In January 2024 [3] [4], FortiGuard Labs uncovered a deceptive campaign distributing the Byakugan [1] [2] [3] [4] [5] [6] malware through fake Adobe Acrobat Reader installers.
Description
Byakugan, a node.js-based malware [1] [3] [5], employs DLL hijacking and Windows UAC bypass techniques to execute its final payload [2]. It collects system metadata [1], communicates with a C2 server [1], and drops a main module named “chrome.exe” from a different server [1]. Byakugan is a sophisticated threat that demonstrates adaptability in compromising systems and harvesting sensitive data. It showcases the trend of blending clean and malicious components to evade detection [2], similar to the distribution of the Rhadamanthys information stealer [2]. Threat actors leverage legitimate software like Notepad++ to propagate malware like WikiLoader [2], highlighting the persistence and sophistication of these malicious activities. Byakugan includes a downloader named “require.exe” that downloads the main module from a C2 server [5]. It has capabilities such as monitoring desktops [5], keylogging [5] [6], stealing browser information [4] [5], mining with CPU or GPU [5], storing data in the kl folder [5], and having anti-analysis features [5]. Byakugan is a multi-functional malware distributed in a PDF file collected by FortiGuard Labs in January 2024 [4]. It can download extra files to perform its functions [4], storing them in the default base path %APPDATA%ChromeApplication [4]. The malware can monitor screens using OBS Studio, steal browser information [4] [5], inject cookies into a specified browser [4], and store data in the bwdat folder under the base path [4].
Conclusion
The use of both clean and malicious components in Byakugan increases the complexity of analysis [4]. However, critical details from downloaded files have aided in understanding its malicious modules [4]. To stay safe [5], users should exercise caution with emails [5], use strong passwords [5], keep software updated [5], and avoid clicking on suspicious links or downloading attachments [5].
References
[1] https://eesec.org/blog/how-fake-adobe-acrobat-reader-installers-distribute-byakugan-malware
[2] https://cybermaterial.com/byakugan-malware-targets-adobe-reader/
[3] https://cybersecuritynews.com/hackers-weaponized-pdf-files/
[4] https://www.loyalshare.in/byakugan-the-malware-behind-a-phishing-attack/
[5] https://www.hackread.com/phishing-scam-drops-byakugan-malware-fake-pdf/
[6] https://www.infosecurity-magazine.com/news/byakugan-infostealer-capabilities/