Since the beginning of the year, pro-Syrian-government hackers have steadily escalated the frequency and sophistication of their attacks on Syrian opposition activists. We have reported on several Trojans, which covertly install spying software onto the infected computer, as well as phishing attacks which steal YouTube and Facebook login credentials.

The latest surveillance malware comes in the form of an extracting file which is made to look like a PDF if you have file extensions turned off. The PDF purports to be a document concerning the formation of the leadership council of the Syrian revolution and is delivered via Skype message from a known friend. The malware installs a remote administration tool called DarkComet RAT, which can capture webcam activity, disable the notification setting for certain antivirus programs, record key strokes, steal passwords, and more. It sends this data back to the same IP address in Syrian IP space that was used in several previous attacks, including the attacks reported by CNN in February, the Xtreme RAT Trojan EFF reported in March, and this sample from March 21st.

Syrian Internet users should be extremely cautious about clicking on suspicious-looking links, or downloading documents over Skype, even if the document purportedly comes from a friend.

The screenshot below shows the file with the fake Adobe icon.

The self-extracting file is named:

ورقة حول مجلس القيادة_as‮rcs.fdp.scr

On extraction, it performs several actions, including opening a PDF file, which you can see in the screenshot below.

The screenshot below shows the other files that are dropped:

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\(Empty).lnk
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ورقة حول مجلس القيادة.pdf
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Explorer.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\msdlg.ocx

Additionally, after you start typing, it creates a keylogger directory:

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\dclogs

The screenshot below shows process that indicates the DarkComet RAT is running on your computer. Go to your Windows Task Manager by pressing Ctrl+Shift+Esc and click on the Processes tab. The process is called svchost.exe and runs under your username. In this example, the user is Administrator.

The screenshot below shows the empty start-up link which is created by the Trojan.

As of Wednesday April 4th, this Trojan is not detected by any anti-virus program. However, it is detectable by the DarkComet RAT removal tool, written by the same developer that originally wrote DarkComet RAT. The screenshot below shows the removal tool detecting DarkComet RAT on an infected computer. The YouTube phishing attack also installed DarkComet RAT and is detectable via the DarkComet RAT removal tool DarkComet RAT Remover v1.0.

EFF is deeply concerned to see targeted attacks on Syrian Internet activists continue. We are even more concerned by evidence suggesting that a subset of the attacks are being carried out by the same individual or group somewhere inside of Syria. We will continue to keep a close eye on developments.