T9000 can also steal files from your hard drives

Feb 7, 2016 00:15 GMT  ·  By

A new backdoor trojan is making the rounds, coming equipped with features that allow it to steal files, take screengrabs, and record Skype conversations.

The trojan, named T9000, is an evolution of an older backdoor called T5000, spotted in the wild in 2013 and 2014 targeting human rights activists, the automotive industry, and governments in the Asia-Pacific region.

This time around, Palo Alto Networks researchers say T9000 has been spotted inside spear phishing emails received by US organizations, but that it is versatile enough to be used against any target the attacker wants to compromise.

The malware is infecting computers via malicious RTF files that exploit the CVE-2012-1856 and CVE-2015-1641 vulnerabilities to get a foothold on the user's PC.

A lot of effort was put into avoiding detection

Compared to its earlier version, T9000 is a lot more complicated. Security researchers that have examined its make-up say the malware's authors put a lot of effort into avoiding getting detected.

T9000 features a multi-stage installation process, which checks before each phase for the presence of malware analysis tools and 24 security products such as Sophos, INCAInternet, DoctorWeb, Baidu, Comodo, TrustPortAntivirus, GData, AVG, BitDefender, VirusChaser, McAfee, Panda, Trend Micro, Kingsoft, Norton, Micropoint, Filseclab, AhnLab, JiangMin, Tencent, Avira, Kaspersky, Rising, and Qihoo 360.

If everything checks out, and the internal verifications go through, after installing itself, the malware will first collect information on the infected system and send it to a C&C server so it can mark the target and distinguish between each victim.

Three main modules are responsible for most of the backdoor's damage

After each infected computer was identified and recorded, the C&C server will send specific modules to each target, based on the information it found it can steal. Palo Alto researchers have identified three main modules.

The most important module (tyeu.dat) is responsible for spying on Skype conversations. As soon as the module is downloaded and launched into execution, the next time the user starts Skype, a message will appear at the top of their window saying "explorer.exe wants to use Skype."

T9000 message shown to Skype users
T9000 message shown to Skype users

This message is shown because the backdoor taps into the Skype API and shows this notification at the top. Users who agree to allow "explorer.exe" to interact with Skype are actually giving T9000 permission to spy on them.

T9000's Skype module can record both audio and video conversations, along with text chats, while also taking regular screenshots of video calls.

T9000 can also steal other files, not just data from Skype conversations

The second T9000 module is vnkd.dat, and this module is loaded only when the malware's author wants to steal files from the user's computer. Support is included for taking data from local removable storage devices with extensions such as doc, ppt, xls, docx, pptx, and xlsx.

The most innocuous module of them all (if we can say that) is qhnj.dat, which allows the C&C server to send commands to each computer and tell T9000 to create files&directories, delete files&directories, move files&directories, encrypt data, and copy the user's clipboard.

"The author of this backdoor has gone to great lengths to avoid being detected and to evade the scrutiny of the malware analysis community," Palo Alto researchers explained. This means this is a professional tool used in cyber-espionage. Previous reports have linked T5000 to an APT named Admin@338, related to China's unofficial cyber-army.

Back in December, the same Admin@338 APT was also linked to a malware distribution campaign that was using Dropbox accounts to host its C&C servers.

UPDATE: Alerted by this new threat to Skype users, Microsoft has provided the following statement: "To further protect our customers, we’ve added detection for the malicious software known as ‘T9000’ to Windows Defender. Customers that have installed security updates released in 2012 (MS12-060) and 2014 (MS14-033), either manually or by enabling automatic updates, will already be protected. Our recommendation is to enable automatic updates, which installs the latest security protections, and use the latest version of Skype."

T9000 execution flow
T9000 execution flow

Photo Gallery (3 Images)

Backdoor trojan found targeting Skype users
T9000 message shown to Skype usersT9000 execution flow
Open gallery