Cybersecurity firm Fortinet alerts users of a phishing scam campaign distributing the Byakugan malware. This malware steals sensitive information and grants attackers remote access to infected Windows devices.
Malware Found in PDF File
In January 2024, FortiGuard Labs discovered a Portuguese-language PDF file distributing Byakugan, a multi-functional malware. The PDF shows a blurred table and instructs victims to click a malicious link to view the content.
Once the link is clicked, the downloader drops a copy of itself named require.exe. It then downloads a clean installer to the temp folder, followed by a DLL; the DLL is executed via DLL hijacking and runs require.exe to download the main module.
The downloader, running as “require.exe” from the temp folder, executes that copy rather than Reader_Install_Setup.exe, and its behaviour differs between the two files. Byakugan’s main module is downloaded from thinkforce.com, a C2 server that may also serve as the attacker’s control panel, with a login page on port 8080.
AhnLab Security Intelligence Center (ASEC) also discovered an infostealer disguised as an Adobe Reader installer, delivered through a fake Portuguese-language PDF that urges users to download Adobe Reader and leads to the execution of a malicious file, Reader_Install_Setup.exe.
It then creates two malicious files and runs a Windows system file, msdt.exe, as an administrator, which loads the malicious BluetoothDiagnosticUtil.dll. Through this DLL hijacking, the threat actor can bypass User Account Control (UAC).
Byakugan Malware Key Features
Byakugan is a Node.js-based malware that uses OBS Studio to monitor the target’s desktop and perform various functions. It has several libraries, including a screen monitor, a miner, a keylogger, file manipulation, and a browser information stealer.
Byakugan can also choose between mining with the CPU or the GPU to avoid overloading the system, and it downloads popular miners such as XMRig, T-Rex, and NBMiner. It stores data in the kl folder and can steal information about “cookies, credit cards, downloads, and auto-filled profiles,” the researchers wrote.
Byakugan also has anti-analysis features, such as pretending to be a memory manager and adding its own path to Windows Defender’s exclusion list. Additionally, it drops a task scheduler configuration file into the Defender folder so that it runs automatically at startup. However, this newer variant does not download the software from its domain.
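The behaviours described above (msdt.exe loading a DLL from a temp folder, a path added to the Defender exclusion list, a task file dropped into the Defender folder) are the kind a defender would hunt for in endpoint telemetry. The following is an added detection sketch, not code from Fortinet or ASEC; it runs over constructed sample events in a simplified key=value format, and the event types, field names and the `SYSTEM_DIRS` list are assumptions made for this example.

```python
import re

# Windows directories where a DLL loaded by a system binary is expected to live
# (assumption for this example: anything outside these is treated as user-writable).
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Constructed sample events in a simplified key=value form, loosely modelled on
# Sysmon image-load, Defender configuration-change and task-creation records.
# They are illustrative only, not telemetry from the campaign.
SAMPLE_EVENTS = [
    "type=ImageLoad image=C:\\Windows\\System32\\msdt.exe "
    "loaded=C:\\Users\\victim\\AppData\\Local\\Temp\\BluetoothDiagnosticUtil.dll",
    "type=ImageLoad image=C:\\Windows\\System32\\msdt.exe "
    "loaded=C:\\Windows\\System32\\BluetoothDiagnosticUtil.dll",
    "type=DefenderConfig change=Exclusions\\Paths value=C:\\Users\\victim\\AppData\\Local\\Temp",
    "type=TaskCreate path=C:\\ProgramData\\Microsoft\\Windows Defender\\update.xml "
    "creator=C:\\Users\\victim\\AppData\\Local\\Temp\\require.exe",
    "type=ImageLoad image=C:\\Program Files\\App\\app.exe loaded=C:\\Program Files\\App\\lib.dll",
]

FIELD = re.compile(r"(\w+)=(.+?)(?=\s\w+=|$)")

def parse(line: str) -> dict:
    """Split one key=value line into a dict; values may contain spaces."""
    return {k: v for k, v in FIELD.findall(line)}

def in_system_dir(path: str) -> bool:
    return path.lower().startswith(SYSTEM_DIRS)

def detect(event: dict) -> list:
    """Return one finding per Byakugan-style behaviour seen in a single event."""
    findings = []
    kind = event.get("type")
    if kind == "ImageLoad":
        image, loaded = event["image"].lower(), event["loaded"]
        # msdt.exe pulling a DLL from outside the system directories is the
        # DLL-hijack pattern used for the UAC bypass; a system copy is normal.
        if image.endswith("\\msdt.exe") and not in_system_dir(loaded):
            findings.append(f"msdt.exe loaded DLL from non-system path: {loaded}")
    elif kind == "DefenderConfig" and event.get("change", "").startswith("Exclusions"):
        # The malware adds its own path to the Defender exclusion list.
        findings.append(f"Defender exclusion added: {event['value']}")
    elif kind == "TaskCreate":
        # Task-scheduler file dropped into the Defender folder by a temp-folder binary.
        if "windows defender" in event["path"].lower() and not in_system_dir(event.get("creator", "")):
            findings.append(f"task file written under Defender folder by {event['creator']}")
    return findings

def scan(lines: list) -> list:
    return [f for line in lines for f in detect(parse(line))]
```

Running `scan(SAMPLE_EVENTS)` flags the temp-folder DLL load, the exclusion change and the task file, while the benign System32 load and the unrelated application load produce nothing.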
How to Stay Safe?
Threat actors are combining clean and malicious components in malware such as Byakugan, which makes detection difficult, FortiGuard researchers noted. To stay protected from phishing attacks and such deceptive malware, users must therefore be cautious with emails and verify the sender’s legitimacy.
Additionally, use strong passwords and two-factor authentication, keep software updated, and install security software that can detect and block phishing emails and malware. Avoid clicking on links or downloading attachments from suspicious emails, and contact the sender directly to verify them.