The campaign of attacks targeting Syrian opposition activists on the Internet has taken a new turn. Since the beginning of the year, Syrian opposition activists have been targeted with several Trojans, which covertly install surveillance software on the infected computer, as well as a multitude of attacks aimed at stealing YouTube and Facebook login credentials. Last week, TrendMicro's Malware Blog described a website which purportedly offered Skype encryption software, but was actually a Trojan that installed DarkComet 3.3, a remote administration tool that allows an attacker to capture webcam activity, disable the notification settings of certain antivirus programs, record keystrokes, steal passwords, and more, and which sends that sensitive information to an address in Syrian IP space. This week, EFF has found an almost identical website located at http://skype-encryption.sytes.net/, shown in the screenshot below.
Clicking "download" downloads the fake Skype encryption application, called "Skype Encryption v2.1," shown in the screenshot below.
Launching the application produces a window that gives you the option to "Encrypt" or "DeCrypt," shown in the screenshot below.
When you click "Encrypt," the application displays a message asking you to wait while it encrypts your connection, shown in the screenshot below. To be clear, this application does not encrypt anything. Instead of encrypting your Skype traffic, the application downloads a Trojan from http://18.104.22.168/SkypeEncryption/Download/skype.exe. This is the same Syrian IP address used in the attacks described by TrendMicro, Symantec, Cyber Arabs, and in several of EFF's blog posts.
Once your connections are allegedly encrypted, the application launches a window that says, "Your Connections are Now Completely Encrypted ! ..... Enjoy," as shown in the screenshot below.
While the fake progress window is displayed, the application installs the DarkComet remote access tool on your computer. DarkComet allows an attacker to capture webcam activity, disable the notification settings of certain antivirus programs, record keystrokes, and steal passwords from your computer. Unlike the version of DarkComet described in the TrendMicro post, which is detected by some anti-virus software, this version of DarkComet was not detected by any anti-virus software at the time of writing. For a detailed discussion of how to find and remove DarkComet from your computer, see this blog post.
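The two network indicators in this post, the lure site skype-encryption.sytes.net and the second-stage download URL, are enough to sweep a web proxy log for machines that may already be running DarkComet. The following script is an added example, not code from the original post or from EFF: it matches each request against those two indicators and lists the internal hosts that should be triaged. The log format (timestamp, client, method, URL, status) and every log line are constructed for the example; 192.0.2.10 is a documentation-range address standing in for a hypothetical mirror of the payload.

```python
import re
from urllib.parse import urlsplit

# Indicators taken from the post: the lure site and the second-stage download URL.
# Hostnames and paths are compared in lower case.
IOC_HOSTS = {"skype-encryption.sytes.net", "18.104.22.168"}
IOC_PATHS = {"/skypeencryption/download/skype.exe"}

# Constructed sample proxy log (hypothetical format: time client method url status).
# These are not real traffic records.
SAMPLE_LOG = """\
2012-05-02T10:01:12Z 10.0.0.15 GET http://www.example.org/index.html 200
2012-05-02T10:02:45Z 10.0.0.15 GET http://skype-encryption.sytes.net/ 200
2012-05-02T10:03:01Z 10.0.0.15 GET http://skype-encryption.sytes.net/SkypeEncryption.exe 200
2012-05-02T10:05:30Z 10.0.0.15 GET http://18.104.22.168/SkypeEncryption/Download/skype.exe 200
2012-05-02T10:06:02Z 10.0.0.22 GET http://18.104.22.168:8080/SkypeEncryption/Download/SKYPE.EXE 200
2012-05-02T10:06:40Z 10.0.0.22 GET http://192.0.2.10/SkypeEncryption/Download/skype.exe 200
2012-05-02T10:07:10Z 10.0.0.31 CONNECT login.skype.com:443 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def classify_url(url):
    """Return the indicator a URL matches, or None.

    Host and path are compared case-insensitively, and the port and query
    string are ignored, so cosmetic changes (a new port, upper-case file name)
    do not evade the check. CONNECT entries carry a bare host:port rather than
    a URL, so a scheme is prepended before parsing.
    """
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path.lower()
    if host in IOC_HOSTS:
        return "host:" + host
    if path in IOC_PATHS:
        # Same payload path served from another host: still worth a look.
        return "path:" + path
    return None


def find_ioc_hits(log_text):
    """Parse log lines and return (client_ip, url, indicator) for every match."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the sweep
        _ts, client, _method, url, _status = m.groups()
        indicator = classify_url(url)
        if indicator:
            hits.append((client, url, indicator))
    return hits


def affected_clients(log_text):
    """Distinct internal hosts that touched any indicator: candidates for DarkComet triage."""
    return sorted({client for client, _, _ in find_ioc_hits(log_text)})


if __name__ == "__main__":
    for client, url, indicator in find_ioc_hits(SAMPLE_LOG):
        print(client, indicator, url)
    print("clients to triage:", affected_clients(SAMPLE_LOG))
```

Because the lure uses a sytes.net dynamic-DNS name, the address it resolves to can change after the fact, which is why the script matches on the hostname and on the download path as well as on the IP address from the post. A hit on the lure site alone means the user visited the page; a hit on the skype.exe download means the Trojan stage was fetched and the host should be treated as compromised until checked.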
Syrian Internet users should be especially careful about downloading applications from unfamiliar websites. The fake Skype encryption site showed many obvious signs that it might not be legitimate, from the misspelling of "encryption" to the abuse of Comic Sans, but we can expect future attacks to be more sophisticated.