A new multifunctional backdoor malware, called DevOpt, has been detected. It works as a clipper, a keylogger, a credential stealer, and a file grabber. Moreover, multiple variants of this malware have been observed within a span of a few days, suggesting that its developers are actively improving it.
Multifaceted capabilities
Zscaler researchers have released a technical report detailing various capabilities of DevOpt. In addition to typical backdoor behavior, it exhibits several additional functionalities.
Clipper: Once installed on the victim's device, DevOpt allows the attacker to record the data placed on the clipboard. All data copied to the clipboard is stored in a local file named clippa.dan.
Stealer: It steals sensitive data, including login credentials, cookies, browsing history, and version-related information from Chrome and Yandex browsers, and stores it in files named cdck.bin and bdck.bin.
Keylogger: The malware logs all the keystrokes of the user and stores them in the file named Kebba.dan.
Grabber: It can further grab various files, including Word documents, Excel spreadsheets, text files, and RTF documents stored in the Documents, Downloads, and other desktop directories, and saves the collected data to a file named grb.bin.
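The report names the local files DevOpt uses to stage collected data (clippa.dan, cdck.bin, bdck.bin, Kebba.dan, grb.bin). The following is an added example, not code from the Zscaler report or from the malware, of a simple host-side hunt for those artifact names; the directory tree it scans is a constructed sample, and the match is on file name only, which is a weak indicator that should be combined with other evidence.

```python
import os
import tempfile
from pathlib import Path
from typing import List, Tuple

# Staging file names attributed to DevOpt in the analysis summarised above.
# Matching is case-insensitive so that e.g. "Kebba.dan" and "kebba.dan" both hit.
DEVOPT_ARTIFACTS = {
    "clippa.dan": "clipper output",
    "cdck.bin": "browser data (stealer)",
    "bdck.bin": "browser data (stealer)",
    "kebba.dan": "keylogger output",
    "grb.bin": "file grabber output",
}


def hunt_devopt_artifacts(root: str) -> List[Tuple[str, str, int]]:
    """Walk `root` and return (basename, description, size_in_bytes) for every
    file whose name matches a known DevOpt staging file name."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            desc = DEVOPT_ARTIFACTS.get(name.lower())
            if desc is None:
                continue
            full = os.path.join(dirpath, name)
            try:
                size = os.path.getsize(full)
            except OSError:  # file vanished or unreadable between walk and stat
                size = -1
            hits.append((name, desc, size))
    return sorted(hits)


def build_sample_tree(base: str) -> None:
    """Constructed sample (not real malware output): one benign file plus two
    files carrying DevOpt-style artifact names."""
    Path(base, "Documents").mkdir(parents=True, exist_ok=True)
    Path(base, "Documents", "notes.txt").write_text("benign")
    Path(base, "Kebba.dan").write_bytes(b"constructed keystroke log")
    Path(base, "Documents", "grb.bin").write_bytes(b"\x00" * 16)


def run_demo() -> List[Tuple[str, str, int]]:
    """Build the constructed tree in a temp directory and hunt it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return hunt_devopt_artifacts(tmp)


if __name__ == "__main__":
    for name, desc, size in run_demo():
        print(f"{name}: {desc}, {size} bytes")
```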
Attack tactics
The malware, developed in the Free Pascal language, is being distributed via fake websites using social engineering tricks.
A Russian website was offering users some monetary rewards for performing certain tasks.
One of the tasks involved downloading the malware masquerading as an archive file. When a user double-clicks the archive file to open it, the malware gets executed.
Multiple variants
Within the past few days, multiple variants of DevOpt have surfaced, indicating that the malware is in active development. Researchers have analyzed two notable variants.
The older variant is around 20 MB in size and does not implement string obfuscation techniques. It includes a graphical user interface for interaction. The newer variant is smaller in size (2 MB) and uses integer-based encoded strings to evade detection.
The older version requires user interaction to extract itself, while the newer version gets executed in the background silently, without the need for user interaction.
Concluding notes
Multifunctional malware such as DevOpt is becoming increasingly common. A few days ago, researchers revealed the Cinoshi platform, which offers an all-in-one malware service. To keep up with such a rapidly evolving threat ecosystem, organizations must continuously improve their defense approaches and implement a multi-layered defense architecture.