New findings have come to light about the Byakugan malware, first identified in January. While investigating a campaign that hid malware inside PDF files, the FortiGuard Labs team uncovered new details of Byakugan’s capabilities as an infostealer.
In a recent advisory, the FortiGuard Labs team reported that Byakugan relies on the same social-engineering approach as much earlier malware: it poses as an Adobe Reader installer, delivered through a Portuguese-language PDF, to trick users into downloading and running it.
The PDF prompts the victim to click a link, which downloads a downloader named “require.exe” together with a benign installer into the system’s temp folder. A DLL is then downloaded and executed through DLL hijacking (the legitimate installer is made to load it), and that DLL fetches the main module, a file named “chrome.exe” that is not the browser.
Byakugan’s main module is downloaded from a designated command-and-control (C2) server, which may also serve as the attacker’s control panel. The module is packed with node.js and pkg and bundles libraries for screen monitoring, screen capture, cryptocurrency mining, keylogging, file manipulation, and theft of browser data. Notably, the miner throttles itself according to system load so that it does not degrade performance during demanding tasks, which keeps the infection less conspicuous to the user.
Byakugan establishes persistence by configuring a scheduled task that runs it at system startup, and it also includes anti-analysis measures. Because the infection chain mixes benign components (the legitimate installer) with malicious ones, analysts see more noise, which makes accurate detection harder.
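As an added illustration (this is not code from the advisory or from FortiGuard), the following Python script runs a few hunting heuristics drawn from the chain described above over constructed event records: a binary named require.exe executing from the temp folder, a process in temp loading an unsigned DLL from its own directory (the side-loading pattern), chrome.exe running from anywhere other than the Chrome install directory, and a startup scheduled task whose action points into a user-writable path. The event layout loosely follows Sysmon-style process-creation, image-load and task-creation records; that layout, the user name, the installer and DLL file names, and the Chrome install paths are assumptions, and only require.exe and chrome.exe come from the advisory.

```python
"""Hunting heuristics for a Byakugan-style delivery chain.

Runs over constructed sample events (not real telemetry). Field names are an
assumption modelled on Sysmon-style logging; every path and file name except
require.exe and chrome.exe is hypothetical.
"""
import ntpath
import re

# Matches a "\Temp\" or "\tmp\" path component, case-insensitively.
TEMP_RE = re.compile(r"\\(Temp|tmp)\\", re.IGNORECASE)

# Assumed legitimate install locations for the real Chrome binary.
TRUSTED_CHROME_DIRS = (
    r"c:\program files\google\chrome\application",
    r"c:\program files (x86)\google\chrome\application",
)


def in_temp(path):
    return bool(TEMP_RE.search(path))


def dirname_lower(path):
    return ntpath.dirname(path).lower()


def check_process_create(ev):
    """Flag the downloader name running from temp, and any chrome.exe that is
    not launched from the Chrome install directory."""
    image = ev["Image"]
    name = ntpath.basename(image).lower()
    findings = []
    if name == "require.exe" and in_temp(image):
        findings.append(f"downloader-like binary in temp: {image}")
    if name == "chrome.exe" and dirname_lower(image) not in TRUSTED_CHROME_DIRS:
        findings.append(f"chrome.exe outside Chrome install path: {image}")
    return findings


def check_image_load(ev):
    """DLL side-loading heuristic: a process running from temp loads a DLL that
    sits beside it and does not carry a Microsoft signature."""
    image, loaded = ev["Image"], ev["ImageLoaded"]
    if not loaded.lower().endswith(".dll"):
        return []
    same_dir = dirname_lower(image) == dirname_lower(loaded)
    unsigned = ev.get("Signature", "").lower() != "microsoft windows"
    if in_temp(image) and same_dir and unsigned:
        return [f"possible DLL hijack: {ntpath.basename(image)} loaded {loaded}"]
    return []


def check_task_create(ev):
    """Persistence heuristic: a scheduled task that runs at boot or logon and
    whose action lives in temp or under the user profile's AppData."""
    action = ev["Action"]
    trigger = ev.get("Trigger", "").lower()
    writable = in_temp(action) or "\\appdata\\" in action.lower()
    if writable and trigger in ("logon", "boot"):
        return [f"startup task running from user-writable path: {ev['TaskName']} -> {action}"]
    return []


DISPATCH = {
    "ProcessCreate": check_process_create,
    "ImageLoad": check_image_load,
    "TaskCreate": check_task_create,
}


def scan(events):
    """Apply the matching heuristic to each event and collect all findings."""
    findings = []
    for ev in events:
        findings.extend(DISPATCH[ev["Type"]](ev))
    return findings


# Constructed sample telemetry modelled on the chain in the advisory; the user
# name, installer name and helper.dll are hypothetical.
TEMP = r"C:\Users\alice\AppData\Local\Temp"
SAMPLE_EVENTS = [
    {"Type": "ProcessCreate", "Image": TEMP + r"\require.exe"},
    {"Type": "ProcessCreate", "Image": TEMP + r"\Reader_Install_Setup.exe"},
    {"Type": "ImageLoad", "Image": TEMP + r"\Reader_Install_Setup.exe",
     "ImageLoaded": TEMP + r"\helper.dll", "Signature": ""},
    {"Type": "ImageLoad", "Image": TEMP + r"\Reader_Install_Setup.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signature": "Microsoft Windows"},
    {"Type": "ProcessCreate", "Image": TEMP + r"\chrome.exe"},
    {"Type": "ProcessCreate", "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"Type": "TaskCreate", "TaskName": "Updater",
     "Action": TEMP + r"\chrome.exe", "Trigger": "logon"},
]

if __name__ == "__main__":
    for line in scan(SAMPLE_EVENTS):
        print(line)
```

Run as-is, the script reports four findings for the constructed events: the downloader in temp, the side-loaded DLL, the lookalike chrome.exe, and the logon task pointing into temp, while the signed system DLL load and the real Chrome binary pass clean. The same checks translate directly into SIEM rules over Sysmon event IDs 1, 7 and the task-scheduler operational log.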
The advisory stated, “There is a growing trend to use both clean and malicious components in malware, and Byakugan is no exception. This approach increases the amount of noise generated during analysis, making accurate detections more difficult. However, the downloaded files provided critical details about how Byakugan works, which helped us analyze the malicious modules.”
For more information on similar malware, you can read about Infostealer Lumma and its evolution with a new anti-sandbox method. Stay informed about the latest cybersecurity threats and protect yourself from potential attacks.