May 31, 2012 | By Eva Galperin and Morgan Marquis-Boire

Trojan Hidden in Fake Revolutionary Documents Targets Syrian Activists

The campaign to use social engineering to install surveillance software that spies on Syrian activists is growing ever more complex as violence in Syria has escalated. Since the beginning of the year, Syrian opposition activists have been targeted using several Trojans, including one disguised as a Skype encryption tool, which covertly install spying software onto the infected computer, as well as a multitude of phishing attacks which steal YouTube and Facebook login credentials.

The latest campaign contacts targeted Syrian activists over Skype and delivers a Trojan by getting the targets to download a fake PDF purporting to contain a plan to assist the city of Aleppo, where opposition protest has been growing steadily since a raid on Aleppo University dormitories resulted in the deaths of four students and a temporary shutdown of the state-run school earlier this month. Like many of the attacks we have reported on, this one installs a Trojan called DarkComet RAT, a remote administration tool that allows an attacker to capture webcam activity, disable the notification setting for certain antivirus programs, record key strokes, steal passwords, and more--and sends that sensitive information to the same Syrian IP address used in attacks described by TrendMicro, Symantec, Cyber Arabs, and in several of EFF's blog posts.

The attack is initiated over Skype with the following message in Arabic:

[29/05/2012 18:03:44] Aleppo Team || ...: اخر تعديل لخطة حلب حان وقت الجهاد
[29/05/2012 18:03:46] Aleppo Team || ...: أرسل الملف "خطة النهاية2.rar"

Roughly translated into English as:

[29/05/2012 18:03:44] Aleppo Team || ...: Last modified plan Aleppo time for Jihad
[29/05/2012 18:03:46] Aleppo Team || ...: Send the file "plan eventually 2.rar"

Extraction of the rar file creates a directory called خطة حلب, or "Plan Aleppo," shown in the screenshot below.

Inside this is a file called aleppo_plan_ خطة_تحريك_حلب cercs.pdf. The right-to-left text display makes this appear to be a PDF file, but it is an SCR, shown in the screenshot below.

The SCR file is malware.

The file that we have analyzed is aleppo_plan_ خطة_تحريك_حلب cercs.pdf, MD5 sum bc403bef3c2372cb4c76428d42e8d188.
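As an added example (not code from the EFF post), here is a defender-side triage check for the two indicators just described: a filename whose right-to-left rendering hides a real .scr extension behind an apparent .pdf, and the MD5 of the analyzed sample. The sample filename below is constructed, and the assumption that the trick is done with the Unicode right-to-left override (U+202E) is ours; the post only states that right-to-left display made the file look like a PDF.

```python
import hashlib

# Unicode bidirectional controls that can make a filename render differently
# from how the filesystem and the OS see it.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF", "\u202d": "LRO",
    "\u202e": "RLO", "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI",
    "\u2069": "PDI", "\u200e": "LRM", "\u200f": "RLM",
}
# Extensions Windows will execute; the post's sample is an .scr (screensaver).
EXECUTABLE_EXTS = {"scr", "exe", "com", "pif", "bat", "cmd", "vbs", "js", "lnk"}
# MD5 of the sample analyzed in the post.
KNOWN_BAD_MD5 = {"bc403bef3c2372cb4c76428d42e8d188"}


def real_extension(name):
    """Extension as the filesystem sees it: text after the last dot."""
    _, dot, ext = name.rpartition(".")
    return ext.lower() if dot else ""


def displayed_name(name):
    """Approximate what a naive renderer shows: text after an RLO (U+202E)
    is drawn right-to-left, i.e. reversed, and the controls are invisible."""
    head, rlo, tail = name.rpartition("\u202e")
    shown = head + tail[::-1] if rlo else name
    return "".join(c for c in shown if c not in BIDI_CONTROLS)


def analyze_filename(name):
    controls = [BIDI_CONTROLS[c] for c in name if c in BIDI_CONTROLS]
    shown = displayed_name(name)
    real_ext, shown_ext = real_extension(name), real_extension(shown)
    return {
        "displayed_as": shown,
        "real_extension": real_ext,
        "apparent_extension": shown_ext,
        "bidi_controls": controls,
        # Flag bidi tricks, any real/apparent extension mismatch, and
        # executable types dressed up as documents.
        "suspicious": bool(controls) or real_ext != shown_ext
        or real_ext in EXECUTABLE_EXTS,
    }


def is_known_sample(data):
    """True if the bytes hash to the MD5 reported in the post."""
    return hashlib.md5(data).hexdigest() in KNOWN_BAD_MD5


if __name__ == "__main__":
    # Constructed name: an RLO before "fdp.scr" renders as "...rcs.pdf".
    for n in ["aleppo_plan_\u202efdp.scr", "Aleppo plan.pdf"]:
        print(analyze_filename(n))
```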

It displays a PDF while dropping the following files, shown in the screenshot below:

C:\Documents and Settings\Administrator\StartMenu\Programs\Startup\(empty).lnk
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\explorer.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Aleppo plan.pdf
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Firefox.dll

It runs explorer.exe, which installs DarkComet RAT and also opens a PDF which describes a plan to assist Aleppo in the revolution. The document includes a detailed discussion of logistics and would potentially be very interesting to Syrian dissidents and activists. Some of the content may be genuine, but there are also some aspects of the PDF that might raise the suspicions of a keen-eyed reader, including the flag across the top of the document, which is the flag of the Assad regime rather than the flag of the revolution.

As of May 29th, this version of DarkComet is not detectable by any anti-virus software. For a detailed discussion of how to find and remove DarkComet from your computer, see this blog post.

Syrian Internet users should be especially careful about downloading documents sent over Skype, even if the message purportedly comes from a friend.

