Cyber-Espionage Malware Taps Into Skype Calls


The T9000 malware is the latest in a line that has previously been linked to cyber-spies, researchers say

Security researchers have uncovered an unusually complex malware attack that seeks to tap Skype communications, going to great lengths to avoid detection as it does so.

The malware is the latest iteration in a family of attack code that has previously been linked to cyber-espionage activities possibly sponsored by the Chinese government, according to an advisory by Palo Alto Networks.


The Trojan horse, called T9000, has been detected in malicious email attachments such as RTF files, according to Palo Alto. Once a user activates the file, the Trojan makes use of known vulnerabilities in Windows to install a back door, and then seeks to download additional components that allow it to listen in on Skype conversations, take screenshots of specific applications and capture encrypted data, Palo Alto said.

The malware scans for an unusually large number of security tools before installing new components, taking steps to avoid specific tools that are installed, and takes other measures to avoid detection, according to Palo Alto.

“It uses a multi-stage installation process with specific checks at each point to identify if it is undergoing analysis by a security researcher,” the researchers wrote.

One module allows the malware to record audio and video conversations and text chats in Skype, as well as taking regular screenshots of Skype and other applications, Palo Alto said.

A second steals documents from an infected system and local removable storage, while a third allows the malware to receive commands from a remote server.

Targeted attacks

Palo Alto said it had detected T9000 in targeted attack emails directed against US organisations. It’s a more advanced version of a Trojan known as T5000, also known as Plat1, which was detected in 2013 and 2014 targeting human rights organisations, car makers and government bodies in the Asia-Pacific region.

The 2014 malware attacks, which were delivered via emails pretending to contain information about the disappearance of Malaysian Airlines Flight MH370, were linked to a group called admin@338, thought to be backed by the Chinese government.

T9000’s unusual degree of sophistication indicates that it, too, may be a cyber-espionage tool put into play by a nation state, Palo Alto said.

“The author of this backdoor has gone to great lengths to avoid being detected and to evade the scrutiny of the malware analysis community,” the group stated.

In 2013 security firm Mandiant claimed that a major hacking group known as APT1 was backed by the Chinese government, on behalf of which it has carried out sophisticated attacks since 2006.

Are you a security pro? Try our quiz!