An Interloper Listening in On Your Calls

While most backdoor attacks have limited functionality, Skype has a sophisticated nuisance that’s come-a-knocking, referred to as T900, a variant of the T5000 malware family. Secure Sense partner FireEye reported about this family back in 2014, when the T5000 sent out a spear-phishing campaign through emails with an attachment titled, “Malaysian Airlines MH370.doc”. When opened, this blank document released malicious code onto user’s systems.

This Trojan however, poses an unexpected attack method by first focusing on identifying a total of 24 potential security products running on a system, including Sophos, BitDefender, McAfee, Norton and Kaspersky. It then adjusts the installation process to avoid the discovered cyber defenses. Once the Trojan infects the user’s system, it then begins to collect personal data through compromising the Skype video calling software. Information pulled from video or audio calls and chat messages then become stored in a specially crafted directory called “Intel”, which allows the hackers to mine for sensitive data. Network Security company, Palo Alto, was able to see a sample of the T900 through exploits for CVE-2012-1856 and CVE-2015-1641 vulnerabilities. They have outlined exactly how the Trojan’s process works in stages and you can see an expansion of that here.

palo alto
[i] Image from Palo Alto, showing the multistage execution flow of T900

Skype users have been warned to be on the alert for any request by ‘explorer.exe’, as this is what actually allows the malware to steal audio, video and text files.

Connect with Secure Sense to protect data, your network, and systems 24/7, 365 days a year. If you have questions or want to learn more, please contact Secure Sense by calling 866-999-7506. Follow us on LinkedIn and Twitter @Securesense for current company and industry news.

[i] Image retrieved from: