FortiGuard Labs Threat Research

Byakugan – The Malware Behind a Phishing Attack

By Pei Han Liao | April 04, 2024

Affected Platforms: Microsoft Windows
Impacted Users: Microsoft Windows users
Impact: The stolen information can be used in future attacks
Severity Level: High

In January 2024, FortiGuard Labs collected a PDF file written in Portuguese that distributes a multi-functional malware known as Byakugan. While we were investigating this campaign, another report about it was published. This report therefore gives only a brief analysis of the overlap between that attack and this one and focuses primarily on the details of the infostealer.

Infection Vector

Figure 1: Infection flow

The PDF shows a blurred table and asks the victim to click a link in the document to view the content. Clicking the link fetches a downloader (Reader_Install_Setup.exe). The downloader drops a copy of itself named require.exe, together with a clean installer, into the temp folder. It then downloads a DLL (dynamic link library) that is executed via DLL hijacking; the hijacked DLL runs require.exe, which in turn downloads the main module (chrome.exe). The copy is run rather than the original because the downloader's behavior depends on its own name and location: when it runs as require.exe from the temp folder it acts as the second stage, whereas as Reader_Install_Setup.exe it performs the initial drop.

Figure 2: PDF files used in the attack

Figure 3: The installer embedded in the downloader

Webpage

The downloader retrieves Byakugan's main module from thinkforce[.]com[.]br. This is the C2 server from which Byakugan receives files and commands, and it appears to also serve as the attacker's control panel: a login page is exposed on port 8080, and the page's source code describes the panel's features.

Figure 4: The login page

Figure 5: The login page source code

Features

Byakugan is Node.js-based malware packed into an executable with pkg. In addition to the main script, the package contains several libraries, each corresponding to a feature.

Figure 6: The libraries for Byakugan

Figure 7: The functions from the libraries

Additionally, Byakugan can download extra files to perform its functions. These are stored in the default base path, %APPDATA%\ChromeApplication, which is also used to store the data Byakugan collects.

Byakugan has the following features:

  • Screen monitor
    Lib: streamer.js
    It uses OBS Studio to monitor the victim’s desktop.
Figure 8: The configuration and arguments for OBS Studio.

In a previous variant (7435f11e41735736ea95e0c8a66e15014ee238c3a746c0f5b3d4faf4d05215af), Byakugan downloaded the software from its domain. But this is not seen in this newer variant.

  • Screen capture
    Lib: api.js
    Takes screenshots using Windows APIs.
Figure 9: Byakugan calls Windows APIs with Node.js Foreign Function Interface
  • Miner
    Lib: miner.js
    The attacker can decide whether to keep mining while the victim is playing demanding games, since mining would noticeably degrade performance and draw attention. The attacker can also choose between CPU and GPU mining to avoid overloading the system. Byakugan downloads several well-known miners, such as XMRig, T-Rex, and NBMiner, and stores them in a folder named MicrosoftEdge under the base path.
Figure 10: The miners are stored in the MicrosoftEdge folder
  • Keylogger
    Lib: api.js
    The keylogger stores its data in the kl folder under the base path.
Figure 11: It supports diacritics
  • File manipulation
    Lib: files.js
    This provides the functions for file uploading and exploring.
Figure 12: The functions for file exploring
  • Browser information stealer
    Lib: Browser.js
    Byakugan can steal information about cookies, credit cards, downloads, and auto-filled profiles. The data is stored in the bwdat folder under the base path. It can also inject cookies into a specified browser.

In addition, several features help Byakugan survive on the host as long as possible:

  • Anti-analysis
    If the file is not named chrome.exe or is not located in the ChromeApplication folder, it pretends to be a memory manager and exits. This means a sample renamed or run from an analysis directory will not expose its real behavior.
Figure 13: Byakugan pretends to be a memory manager

In addition, it adds its base path to Windows Defender's exclusion list and creates Windows Firewall rules that allow its files to communicate.

  • Persistence
    It drops a task scheduler configuration file into the Defender folder under the base path; the resulting scheduled task runs the malware automatically at startup.
Figure 14: The task for Byakugan
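The following PowerShell snippet is an added example (not code from this report or from FortiGuard Labs) that checks a Windows host for the artifacts described above: the %APPDATA%\ChromeApplication base path with its chrome.exe module and the kl, bwdat, MicrosoftEdge and Defender subfolders, a scheduled task whose action points into that path, a Windows Defender path exclusion covering it, and firewall rules that reference a program under it. The base path and folder names come from the report; the function name, the matching logic and the output format are this example's own assumptions. Run it in an elevated session so that the Defender and firewall cmdlets return complete results.

```powershell
# Added example: triage checks for the Byakugan host artifacts described in the report.
# Assumes the base path %APPDATA%\ChromeApplication and the subfolder names from the
# report; the function name and output layout are this example's own.
function Test-ByakuganArtifacts {
    [CmdletBinding()]
    param(
        # Base path used by Byakugan for downloaded tools and collected data.
        [string]$BasePath = (Join-Path $env:APPDATA 'ChromeApplication')
    )

    $findings = [System.Collections.Generic.List[string]]::new()
    $leaf = Split-Path -Path $BasePath -Leaf   # 'ChromeApplication'

    # 1. Base path, main module and the data/tool subfolders named in the report.
    if (Test-Path -LiteralPath $BasePath) {
        $findings.Add("Base path exists: $BasePath")
        $mainModule = Join-Path $BasePath 'chrome.exe'
        if (Test-Path -LiteralPath $mainModule) {
            $findings.Add("Main module present: $mainModule")
        }
        foreach ($sub in 'kl', 'bwdat', 'MicrosoftEdge', 'Defender') {
            $p = Join-Path $BasePath $sub
            if (Test-Path -LiteralPath $p) {
                $count = (Get-ChildItem -LiteralPath $p -Recurse -File -ErrorAction SilentlyContinue | Measure-Object).Count
                $findings.Add("Subfolder '$sub' present with $count file(s)")
            }
        }
    }

    # 2. Persistence: any scheduled task whose action executes something under the base path.
    Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            if ($action.Execute -and $action.Execute -like "*$BasePath*") {
                $findings.Add("Scheduled task $($task.TaskPath)$($task.TaskName) runs $($action.Execute) $($action.Arguments)")
            }
        }
    }

    # 3. Defense evasion: a Defender path exclusion that covers the base path.
    $prefs = Get-MpPreference -ErrorAction SilentlyContinue
    if ($prefs) {
        foreach ($ex in @($prefs.ExclusionPath)) {
            if ($ex -and ($BasePath -like "$ex*" -or $ex -like "$BasePath*")) {
                $findings.Add("Defender exclusion covers base path: $ex")
            }
        }
    }

    # 4. Defense evasion: firewall rules whose program filter points under the base path.
    Get-NetFirewallApplicationFilter -ErrorAction SilentlyContinue |
        Where-Object { $_.Program -like "*$leaf*" } |
        ForEach-Object {
            $rule = $_ | Get-NetFirewallRule -ErrorAction SilentlyContinue
            if ($rule) {
                $findings.Add("Firewall rule '$($rule.DisplayName)' ($($rule.Action)) for $($_.Program)")
            }
        }

    return $findings
}

$result = Test-ByakuganArtifacts
if ($result.Count -eq 0) { 'No Byakugan artifacts found.' } else { $result }
```

Each check is independent, so a host that has already had the folder removed can still show the scheduled task, the Defender exclusion or the firewall rule; any one of them is worth preserving before remediation because it records the exact path and module name the sample used on that machine.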

Conclusion

There is a growing trend of malware combining clean and malicious components, and Byakugan is no exception. This approach adds noise during analysis, making accurate detection harder. In this case, however, the downloaded files provided critical details about how Byakugan works, which helped us analyze the malicious modules. FortiGuard Labs will continue to monitor this malware and provide updates on this variant as they become available.

Fortinet Protections

The malware described in this report is detected and blocked by FortiGuard Antivirus as:

W64/BKGStealer.854C!tr
W64/BKGStealer.4C6A!tr
W64/BKGStealer.47AF!tr
PDF/TrojanDownloader.Agent.BKN!tr

FortiGate, FortiMail, FortiClient, and FortiEDR support the FortiGuard AntiVirus service. The FortiGuard AntiVirus engine is part of each of these solutions. As a result, customers who have these products with up-to-date protections are protected.

The FortiGuard CDR (content disarm and reconstruction) service can disarm the malicious content, such as the embedded link used in this campaign, in the document.

We also suggest that organizations go through Fortinet’s free NSE training module: NSE 1 – Information Security Awareness. This module is designed to help end users learn how to identify and protect themselves from phishing attacks.

The FortiGuard IP Reputation and Anti-Botnet Security Service proactively blocks these attacks by aggregating malicious source IP data from the Fortinet distributed network of threat sensors, CERTs, MITRE, cooperative competitors, and other global sources that collaborate to provide up-to-date threat intelligence about hostile sources.

If you believe this or any other cybersecurity threat has impacted your organization, please contact our Global FortiGuard Incident Response Team.

IOCs

Git repository

github[.]com/thomasdev33k
github[.]com/fefifojs
github[.]com/wonderreader

C2 Server

blamefade.com[.]br
thinkforce.com[.]br

Files

PDF

c7dbb5e9e65a221a5f78328b5a6141dd46a0459b88248e84de345b2a6e52b1d9
c6fe9169764301cadccb252fbed218a1a997922f0df31d3e813b4fe2a3e6326d
c9a27dbae96afb7d083577d30b2947c8ba9d1a6cb7e10e5f259f0929ef107882

exe

9ef9bbfce214ee10a2e563e56fb6486161c2a623cd91bb5be055f5745edd6479
4d8eac070b6b95f61055b96fb6567a477dbc335ef163c10514c864d9913d23cb
30991c9cac5f4c5c4f382f89055c3b5e9bb373c98ce6a5516d06db3f8a478554
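As an added example (not code from this report or from FortiGuard Labs), the PowerShell function below sweeps a host for the file and network IOCs listed above: it hashes files under the temp folder and the ChromeApplication base path and compares them with the SHA-256 values, flags the file names the report associates with the infection chain (Reader_Install_Setup.exe and require.exe), and looks for the two C2 domains in the DNS client cache. The hashes, domains and file names are copied from the report; the scan locations, the function name and the output format are this example's assumptions.

```powershell
# Added example: sweep for the file and network IOCs listed in the report.
# Hashes, domains and file names are copied from the IOC section; the scan
# locations, function name and output format are this example's assumptions.
function Find-ByakuganIocs {
    [CmdletBinding()]
    param(
        # Locations the report ties to the infection chain: the temp folder
        # (downloader copy and clean installer) and the malware's base path.
        [string[]]$ScanPaths = @(
            $env:TEMP,
            (Join-Path $env:APPDATA 'ChromeApplication')
        )
    )

    # SHA-256 IOCs from the report (three PDF lures, three executables).
    $iocHashes = @(
        'c7dbb5e9e65a221a5f78328b5a6141dd46a0459b88248e84de345b2a6e52b1d9',
        'c6fe9169764301cadccb252fbed218a1a997922f0df31d3e813b4fe2a3e6326d',
        'c9a27dbae96afb7d083577d30b2947c8ba9d1a6cb7e10e5f259f0929ef107882',
        '9ef9bbfce214ee10a2e563e56fb6486161c2a623cd91bb5be055f5745edd6479',
        '4d8eac070b6b95f61055b96fb6567a477dbc335ef163c10514c864d9913d23cb',
        '30991c9cac5f4c5c4f382f89055c3b5e9bb373c98ce6a5516d06db3f8a478554'
    )
    # C2 domains from the report, with the defanging brackets removed so they
    # match real DNS cache entries.
    $iocDomains = @('blamefade.com.br', 'thinkforce.com.br')
    # File names the report associates with the downloader stage.
    $iocNames = @('Reader_Install_Setup.exe', 'require.exe')

    $hits = [System.Collections.Generic.List[pscustomobject]]::new()

    # Hash every file in the scan locations and compare with the IOC list.
    # -in is case-insensitive, so Get-FileHash's upper-case output matches directly.
    foreach ($root in $ScanPaths) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -Recurse -File -ErrorAction SilentlyContinue | ForEach-Object {
            $file = $_
            if ($file.Name -in $iocNames) {
                $hits.Add([pscustomobject]@{ Type = 'FileName'; Indicator = $file.Name; Where = $file.FullName })
            }
            $h = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            if ($h -and $h -in $iocHashes) {
                $hits.Add([pscustomobject]@{ Type = 'SHA256'; Indicator = $h.ToLower(); Where = $file.FullName })
            }
        }
    }

    # Check the DNS client cache for recent resolutions of the C2 domains.
    Get-DnsClientCache -ErrorAction SilentlyContinue | ForEach-Object {
        foreach ($d in $iocDomains) {
            if ($_.Entry -like "*$d" -or $_.Name -like "*$d") {
                $hits.Add([pscustomobject]@{ Type = 'DNS'; Indicator = $d; Where = "$($_.Entry) -> $($_.Data)" })
            }
        }
    }

    return $hits
}

Find-ByakuganIocs | Format-Table -AutoSize
```

The DNS cache is volatile and only records resolutions since the last flush or reboot, so an empty DNS result does not clear the host; the hash and file-name checks, or the scheduled task and Defender exclusion described earlier, are the more durable evidence.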