New research has shed light on the intricate workings of the Byakugan malware, initially detected in January.
During an investigation into a campaign featuring malware concealed within PDFs, the FortiGuard Labs team unearthed additional insights about the malware. Last Thursday, they issued an advisory spotlighting Byakugan’s infostealer capabilities.
According to the technical write-up, Byakugan’s modus operandi shares similarities with previously discovered malware, including the use of deceptive tactics to lure victims. By disguising itself as an Adobe Reader installer in a Portuguese PDF, users are prompted to download and execute the malware.
The PDF prompts victims to click a concealed link, triggering a chain of events leading to the download of a downloader. This downloader, named “require.exe,” alongside a benign installer, is deposited into the system’s temp folder. Subsequently, a DLL is downloaded, executed via DLL-hijacking to fetch the main module, “chrome.exe.”
Byakugan’s main module, in particular, is retrieved from a designated command-and-control (C2) server, potentially serving as the attacker’s control panel. Its functionalities, as gleaned from source code descriptions, are diverse. Byakugan, packed using node.js and pkg, incorporates several libraries catering to various tasks.
These functions include screen monitoring, screen capturing, cryptocurrency mining, keylogging, file manipulation and browser information theft. Notably, Byakugan can adapt its mining activities based on system usage, avoiding performance impact during high-demand tasks.
To sustain its operation, Byakugan employs anti-analysis measures and ensures persistence by configuring the task scheduler to execute upon system startup. This dual approach of incorporating both benign and malicious components complicates the analysis, making accurate detection challenging.
“There is a growing trend to use both clean and malicious components in malware, and Byakugan is no exception,” reads the advisory.
“This approach increases the amount of noise generated during analysis, making accurate detections more difficult. However, the downloaded files provided critical details about how Byakugan works, which helped us analyze the malicious modules.”
Read more on similar malware: Infostealer Lumma Evolves With New Anti-Sandbox Method