Skype users and steal files from infected devices. It is a new variant of the T5000 malware family, which has been linked to cyber-espionage activity allegedly carried out by the Chinese government.
The entire execution flow of the malware (from Palo Alto Networks)
T9000 reaches a user’s computer through malicious RTF files. It then runs a multi-stage installation process in which it checks for security products installed on the machine and adapts its behaviour to evade them. The malware then piggybacks on a legitimate Windows executable, dropping files onto the victim’s computer to steal specific types of personal information and files.
Skype users are presented with a dialog box that reads “Explorer.exe wants to use Skype (Allow/Deny)”. Once allowed, the malware records video calls, audio calls and chat messages and forwards them to the cybercriminal behind the attack.
The malware can also take screenshots of the victim’s desktop. All of these functions have been tested and confirmed by Palo Alto Networks researchers who discovered the existence of the T9000.
“The author of this backdoor has gone to great lengths to avoid being detected and to evade the scrutiny of the malware analysis community,” Palo Alto Networks said in a blog post about the T9000. The malware is particularly advanced given that it can adapt to different situations to ensure that it makes its way onto a targeted PC.
You can see a detailed breakdown of the T9000 malware, including the convoluted installation process it goes through to hijack computers, over at Palo Alto Networks’ blog.
[Via Palo Alto Networks Research Center]