The internet is abuzz with news about a new backdoor Trojan that is equipped with such advanced features that it can steal files, capture screenshots and record Skype conversations.
The Trojan T9000 is an evolved and more advanced version of the older T5000 backdoor Trojan. T5000 was identified in 2013 and again in 2014 and targeted the automotive industry, human rights activists and Asia Pacific governments.
T9000 was spotted by Palo Alto Networks researchers, who report that it is embedded in spear phishing emails sent to organizations in the US. However, the researchers believe this new backdoor is versatile enough to be used against any entity the attackers wish to compromise.
Computers are infected through malicious RTF files that exploit the CVE-2012-1856 and CVE-2015-1641 vulnerabilities to gain control of the targeted PC.
Compared with T5000, T9000 is far more complex, and the security researchers who analyzed it say the malware’s authors put considerable effort into making the Trojan hard to detect.
The Trojan uses a multi-stage installation procedure; before each stage begins, the malware checks the targeted PC for installed analysis tools and for 24 of the most common security products. The products it checks for are: “Sophos, INCAInternet, DoctorWeb, Baidu, Comodo, TrustPortAntivirus, GData, AVG, BitDefender, VirusChaser, McAfee, Panda, Trend Micro, Kingsoft, Norton, Micropoint, Filseclab, AhnLab, JiangMin, Tencent, Avira, Kaspersky, Rising, and Qihoo 360.”
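A sample that enumerates two dozen security vendors before installing is itself a useful triage signal. The following added example (not Palo Alto's or the article's code) scores a list of printable strings, such as a `strings` dump of a suspect file, by how many of the 24 products named above it references; the two string dumps at the bottom are constructed, not real T9000 artefacts.

```python
import re
from collections import Counter

# The 24 security products the article says T9000 checks for before each stage.
T9000_CHECKED_PRODUCTS = [
    "Sophos", "INCAInternet", "DoctorWeb", "Baidu", "Comodo",
    "TrustPortAntivirus", "GData", "AVG", "BitDefender", "VirusChaser",
    "McAfee", "Panda", "Trend Micro", "Kingsoft", "Norton", "Micropoint",
    "Filseclab", "AhnLab", "JiangMin", "Tencent", "Avira", "Kaspersky",
    "Rising", "Qihoo 360",
]


def _pattern(name):
    # Whole-token match so "AVG" does not fire on "average"; the vendor's own
    # space may be dropped ("TrendMicro") or kept ("Trend Micro").
    body = r"\s*".join(re.escape(part) for part in name.split())
    return re.compile(r"(?<![a-z0-9])" + body + r"(?![a-z0-9])", re.IGNORECASE)


PATTERNS = {name: _pattern(name) for name in T9000_CHECKED_PRODUCTS}


def security_product_refs(strings):
    """Return {product: occurrences} for each checked product found in a list
    of printable strings extracted from a sample."""
    hits = Counter()
    for s in strings:
        for name, pat in PATTERNS.items():
            if pat.search(s):
                hits[name] += 1
    return dict(hits)


def evasion_score(strings, threshold=5):
    """Number of distinct products referenced, and whether it crosses the
    triage threshold. Benign software rarely names many AV vendors; a
    sample that does so deserves a closer look in the sandbox."""
    distinct = len(security_product_refs(strings))
    return distinct, distinct >= threshold


# Constructed string dumps for demonstration (hypothetical, not real samples).
SUSPICIOUS_SAMPLE = ["KERNEL32.dll", "SOFTWARE\\Kaspersky", "Sophos", "McAfee",
                     "Trend Micro", "AhnLab V3", "Qihoo 360", "JiangMin",
                     "explorer.exe", "average"]
BENIGN_SAMPLE = ["KERNEL32.dll", "MSVCR100.dll", "Kaspersky Update", "average"]

if __name__ == "__main__":
    print(evasion_score(SUSPICIOUS_SAMPLE))  # (7, True)
    print(evasion_score(BENIGN_SAMPLE))      # (1, False)
```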
After checking everything, the malware gets itself installed and conducts internal verifications. It then collects information stored on the infected system and sends it to the command and control server.
Once the computer has been infected, identified and recorded, the command and control server sends specific modules to the targeted device according to the information that can be stolen.
Palo Alto researchers attribute most of the damage T9000 does to a system to three main modules. According to their analysis, tyeu.dat is the most important of the three because it spies on Skype conversations.
When this module is downloaded and executed, the user sees the message “explorer.exe wants to use Skype” the next time Skype is started, as shown in the screenshot below:
The message appears because the malware taps into the Skype API, and Skype displays this notification at the top of its window. If the user clicks the allow button and agrees that “explorer.exe” may interact with Skype, T9000 gains permission to spy on the user’s Skype activity.
T9000’s Skype spying module records audio and video calls as well as text chats, and takes screenshots of video calls at regular intervals. It can also steal data and other files exchanged in Skype conversations.
Vnkd.dat is the second T9000 module; it is loaded when the operator of the campaign needs to steal files from the computer. It can also steal files from local removable storage devices that carry these extensions: “doc, ppt, xls, docx, pptx, and xlsx.”
The third module, qhnj.dat, is the most innocuous-looking of the three. It lets the command and control server send commands to each targeted computer, instructing T9000 to create files and directories, delete files and directories, move files and directories, encrypt data and copy the contents of the user’s clipboard.
The extensiveness of this malware is explained by Palo Alto researchers:
“The author of this backdoor has gone to great lengths to avoid being detected and to evade the scrutiny of the malware analysis community.”
Apparently, T9000 is a professional cyber-espionage tool. T5000 was previously linked to the APT group Admin@338, whose traces were found in the Chinese government’s cyber-army. In December 2015, Admin@338 was also identified as being behind a malware distribution campaign that used Dropbox accounts to host its command and control servers.