A new malware that’s striking online gambling companies in China via a watering hole attack to deploy either Cobalt Strike beacons or a previously undocumented Python-based backdoor called BIOPASS RAT that takes advantage of Open Broadcaster Software (OBS) Studio’s live-streaming app to capture the screen of its victims to attackers.

The attack involves deceiving gaming website visitors into downloading a malware loader camouflaged as a legitimate installer for popular-but-deprecated apps such as Adobe Flash Player or Microsoft Silverlight, only for the loader to act as a conduit for fetching next-stage payloads.

Specifically, the websites’ online support chat pages are booby-trapped with malicious JavaScript code, which is used to deliver the malware to the victims.

BIOPASS RAT possesses basic features found in other malware, such as file system assessment, remote desktop access, file exfiltration, and shell command execution. It also has the ability to compromise the private information of its victims by stealing web browser and instant messaging client data.

Besides featuring an array of capabilities that run the typical spyware gamut, BIOPASS is equipped to establish live streaming to a cloud service under the attacker’s control via Real-Time Messaging Protocol (RTMP), in addition to communicating with C2 server using the Socket.IO protocol.

The malware, which is said to be under active development, is also notable for its focus on stealing private data from web browsers and instant messaging apps chiefly popular in Mainland China, including QQ Browser, 2345 Explorer, Sogou Explorer, and 360 Safe Browser, WeChat, QQ, and Aliwangwang. This is believed that Winnti Group is in action

BIOPASS RAT is a sophisticated type of malware that is implemented as Python scripts.”Given that the malware loader was delivered as an executable disguised as a legitimate update installer on a compromised website,it is recommended to download apps only from trusted sources and official websites to avoid being compromised.”