T9000 malware records Skype calls, screenshots, and text messages to steal data

Sophisticated Trojan goes to 'great lengths' to avoid detection by security products, warn Palo Alto researchers
Written by Danny Palmer, Senior Writer

A security researcher demonstrating how T9000 malware can record Skype call.

Image: Palo Alto Networks

A new strain of sophisticated malware which can take recordings and screenshots of Skype activity -- all while avoiding detection by security software -- has been discovered.

The Trojan has been dubbed T9000 and researchers at security company Palo Alto Networks have warned that it goes to great lengths to avoid being detected.

T9000 represents a new variant of the T5000 malware family and poses something of a unusual threat in that it works to identify a total of 24 potential security products running on a system and then alters its installation procedure in order to avoid the relevant cyber defences.

The malware is capable of avoiding detection by a number of high profile -- and commonly used -- security tools, the researchers said.

Once T9000 has infected a system, its main goal is to collect information about the targeted victim which is does by compromising Skype video calling software. After the malware has hooked into Skype, it records video calls, audio calls, and chat messages, then it stores them in a directory specially created by the Trojan called "Intel", which the attackers can mine for data.

A system gets infected with T9000 when the user inadvertently opens an RTF file compromised with exploits for both CVE-2012-1856 and CVE-2015-1641 vulnerabilities. The malware can then be used to "automatically capture data about the infected system and steal files of specific types stored on removable media", wrote Palo Alto researchers Josh Grunzweig and Jen Miller-Osborn.

In being able to record the actions taken by victims, attackers could potentially gain access to and steal documents, files, usernames, and passwords.

To ensure they're not infected by the T9000 Trojan, Skype users have been warned to be wary of a request by 'explorer.exe' to use Skype, as that's what allows the malware to record and store video, audio, and text files.

According to the warning by researchers, T9000 has been used in a number of targeted attacks against organisations in the US, although the malware has the potential to infect a network anywhere in the world.

Palo Alto said it's released the information on T9000 in an effort to prevent others being compromised by the sophisticated malware.

"The author of this backdoor has gone to great lengths to avoid being detected and to evade the scrutiny of the malware analysis community. We hope that sharing the details of how this tool works as well as the indicators in the section below will help others defend themselves against attacks using this tool," the researchers said.

The warning doesn't speculate about who's behind the T9000 Trojan, but instances of T5000 malware detected in 2014 -- which duped users into opening emails claiming to contain information about the high-profile disappearance of Malaysian Airlines Flight MH370 -- were linked to a cyber espionage group suspected to have Chinese government backing.

Read more about cybersecurity

Editorial standards