A new sophisticated Skype malware that can spy on and record victims’ Skype calls, video and text chats, all the while evading detections by 24 leading computer security and anti-virus products has been discovered by Researchers at Palo Alto Networks
The Trojan-grade malware, dubbed T9000, is a new twist on the T5000 malware that made its rounds in 2014 . Because of its ability to stealthily avoid detection, researchers at Palo Alto Networks are calling it an active “backdoor” to Skype.
The T9000 infection begins as a classic email phishing attack, getting its hooks into victims’ computers after they open an infected Rich Text Format (RTF) files. Once the file is open two powerful exploits begin doing their dirty work. T9000 installation and attack is multi-stage. Only one instance of the malware is run at a time which allows the malicious program to do a thorough search of the of the users’ computer, checking if any of 24 leading security products are present . If any are discovered, the malware then alters the way it loads in order to evade detection by the present security software, Palo Alto Network’s Intelligence Director, Ryan Olson told iDigitalTimes.
“T9000 searches through the Windows registry to look for indications that one of the 24 listed security products are installed,” Olson said. “In the event certain conditions are met, such as a specific version of Microsoft Windows running with specific security products, the malware will install itself and/or load using different techniques.”
The fact that the malware can detect security products and alter its behavior to avoid detection makes T9000 one of the more sophisticated forms of malware the company has seen.
“The malware author(s) took great lengths to determine what works and doesn’t work in different victim environments,” Olsen said.
The T9000 malware is in the same family of T5000 malware detected in 2014. That particular malware was transmitted via poisoned files sent to Malaysian government departments’ emails. The files allegedly contained a news story reporting that the Malaysian Airlines Flight MH370 had been found, but instead contained the T5000 malware. Those attacks were linked to a cyber espionage group suspected to have Chinese government backing.
Though the creators of the T9000 Trojan are unknown, the goal of the malware is clear: collect information about targeted victim via compromised Skype connections. Once the malware is active, all the information gathered via Skype is stored in a directory called "Intel," which attackers can later mine for data.
According to Palo Alto researchers, T9000 has been found in several targeted attacks against organizations in the US, but its capabilities are not limited to just US victims or Skype users. In the future, T9000 could bleed over into other applications.
“The malware family itself is created in a very modular fashion,” said Olsen. “The Skype-specific targeting was witnessed in one of three plugins that are dropped in this particular instance. The other plugins included allowed the malware to extract files from removable media, such as flash drives, and to monitor actions performed by the victim. It is likely that other plugins also exist for T9000, which can be deployed after the malware is installed on a victim’s machine. This modular approach allows the attackers behind T9000 to adapt and certainly target other applications as well.”
