New research has shed light on the complex operation of the Byakugan malware, which was first detected in January.
While studying a campaign that hid malware inside PDFs, the FortiGuard Labs team uncovered further details about the malware. Last Thursday they published an advisory covering Byakugan's infostealer capabilities.
According to the technical description, Byakugan's modus operandi shares similarities with previously documented malware, including the use of deceptive tactics to lure victims. Disguised as an Adobe Reader installer inside a Portuguese-language PDF, it prompts users to download and execute the malware.
The PDF asks victims to click a hidden link, which triggers a chain of events that ends with a downloader being fetched. This downloader, named “Require.exe”, is dropped into the system's temp folder alongside a benign installer. A DLL is then downloaded and executed via DLL hijacking to retrieve the main module, “Chrome.exe”.
Byakugan's main module in particular is retrieved from a designated command-and-control (C2) server, which may also serve as the attacker's control panel. Its functionality, judging from descriptions in the source code, is diverse. Packaged with Node.js and PKG, Byakugan bundles various libraries aimed at different tasks.
These functions include screen monitoring, screenshot capture, cryptocurrency mining, keylogging, file manipulation and browser information theft. Notably, Byakugan can adjust its mining activity based on system usage, avoiding a performance impact during demanding tasks.
To stay effective, Byakugan employs anti-analysis measures and achieves persistence by configuring Task Scheduler to run it. This dual approach of dropping both benign and malicious components complicates analysis, making accurate detection challenging.
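As an added defender-side illustration (not code from the FortiGuard advisory), the Python heuristic below scans a Task Scheduler export for the persistence pattern described above: a task whose action runs a binary from a temp directory, or a file named chrome.exe outside the browser's normal install directories. The CSV layout of `schtasks /query /fo CSV /v`, the known-good Chrome paths and the sample rows are assumptions constructed for the example.

```python
"""Hunting heuristic for scheduled-task persistence of the kind described above."""
import csv
import io
import ntpath

# Assumption: adjust to the Chrome install directories that are legitimate in your estate.
CHROME_OK_DIRS = {
    r"c:\program files\google\chrome\application",
    r"c:\program files (x86)\google\chrome\application",
}
TEMP_MARKER = "\\temp\\"  # matches %LOCALAPPDATA%\Temp, C:\Windows\Temp, C:\Temp, ...


def executable_of(task_to_run: str) -> str:
    """Extract the program path from a 'Task To Run' field, honouring quotes.
    Assumption: unquoted actions name a .exe; otherwise the first token is used."""
    s = task_to_run.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    idx = s.lower().find(".exe")
    return s[:idx + 4] if idx > 0 else s.split(" ", 1)[0]


def classify_task(task_to_run: str) -> list[str]:
    """Return the reasons a task action matches the pattern (empty list if none)."""
    exe = executable_of(task_to_run).lower()
    reasons = []
    if TEMP_MARKER in exe:
        reasons.append("runs from a temp directory")
    if ntpath.basename(exe) == "chrome.exe" and ntpath.dirname(exe) not in CHROME_OK_DIRS:
        reasons.append("chrome.exe outside known Chrome install directories")
    return reasons


def scan_schtasks_csv(text: str) -> list[tuple[str, list[str]]]:
    """Classify every row of a schtasks CSV export and return the flagged tasks."""
    hits = []
    for row in csv.DictReader(io.StringIO(text)):
        reasons = classify_task(row.get("Task To Run", ""))
        if reasons:
            hits.append((row["TaskName"], reasons))
    return hits


# Constructed sample export: two benign rows and two that match the pattern.
SAMPLE_CSV = '''"HostName","TaskName","Task To Run"
"WS01","\\GoogleUpdateTaskMachineUA","C:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe /ua"
"WS01","\\Microsoft\\Windows\\Defrag\\ScheduledDefrag","%windir%\\system32\\defrag.exe -c -h -k -g"
"WS01","\\Chrome","C:\\Users\\alice\\AppData\\Local\\Temp\\chrome.exe"
"WS01","\\ChromeUpd","""C:\\Users\\alice\\AppData\\Local\\Temp\\chrome.exe"" --update"
'''

if __name__ == "__main__":
    for name, reasons in scan_schtasks_csv(SAMPLE_CSV):
        print(f"{name}: {', '.join(reasons)}")
```

Hits from this heuristic are a starting point for triage, not a verdict; confirm by inspecting the dropped files and the task's creation time and author.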
“There is a growing trend to use both clean and malicious components in malware, and Byakugan is no exception,” the advisory states.
“This approach increases the amount of noise generated during analysis, making accurate detection more difficult. However, the downloaded files provided critical details about how Byakugan works, which helped us analyze the malicious modules.”
Read more about comparable malware: Infostealer Lumma evolves with a new anti-sandbox method