iTnews

Skype users targeted by info-stealing malware

By Juha Saarinen, iTnews on Feb 8, 2016 2:40PM

Intercepts calls and video, and takes screenshots.

Users of Microsoft's Skype communications program are being targeted by new malware that attempts to intercept audio, video, and chats.

The so-called T9000 malware also takes regular screenshots of video calls, and attackers can use it to collect document files - even those being shared via removable drives.

According to security vendor Palo Alto Networks, the T9000 spyware is a newer version of the T5000 malware from 2013, which is also known as Plat1 or Grand Theft Auto Panda, and runs on the Windows operating system.

T5000 was used to attack human rights activists and the car industry, according to security firm Cylance. It was also used in spearphishing attacks in 2014, targeting people interested in the disappearance of Malaysia Airlines flight MH370, according to FireEye.

In comparison, T9000 is more advanced than T5000, according to Palo Alto Networks.

The firm said it has seen the malware being used in several targeted attacks against organisations in the United States, and its analysis shows that T9000 is designed to be used against a broad range of victims.

T9000 is dropped via a rich text format file with an exploit for CVE-2012-1856, which affects an ActiveX control in Microsoft Office, older versions of SQL Server, and other Microsoft products.

It also contains an exploit for the newer CVE-2015-1641 vulnerability, which allows attackers to execute arbitrary code via specially crafted RTF files.
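Both exploits above arrive inside an RTF document, and an embedded OLE object (an `\object` group carrying `\objclass` and `\objdata`) is the usual carrier for that kind of payload. The following triage helper, an added example that is not code from the article or from Palo Alto Networks, lists the embedded objects in an RTF and their payload sizes so a mail gateway or analyst can flag documents worth a closer look; the sample document and its object class name are constructed placeholders.

```python
import re

# Constructed sample: a minimal RTF with one embedded OLE object, the shape an
# exploit-bearing RTF takes. The class name is a placeholder, not a real control.
SAMPLE_RTF = (
    r"{\rtf1\ansi\deff0{\fonttbl{\f0 Times New Roman;}}"
    r"\pard Quarterly report attached.\par"
    r"{\object\objemb\objw100\objh100"
    r"{\*\objclass Placeholder.Control.1}"
    r"{\*\objdata 0105000002000000}}}"
)

OBJECT_KW = re.compile(r"\\object\b")
OBJCLASS = re.compile(r"\\\*\\objclass\s+([^}]+)")
OBJDATA = re.compile(r"\\\*\\objdata\s+([0-9A-Fa-f\s]+)")


def _group_at(rtf, start):
    """Return the brace-delimited RTF group beginning at rtf[start] == '{'."""
    depth, i = 0, start
    while i < len(rtf):
        c = rtf[i]
        if c == "\\":          # control symbol or escaped brace: skip both chars
            i += 2
            continue
        if c == "{":
            depth += 1
        elif c == "}":
            depth -= 1
            if depth == 0:
                return rtf[start:i + 1]
        i += 1
    raise ValueError("unbalanced RTF group")


def embedded_objects(rtf):
    """One record per \\object group: declared class and decoded payload size."""
    found = []
    for m in OBJECT_KW.finditer(rtf):
        group = _group_at(rtf, rtf.rfind("{", 0, m.start()))
        cls = OBJCLASS.search(group)
        data = OBJDATA.search(group)
        hexdata = re.sub(r"\s+", "", data.group(1)) if data else ""
        found.append({"objclass": cls.group(1).strip() if cls else None,
                      "payload_bytes": len(hexdata) // 2})
    return found


def is_suspicious(rtf):
    """Flag any RTF that embeds an OLE object; plain-text RTFs pass."""
    return len(embedded_objects(rtf)) > 0
```

A flagged file is a candidate for detonation or deeper OLE parsing, not a verdict on its own; legitimate documents also embed objects.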

Once planted on a victim system, T9000 attempts to hide itself from detection and checks for the presence of 24 to 27 different anti-virus products before full installation. If it discovers a listed security product, T9000 will customise the installation mechanism to avoid the defences.

T9000 also contains checks during installation to see if a security researcher is analysing the malware.

The malware can receive several commands remotely to execute on victim machines, such as listing directories, uploading and deleting files, and more.

Palo Alto Networks has identified the functionality of ten T9000 commands, with a further 14 yet to be fully discovered, the vendor said.

Update: A Microsoft spokesperson said updated versions of Windows and Office, as well as Skype, are not vulnerable to the exploits used by T9000.

"To further protect our customers, we’ve added detection for the malicious software known as ‘T9000’ to Windows Defender," the spokesperson said.

"Customers that have installed security updates released in 2012 (MS12-060) and 2014 (MS14-033), either manually or by enabling automatic updates, will already be protected. Our recommendation is to enable automatic updates, which installs the latest security protections, and use the latest version of Skype."

Copyright © iTnews.com.au . All rights reserved.