- 칼럼 | AI 에이전트, 지금까지의 어떤 기술과도 다르다
- The $23 Echo Dot deal is a great deal to upgrade your smart home this Black Friday
- Amazon's Echo Spot smart alarm clock is almost half off this Black Friday
- The newest Echo Show 8 just hit its lowest price ever for Black Friday
- 기술 기업 노리는 북한의 가짜 IT 인력 캠페인··· 데이터 탈취도 주의해야
Byakugan Infostealer Capabilities Revealed
New research has shed light on the intricate workings of the Byakugan malware, initially detected in January.
During an investigation into a campaign featuring malware concealed within PDFs, the FortiGuard Labs team unearthed additional insights about the malware. Last Thursday, they issued an advisory spotlighting Byakugan’s infostealer capabilities.
According to the technical write-up, Byakugan’s modus operandi shares similarities with previously discovered malware, including the use of deceptive tactics to lure victims. By disguising itself as an Adobe Reader installer in a Portuguese PDF, users are prompted to download and execute the malware.
The PDF prompts victims to click a concealed link, triggering a chain of events leading to the download of a downloader. This downloader, named “require.exe,” alongside a benign installer, is deposited into the system’s temp folder. Subsequently, a DLL is downloaded, executed via DLL-hijacking to fetch the main module, “chrome.exe.”
Byakugan’s main module, in particular, is retrieved from a designated command-and-control (C2) server, potentially serving as the attacker’s control panel. Its functionalities, as gleaned from source code descriptions, are diverse. Byakugan, packed using node.js and pkg, incorporates several libraries catering to various tasks.
These functions include screen monitoring, screen capturing, cryptocurrency mining, keylogging, file manipulation and browser information theft. Notably, Byakugan can adapt its mining activities based on system usage, avoiding performance impact during high-demand tasks.
To sustain its operation, Byakugan employs anti-analysis measures and ensures persistence by configuring the task scheduler to execute upon system startup. This dual approach of incorporating both benign and malicious components complicates the analysis, making accurate detection challenging.
“There is a growing trend to use both clean and malicious components in malware, and Byakugan is no exception,” reads the advisory.
“This approach increases the amount of noise generated during analysis, making accurate detections more difficult. However, the downloaded files provided critical details about how Byakugan works, which helped us analyze the malicious modules.”
Read more on similar malware: Infostealer Lumma Evolves With New Anti-Sandbox Method
