New findings have come to light about the Byakugan malware, which first appeared in January. FortiGuard Labs has been investigating a campaign that conceals malware inside PDF files, and that work has yielded new insight into Byakugan’s infostealer capabilities. The team’s recent advisory focuses on how Byakugan operates.
Byakugan’s tactics resemble those of previously identified malware: it relies on deceptive lures to entice victims. In this campaign, Byakugan poses as an Adobe Reader installer inside a Portuguese-language PDF, tricking users into downloading and executing the malware. The PDF prompts the victim to click a hidden link, which sets off a chain of actions: a downloader named “require.exe” is fetched together with a harmless installer, and both are placed in the system’s temp folder. A DLL is then downloaded and executed via DLL hijacking, and that DLL fetches the main module, “chrome.exe.”
The main module of Byakugan is retrieved from a specified command-and-control (C2) server, which may also serve as the attacker’s control panel. The module’s capabilities, as described in its source code, are extensive. Byakugan is packaged using node.js and pkg, and it incorporates a range of libraries to handle different tasks.
These tasks include screen monitoring, screen capturing, cryptocurrency mining, keylogging, file manipulation, and theft of browser information. Notably, Byakugan can adjust its mining activities based on system usage to avoid impacting performance during high-demand tasks.
Byakugan also employs anti-analysis measures and, to persist across reboots, registers a scheduled task that runs at system startup. Its mix of benign and malicious components complicates analysis and makes accurate detection harder.
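The infection chain above (a downloader and a benign installer dropped into the temp folder, a DLL hijack, and a main module masquerading as “chrome.exe”) and the startup scheduled task described for persistence leave traces a defender can hunt for. The following is an added example, not code from the advisory or from FortiGuard Labs: three small heuristics run over constructed telemetry records. The field names, the sample paths, the user name “ana”, the task name “Updater”, and the DLL name “sideloaded.dll” are all invented for illustration, and the baseline Chrome install paths are an assumption that a defender would replace with their own environment’s inventory.

```python
"""Hunting heuristics for the Byakugan-style infection chain described above.

Added example with constructed telemetry; field names are not any
product's schema. Only the three behaviours named in the article are
checked: startup tasks launching from temp, chrome.exe outside its
normal install path, and a DLL loaded from the same temp directory as
the executable that loaded it.
"""
from dataclasses import dataclass
import ntpath

# Substrings that identify a per-user or system temp directory (lower-cased).
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")

# Assumption: where a genuine chrome.exe normally lives. Replace with the
# paths from your own software inventory.
CHROME_BASELINE = (
    "c:\\program files\\google\\chrome\\application\\chrome.exe",
    "c:\\program files (x86)\\google\\chrome\\application\\chrome.exe",
)


@dataclass
class ScheduledTask:
    name: str
    trigger: str   # e.g. "AtStartup", "AtLogon", "Daily"
    action: str    # executable the task launches


@dataclass
class ImageLoad:
    process_image: str   # executable that loaded the module
    module_path: str     # DLL that was loaded


def in_temp(path: str) -> bool:
    """True if the path sits under a temp directory."""
    low = path.lower()
    return any(marker in low for marker in TEMP_MARKERS)


def suspicious_tasks(tasks):
    """Names of tasks that fire at boot/logon and run a binary out of temp."""
    return [t.name for t in tasks
            if t.trigger.lower() in ("atstartup", "atlogon") and in_temp(t.action)]


def masquerading_chrome(process_images):
    """Images named chrome.exe that are not at a baseline install path."""
    return [img for img in process_images
            if ntpath.basename(img).lower() == "chrome.exe"
            and img.lower() not in CHROME_BASELINE]


def temp_sideloads(loads):
    """(process, dll) pairs where a DLL in temp was loaded from the loader's own directory,
    the footprint a DLL hijack from a dropped installer leaves behind."""
    hits = []
    for ev in loads:
        same_dir = (ntpath.dirname(ev.module_path).lower()
                    == ntpath.dirname(ev.process_image).lower())
        if in_temp(ev.module_path) and same_dir:
            hits.append((ev.process_image, ev.module_path))
    return hits


# Constructed sample telemetry (not real IoCs): one benign and one
# suspicious record per category.
SAMPLE_TASKS = [
    ScheduledTask("GoogleUpdateTaskMachine", "Daily",
                  r"C:\Program Files\Google\Update\GoogleUpdate.exe"),
    ScheduledTask("Updater", "AtStartup",
                  r"C:\Users\ana\AppData\Local\Temp\chrome.exe"),
]
SAMPLE_PROCESS_IMAGES = [
    r"C:\Program Files\Google\Chrome\Application\chrome.exe",
    r"C:\Users\ana\AppData\Local\Temp\chrome.exe",
]
SAMPLE_LOADS = [
    ImageLoad(r"C:\Windows\System32\notepad.exe",
              r"C:\Windows\System32\kernel32.dll"),
    # "sideloaded.dll" is a placeholder name; the article does not name the DLL.
    ImageLoad(r"C:\Users\ana\AppData\Local\Temp\require.exe",
              r"C:\Users\ana\AppData\Local\Temp\sideloaded.dll"),
]


def run_report(tasks=SAMPLE_TASKS, images=SAMPLE_PROCESS_IMAGES, loads=SAMPLE_LOADS):
    """Run all three heuristics and return the findings as one dict."""
    return {
        "startup_tasks_from_temp": suspicious_tasks(tasks),
        "chrome_outside_baseline": masquerading_chrome(images),
        "temp_dll_sideloads": temp_sideloads(loads),
    }


if __name__ == "__main__":
    for category, findings in run_report().items():
        print(f"{category}: {findings}")
```

Each heuristic is deliberately narrow: the temp-folder checks will fire on legitimate installers that stage a DLL in temp, and a renamed or relocated Chrome will trip the baseline check, so treat the output as a triage queue to correlate with the task’s creation time and the process’s parent rather than as a verdict.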
“There is a growing trend of incorporating both clean and malicious components in malware, and Byakugan follows suit,” the advisory states. “This approach increases the complexity of analysis, making accurate detections more difficult. However, the downloaded files provided crucial insights into Byakugan’s operations, aiding in the analysis of the malicious modules.”
For more information on similar malware, you can also read about Infostealer Lumma, which has evolved with new anti-sandbox methods to evade detection.