Researchers Found New Malware "T9000" That Allow To Steal Files And Record Skype Conversations.

Researchers Found New Malware "T9000" That Allow To Steal Files And Record Skype Conversations.

A well-equipped new Trojan came that contained many features by which it can easily steal any files, can take screengrabs, and even record Skype conversations. 

This new Trojan is T9000 which is an extension of previous backdoor version T5000 that affect wildly in 2013 and 2014 by targeting so many automobile industries, governments sites in Asia-Pacific region.

Researcher of Palo Alto Networks spotted this Trojan(T9000) inside of a phishing emails received by US organizations, but it is too versatile that it can be used by the attacker to achieved their target. To get the foothold on the user's PC T9000 infect computers via malicious RTF files that exploit the CVE-2012-1856 and CVE-2015-1641 vulnerabilities.

If we compared it with the older versions, then T9000 is more complicated. Those researchers who have examined this they told that we need a lot of effort into avoiding detection. T9000 has many features some of them are:

A multi-stage installation process.

24 security products that include (Tencent, Sophos, Avira, INCAInternet, AVG,  Baidu, Comodo, GData,  BitDefender, VirusChaser, McAfee, Panda, Trend Micro, Kingsoft, Norton, Micropoint, Filseclab, AhnLab, JiangMin, DoctorWeb,  Kaspersky, Rising, TrustPortAntivirus, and Qihoo 360).

Once this Trojan gets installed, it will allow firstly to collect information from the user's infected system and then sending to the C&C server. After that specific modules to each and every target will send by the C&C server. The specific modules based on the information that the C&C server received.

Palo Alto researchers have found three main modules that are responsible for most of the backdoor's damage.

The first module (tyeu.dat) which can easily spy on Skype conversations. When this module get installed on the infected system, whenever the user will start Skype, a message appear on the top displaying "explorer.exe wants to use Skype". And those that click on the link, they are providing the T9000 permissions to spy on them any it can steal data from user's system also. This module also provides the access to record both audio and video conversations, along with text chats, while also taking regular screenshots of video calls.

The second module (vnkd.dat) that allow malware's author to steal files from the user's computer. It can take data in the form of a doc, ppt, xls, docx, pptx, and xlsx extensions from local removable storage devices.

Third module (qhnj.dat) that allows the C&C server to send commands to each and every computer and tell T9000 to do the following commands:

>> Create files & directories.

>> Delete files&directories.

>> Move files&directories.

>> To encrypt data.

>> To copy the user's clipboard.

Palo Alto researchers explained that:

In December, the same Admin@338 APT was also linked to a malware distribution campaign that was using Dropbox accounts to host its C&C servers.

Execution Flaw T9000