Deploying a backdoor that both extracts sensitive data and enables full remote access to compromised devices
Kaspersky’s Global Research and Analysis Team (GReAT) has recently discovered a new malicious campaign involving the PipeMagic Trojan, which has shifted from targeting entities in Asia to expanding its reach to organizations in Saudi Arabia.
The attackers are using a fake ChatGPT application as bait, deploying a backdoor that both extracts sensitive data and enables full remote access to compromised devices. The malware also operates as a gateway, enabling the introduction of additional malware and the launch of further attacks across corporate network.
Kaspersky initially discovered PipeMagic backdoor in 2022, this plugin-based trojan was targeting entities in Asia at that time. The malware is capable of functioning as both a backdoor and a gateway. In September 2024, Kaspersky’s GReAT observed a resurgence of PipeMagic, this time targeting organizations in Saudi Arabia.
This version uses a fake ChatGPT application, built with the Rust programming language. At first glance, it appears legitimate, containing several common Rust libraries used in many other Rust-based applications. However, when executed, the application displays a blank screen with no visible interface and hides a 105,615-byte array of encrypted data which is a malicious payload.
In the second stage, the malware searches for key Windows API functions, by searching the corresponding memory offsets using names hashing algorithm. It then allocates memory, loads the PipeMagic backdoor, adjusts necessary settings, and executes the malware.
One of unique features of PipeMagic is that it generates a 16-byte random array to create a named pipe in the format \\.\pipe\1.<hex string>. It spawns a thread that continuously creates this pipe, reads data from it, and then destroys it. This pipe is used for receiving encoded payloads, stop signals via the default local interface. PipeMagic usually works with multiple plugins downloaded from a command-and-control (C2) server, which, in this case, was hosted on Microsoft Azure.
“Cybercriminals are constantly evolving their strategies to reach more prolific victims and broaden their presence, as demonstrated by the PipeMagic Trojan’s recent expansion from Asia to Saudi Arabia. Given its capabilities, we expect to see an increase in attacks leveraging this backdoor,’ comments Sergey Lozhkin, Principal Security Researcher at Kaspersky’s GReAT.
In order to avoid falling victim to a targeted attack by a known or unknown threat actor, Kaspersky researchers recommend implementing the following measures:
Be cautious when downloading software from the internet, especially if it’s from a third-party website. Always try to download software from the official website of the company or service that you are using.
Provide your SOC team with access to the latest threat intelligence (TI). Kaspersky Threat Intelligence is a single point of access for the company’s TI, providing it with cyberattack data and insights gathered by Kaspersky spanning over 20 years.
Upskill your cybersecurity team to tackle the latest targeted threats with Kaspersky online training developed by GReAT experts.
For endpoint level detection, investigation, and timely remediation of incidents, implement EDR solutions such as Kaspersky Next.
In addition to adopting essential endpoint protection, implement a corporate-grade security solution that detects advanced threats on the network level at an early stage, such as Kaspersky Anti Targeted Attack Platform.
As many targeted attacks start with phishing or other social engineering techniques, introduce security awareness training and teach practical skills to your team.
To gain exclusive insights into the latest APT campaigns and emerging trends in the threat landscape, register for the Security Analyst Summit here.
