T9000 backdoor steals documents, records Skype conversations, victims’ actions

A new backdoor Trojan with spyware capabilities is being used in targeted attacks against organizations based in the United States. It has been dubbed T9000, since it’s a newer, improved version of the T5000 backdoor.

The attackers wielding it are believed to be of Chinese origin, as the T5000 has in the past been tied to the Admin@338 APT, a group that has, in the lat few years, been targeting APAC governments and US think tanks, and human rights activists.

The T9000 is delivered via phishing emails containing a booby-trapped RTF file. This file contains exploits for two vulnerabilities (CVE-2012-1856 and CVE-2015-1641) present in a wide variety of software, including Microsoft’s Office packet.

After exploiting one of these, it will go through a series of shellcode runs that will ultimately result in the loading of the backdoor’s main module and three encrypted plugins:

T9000 backdoor steals documents, records Skype conversations, victims' actions

But not without first trying to show a decoy document, making sure that only one instance of the malware is running at a given time, and checking for installed security products.

“The malware goes to great lengths to identify a total of 24 potential security products that may be running on a system and customizes its installation mechanism to specifically evade those that are installed. It uses a multi-stage installation process with specific checks at each point to identify if it is undergoing analysis by a security researcher,” Palo Alto Networks researchers discovered.

The installation process is slightly different if the victim is running Windows 2008 R2, 7, 2012 and 8, and/or Kingsoft, Filseclab, or Tencent security products, but the result is the same.

After the main module collects user, machine and software information and sends it to the C&C server, it downloads the three modules (tyeu.dat, vnkd.dat, and qhnj.dat) and loads them on the machine.

Each of these has a different function. The first one is responsible for collecting information – recording video calls, audio calls, and chat messages – from Skype, and it does so by using the built-in Skype API.

“The victim must explicitly allow the malware to access Skype for this particular functionality to work. However, since a legitimate process is requesting access, the user may find him- or herself allowing this access without realizing what is actually happening,” the researchers noted.

The second plugin searches for drives connected to the system, and through them for MS Office files, which it promptly copies and prepares for exfiltration. The third one records important actions taken by the victim – changes on the system – and this could come in handy if the attackers want to gain access to remote systems used by the victim.

Finally, the main module can list drives and directories, execute commands, kill processes, download, upload and delete files, and so on.

The T9000 is an effective cyber espionage tool, and its author(s) went to great lengths to avoid detection of the backdoor both by AV solutions and malware analysts. But the effort has been in vain.

Palo Alto’s blog post contains additional technical details about the malware and the infection and installation process, as well as indicators of compromise that organizations can use to check whether they have been hit with it.