Kaspersky’s Global Research and Analysis Team (GReAT) recently exposed a new cyberattack campaign utilizing the dangerous PipeMagic Trojan. The attack specifically targets businesses, starting in Asia and spreading to organizations in Saudi Arabia. Cybercriminals exploit a fake ChatGPT app, designed to lure victims, while embedding a backdoor that extracts sensitive data and allows remote access to compromised devices.
The malicious software serves as both a gateway and a launching pad for additional malware attacks on corporate networks. Disguised as a legitimate application built using the Rust programming language, the Trojan mimics genuine software to deceive unsuspecting users. Once launched, the app displays a blank screen but secretly unleashes an encrypted payload of 105,615 bytes.
PipeMagic Trojan uses advanced techniques
Kaspersky initially identified PipeMagic in 2022, noting its alarming potential to compromise organizations across various sectors. While the initial attacks remained limited to Asia, the recent resurgence of the Trojan in Saudi Arabia demonstrates the expansion of the threat. The malware now uses advanced techniques, including memory allocation and obfuscation of Windows API functions, to evade detection and successfully infiltrate systems.
PipeMagic’s distinguishing trait is its use of a named pipe in the format \\.\pipe\1.<hex string>, which the Trojan continuously creates, reads from, and destroys in a loop. These pipes allow the Trojan to receive encoded payloads and block local interface signals. The malware frequently communicates with command-and-control (C2) servers hosted on Microsoft Azure, from which it downloads additional modules for further exploitation.
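The pipe-naming pattern above is the kind of host artifact a defender can check for. The following script is an added example, not code from Kaspersky or from the article: it turns the reported format (\\.\pipe\1.<hex string>) into a reusable check and runs it over a constructed list of pipe names; on Windows it will also enumerate the live named-pipe namespace. The function names and the sample pipe names are assumptions made for this example.

```python
import os
import re
import sys

# Windows named-pipe namespace prefix, \\.\pipe\ (backslashes doubled for Python).
PIPE_PREFIX = "\\\\.\\pipe\\"

# Naming pattern reported for PipeMagic: "1." followed by a hex string.
# Note: other software could use a similar name; treat a match as a lead, not proof.
PIPEMAGIC_NAME = re.compile(r"^1\.[0-9a-f]+$", re.IGNORECASE)


def pipe_basename(name: str) -> str:
    """Strip the \\.\pipe\ prefix if present and return the bare pipe name."""
    if name.lower().startswith(PIPE_PREFIX.lower()):
        return name[len(PIPE_PREFIX):]
    return name


def is_suspicious_pipe_name(name: str) -> bool:
    """True when the pipe name matches the reported PipeMagic format."""
    return PIPEMAGIC_NAME.match(pipe_basename(name)) is not None


def find_suspicious_pipes(names):
    """Return the subset of names that match the PipeMagic pattern, order preserved."""
    return [n for n in names if is_suspicious_pipe_name(n)]


def enumerate_local_pipes():
    """List currently open named pipes on a Windows host; empty list elsewhere.

    Listing \\.\pipe\ with os.listdir enumerates the pipe namespace on Windows.
    """
    if sys.platform != "win32":
        return []
    try:
        return os.listdir(PIPE_PREFIX)
    except OSError:
        return []


# Constructed sample data for offline use (hypothetical names, not real IoCs).
SAMPLE_PIPE_NAMES = [
    "1.0a3f9c2e7b1d4f60",        # matches the reported format
    "1.DEADBEEF",                # hex is matched case-insensitively
    "1.notahex",                 # "1." but not followed by hex
    "1.",                        # empty hex string, does not match
    "mojo.1234.5678.12345",      # ordinary browser pipe name
    "\\\\.\\pipe\\1.ff00aa",     # full path form is normalised first
]


if __name__ == "__main__":
    # Prefer the live namespace when running on Windows; otherwise use the sample set.
    names = enumerate_local_pipes() or SAMPLE_PIPE_NAMES
    hits = find_suspicious_pipes(names)
    print(f"checked {len(names)} pipe name(s), {len(hits)} matched the pattern")
    for hit in hits:
        print("  suspicious:", hit)
```

Running the check once gives a snapshot only; because the Trojan creates and destroys the pipe repeatedly, a host-based scan is more useful when repeated over time or paired with telemetry that records pipe creation events, so a transient pipe is not missed between runs.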
Sergey Lozhkin, Kaspersky’s GReAT Security Research Leader, highlighted the evolving nature of cybercriminal strategies. “Cybercriminals adapt to reach more efficient targets, as seen in PipeMagic’s expansion from Asia to Saudi Arabia. We expect an increase in attacks using this backdoor,” Lozhkin warned.
Kaspersky urges organizations to adopt comprehensive cybersecurity measures, including downloading software from official sources, enhancing endpoint protection, and conducting cybersecurity training for employees to combat phishing and other social engineering techniques.