Categories: SecurityWorkspace

Cyber-Espionage Malware Taps Into Skype Calls

Security researchers have uncovered an unusually complex malware attack that seeks to tap Skype communications, going to great lengths to avoid detection as it does so.

The malware is the latest iteration in a family of attack code that has previously been linked to cyber-espionage activities possibly sponsored by the Chinese government, according to an advisory by Palo Alto Networks.


The Trojan horse, called T9000, has been detected in malicious email attachments such as RTF files, according to Palo Alto. Once a user activates the file, the Trojan makes use of known vulnerabilities in Windows to install a back door, and then seeks to download additional components that allow it to listen in on Skype conversations, take screenshots of specific applications and capture encrypted data, Palo Alto said.

The malware scans for an unusually large number of security tools before installing new components, taking steps to avoid specific tools that are installed, and takes other measures to avoid detection, according to Palo Alto.

“It uses a multi-stage installation process with specific checks at each point to identify if it is undergoing analysis by a security researcher,” the researchers wrote.

One module allows the malware to record audio and video conversations and text chats in Skype, as well as taking regular screenshots of Skype and other applications, Palo Alto said.

A second steals documents from an infected system and local removable storage, while a third allows the malware to receive commands from a remote server.

Targeted attacks

Palo Alto said it had detected T9000 in targeted attack emails directed against US organisations. It’s a more advanced version of a Trojan known as T5000, also known as Plat1, which was detected in 2013 and 2014 targeting human rights organisations, car makers and government bodies in the Asia-Pacific region.

The 2014 malware attacks, which were delivered via emails pretending to contain information about the disappearance of Malaysian Airlines Flight MH370, were linked to a group called admin@338, thought to be backed by the Chinese government.

T9000’s unusual degree of sophistication indicates that it, too, may be a cyber-espionage tool put into play by a nation state, Palo Alto said.

“The author of this backdoor has gone to great lengths to avoid being detected and to evade the scrutiny of the malware analysis community,” the group stated.

In 2013 security firm Mandiant claimed that a major hacking group known as APT1 was backed by the Chinese government, on behalf of which it has carried out sophisticated attacks since 2006.

Are you a security pro? Try our quiz!

Matthew Broersma

Matt Broersma is a long standing tech freelance, who has worked for Ziff-Davis, ZDnet and other leading publications

Recent Posts

OpenAI, Broadcom In Talks Over Development Of AI Chip – Report

Rebelling against Nividia? OpenAI is again reportedly exploring the possibility of developing its own AI…

17 hours ago

Microsoft Outage Impacts Airlines, Media, Banks & Businesses Globally

IT outage causes major disruptions around the world, after Crowdstrike update allegedly triggers Microsoft outages

19 hours ago

GenAI Integration Efforts Hampered By Costs, SnapLogic Finds

Hefty investment. SnapLogic research finds UK businesses are setting aside three-quarters of their IT budgets…

2 days ago

Meta Refuses EU Release Of Multimodal Llama AI Model

Mark Zuckerberg firm says European regulatory environment too ‘unpredictable’, so will not release multimodal Llama…

2 days ago

Synchron Announces Brain Interface Chat Powered by OpenAI

Brain implant firm Synchron offers AI-driven emotion and language predictions for users, powered by OpenAI's…

2 days ago