
Byakugan (Infostealer) – Malware

April 14, 2024

Byakugan

Type of Malware

Infostealer

Country of Origin

Unknown

Date of initial activity

2024

Associated Groups

Unknown

Targeted Countries

Portuguese-speaking countries

Motivation

Cryptocurrency mining and stealing information

Attack vectors

Malicious link on a PDF file

Targeted systems

Windows

Variants

7435f11e41735736ea95e0c8a66e15014ee238c3a746c0f5b3d4faf4d05215af

Overview

Byakugan is a node.js-based malware packed into its executable by pkg. In addition to the main script, there are several libraries corresponding to its features: setting up persistence, monitoring the victim’s desktop using OBS Studio, capturing screenshots, downloading cryptocurrency miners, logging keystrokes, enumerating and uploading files, and grabbing data stored in web browsers. Byakugan can also download extra files to perform these functions. They are stored in the default base path, %APPDATA%\Chrome\Application, which is also used to store the data Byakugan creates.

Features

Byakugan has the following features:

  • Screen monitor (Lib: streamer.js) – Uses OBS Studio to monitor the victim’s desktop. In a previous variant (7435f11e41735736ea95e0c8a66e15014ee238c3a746c0f5b3d4faf4d05215af), Byakugan downloaded the software from its own domain; this is not seen in the newer variant.
  • Screen capture (Lib: api.js) – Takes screenshots using Windows APIs.
  • Miner (Lib: miner.js) – The attacker can decide whether or not to continue mining while the victim is playing highly demanding games, which would impact performance, and can choose between CPU and GPU mining to keep the system from overloading. It downloads a variety of well-known miners, such as XMRig, T-Rex, and NBMiner, and stores them in a folder named MicrosoftEdge under the base path.
  • Keylogger (Lib: api.js) – Stores its data in the kl folder under the base path.
  • File manipulation (Lib: files.js) – Provides the functions for file uploading and exploring.
  • Browser information stealer (Lib: Browser.js) – Steals cookies, credit cards, downloads, and auto-filled profiles. The data is stored in the bwdat folder under the base path. It can also inject cookies into a specified browser.

In addition, some features help Byakugan live as long as possible:

  • Anti-analysis – If the file name is not chrome.exe, or the file is not located in the Chrome\Application folder, it pretends to be a memory manager and closes itself. It also adds its own path to Windows Defender’s exclusion list and allows its files through the Windows firewall.
  • Persistence – Drops a task scheduler configuration file into the Defender folder under the base path, which makes it execute automatically at startup.
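Added example (not code from the article or from any vendor tool): a small Python triage script that scores a host's file inventory and its Windows Defender exclusion list against the on-disk artefacts described above (chrome.exe under %APPDATA%\Chrome\Application, the kl, bwdat, MicrosoftEdge and Defender sub-folders, miner binaries, and an exclusion covering the base path). The sample inventories, the .exe names for the miners, and the scoring weights are constructed assumptions.

```python
import ntpath  # Windows path rules regardless of the analyst's host OS

BASE = r"%APPDATA%\Chrome\Application"   # base path named in the profile
FOLDERS = {                               # sub-folders the profile attributes to each library
    "kl": "keylogger output",
    "bwdat": "stolen browser data",
    "MicrosoftEdge": "downloaded miners",
    "Defender": "task-scheduler persistence config",
}
MINERS = {"xmrig.exe", "t-rex.exe", "nbminer.exe"}  # miner names from the profile; .exe is assumed

def _norm(path):
    return ntpath.normpath(path).lower()

def triage(paths, defender_exclusions):
    """Score one host's file inventory plus its Defender exclusion list.
    Returns (score, sorted list of distinct reasons)."""
    base = _norm(BASE)
    findings = {}
    for p in paths:
        n = _norm(p)
        head, name = ntpath.split(n)
        if head == base and name == "chrome.exe":
            findings["main module staged as chrome.exe under base path"] = 3
        if n.startswith(base + "\\"):
            top = n[len(base) + 1:].split("\\")[0]   # first component below the base path
            for folder, purpose in FOLDERS.items():
                if top == folder.lower():
                    findings[f"{folder} folder present: {purpose}"] = 2
            if name in MINERS:
                findings[f"known miner binary {name} under base path"] = 2
    if any(_norm(e) == base for e in defender_exclusions):
        findings["Windows Defender exclusion covers base path"] = 2
    return sum(findings.values()), sorted(findings)

def verdict(score):
    return "likely Byakugan" if score >= 5 else "no Byakugan footprint"

# Constructed sample inventories, not data from a real host
SUSPECT = [
    r"%APPDATA%\Chrome\Application\chrome.exe",
    r"%APPDATA%\Chrome\Application\kl\keys.log",
    r"%APPDATA%\Chrome\Application\bwdat\cookies.json",
    r"%APPDATA%\Chrome\Application\MicrosoftEdge\xmrig.exe",
]
SUSPECT_EXCLUSIONS = [r"%APPDATA%\Chrome\Application"]
CLEAN = [r"C:\Program Files\Google\Chrome\Application\chrome.exe"]  # legitimate Chrome, no hit

if __name__ == "__main__":
    for label, paths, excl in (("suspect", SUSPECT, SUSPECT_EXCLUSIONS), ("clean", CLEAN, [])):
        score, reasons = triage(paths, excl)
        print(f"{label}: score={score} -> {verdict(score)}", *reasons, sep="\n  ")
```

Feed it the output of a file-listing and `Get-MpPreference` exclusion export from a suspect host to get a quick, explainable score before deeper forensics.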

Targets

Portuguese-speaking Windows users.

Techniques Used

The modus operandi of Byakugan exhibits resemblances to previously identified malware, utilizing deceptive methods to ensnare unsuspecting users. Disguised as an Adobe Reader installer within a Portuguese PDF, it prompts users to download and execute the malicious payload. Upon interaction with the PDF, victims are directed to click a concealed link, initiating a sequence of actions resulting in the deployment of a downloader dubbed “require.exe” and a benign installer to the system’s temporary directory. Subsequent steps involve the retrieval and execution of a DLL via DLL-hijacking to fetch the main module, “chrome.exe.” Byakugan’s primary module is sourced from a designated command-and-control (C2) server, potentially functioning as the attacker’s central control panel. With functionalities ranging from screen monitoring to cryptocurrency mining, Byakugan employs diverse libraries packed using node.js and pkg.

Significant Malware Campaigns

  • AhnLab SEcurity intelligence Center (ASEC) discovers distribution of an infostealer disguised as the Adobe Reader installer. (March 2024)

References:

  • Infostealer Disguised as Adobe Reader Installer
  • Byakugan – The Malware Behind a Phishing Attack
  • Byakugan Infostealer Capabilities Revealed

Tags: Brazil, Byakugan, Cryptocurrencies, Cryptominers, Infostealers, Keyloggers, Malware, MicrosoftEdge, Node.js, Portuguese, Windows
    © 2025 | CyberMaterial | All rights reserved