New Malware Targeting Syrian Activists Uses Blackshades Commercial Trojan
Since March of this year, EFF has reported extensively on the ongoing campaign to use social engineering to install surveillance software that spies on Syrian activists. Syrian opposition activists have been targeted using several Trojans, including one disguised as a Skype encryption tool and others disguised as revolutionary documents.
As we've tracked these ongoing campaigns, patterns have emerged that link certain attacks to one another, indicating that the same actors, or groups of actors, are responsible. More than a dozen of these attacks have installed versions of the same remote access tool, DarkComet RAT, and reported back to the same IP address in Syrian address space. DarkComet RAT's increasingly close association with pro-Syrian-government malware, combined with the Human Rights Watch report on the Assad regime's network of torture centers, may have motivated the project's sole developer to shut it down, declaring his intention to work on an alternative tool that more closely resembles VNC and requires administrative access to install.
Pro-Syrian-government hackers appear to have moved on to another remote access tool: Blackshades Remote Controller, whose capabilities include keystroke logging and remote screenshots. EFF reported on the use of this tool in malware targeting officers of the Free Syrian Army on June 19th. Similar command and control domains suggest that this campaign is being carried out by the same actors responsible for the fake YouTube attack we reported in March, which lured Syrian activists in by advertising pro-opposition videos, stole their YouTube login credentials by asking them to log in before leaving a comment, and installed surveillance malware disguised as an Adobe Flash Player update.
A new campaign, using Blackshades Remote Controller, has been discovered via a message sent from a compromised Skype account to an individual working with the Syrian opposition, seen in the screenshot below. Roughly translated, the message reads: "There is a person who hates you, and keeps talking about you. I took a screenshot of the conversation. Please beware of this person, as he knows you personally. This is a screenshot of the conversation."
Clicking on the link in that message (http://14wre.co.za/new.zip, now dead because the malicious file has been removed) downloaded new.zip, which unzipped to new.pif.
This malware attempts to connect to the command and control server at: alosh66.servecounterstrike.com. While the DNS provider for this domain has been notified and the domain has been disabled, the last IP address that this domain resolved to was 184.108.40.206. The subdomain "alosh66" appeared in the command and control domains of the two other campaigns EFF has described above.
This sample drops the following files:
C:\Documents and Settings\Administrator\Templates\THEMECPL.exe, a copy of the malware itself placed in the Templates folder, shown in the screenshot below.
C:\Documents and Settings\Administrator\Application Data\demo.exe, a version of AppLaunch.exe, the Microsoft ClickOnce Launcher, shown in the screenshot below, along with the keylogger output file, C:\Documents and Settings\Administrator\Application Data\data.dat.
If you see these files on your computer, you have been infected with BlackShades. If your computer is infected, deleting the above files or using anti-virus software to remove the Trojan does not guarantee that your computer will be safe or secure. This malware gives an attacker the ability to execute arbitrary code on the infected computer. There is no guarantee that the attacker has not installed additional malicious software while in control of the machine.
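The file paths and command and control indicators above can be checked mechanically. The script below is an added example, not EFF's code or a tool from the original post: it takes a file listing and a set of outbound connection records (both constructed here so it runs offline) and reports matches against the indicators named in this post. The file match is generalised to any user profile, not only "Administrator", which is an assumption beyond what the post shows; the process names and port in the sample connection records are constructed, not observed values.

```python
"""Indicator check for the Blackshades sample described in the post.

Added example (not from the original post). Indicators below are the
ones the post names; all sample input is constructed for illustration.
"""
from dataclasses import dataclass

# Dropped files named in the post, matched on the last two path components
# so that profiles other than "Administrator" also match (an assumption:
# the post only shows the Administrator profile).
DROPPED_FILE_TAILS = {
    ("templates", "themecpl.exe"),        # copy of the malware itself
    ("application data", "demo.exe"),     # renamed AppLaunch.exe
    ("application data", "data.dat"),     # keylogger output
}

# Command and control indicators named in the post.
C2_DOMAIN = "alosh66.servecounterstrike.com"
C2_LAST_IP = "184.108.40.206"


def matches_dropped_file(path: str) -> bool:
    """True if the path ends in one of the dropped-file locations."""
    parts = path.lower().replace("/", "\\").split("\\")
    return tuple(parts[-2:]) in DROPPED_FILE_TAILS


def find_dropped_files(paths):
    """Return the subset of a file listing that matches the dropped files."""
    return [p for p in paths if matches_dropped_file(p)]


@dataclass
class Connection:
    """One outbound connection record (e.g. a row from netstat or a proxy log)."""
    pid: int
    process: str
    remote_host: str   # hostname or IP exactly as recorded
    remote_port: int


def is_c2_contact(conn: Connection) -> bool:
    """True if the remote end is the C2 domain, a subdomain of it, or its last IP."""
    host = conn.remote_host.lower().rstrip(".")
    return host == C2_DOMAIN or host.endswith("." + C2_DOMAIN) or host == C2_LAST_IP


def find_c2_contacts(conns):
    return [c for c in conns if is_c2_contact(c)]


def triage(paths, conns):
    """Combine both checks. A positive result means compromise; a negative
    result does not prove the machine is clean (see the post's advice)."""
    files = find_dropped_files(paths)
    contacts = find_c2_contacts(conns)
    return {"infected": bool(files or contacts), "files": files, "c2": contacts}


# Constructed sample input: a partial file listing and two connection records.
SAMPLE_LISTING = [
    r"C:\Documents and Settings\Administrator\Templates\THEMECPL.exe",
    r"C:\Documents and Settings\Administrator\Application Data\demo.exe",
    r"C:\Documents and Settings\Administrator\Application Data\data.dat",
    r"C:\Documents and Settings\Administrator\My Documents\notes.txt",
    r"C:\WINDOWS\system32\notepad.exe",
]
SAMPLE_CONNECTIONS = [
    Connection(1124, "demo.exe", "alosh66.servecounterstrike.com", 3333),  # constructed pid/port
    Connection(488, "svchost.exe", "example.com", 443),                     # benign record
]

if __name__ == "__main__":
    result = triage(SAMPLE_LISTING, SAMPLE_CONNECTIONS)
    print("infected:", result["infected"])
    for f in result["files"]:
        print("  dropped file:", f)
    for c in result["c2"]:
        print(f"  C2 contact: pid={c.pid} {c.process} -> {c.remote_host}:{c.remote_port}")
```

Run it against a real listing by feeding `find_dropped_files` the output of a recursive directory walk and `find_c2_contacts` the parsed rows of a netstat or proxy log. Because the domain has been disabled, a live host will typically show the DNS lookup attempt or the last-known IP rather than an established session, so DNS query logs are the more useful network source.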
Some anti-virus vendors recognize this malware as BlackShades Remote Controller. You may try updating your anti-virus software, running it, and using it to remove the Trojan if it comes up, but the safest course of action is to re-install the OS on your computer and change the passwords to any accounts you have logged into since the time of infection.
EFF urges Syrian activists to be especially cautious when downloading files over the Internet, even in links that are purportedly sent by friends. While Syrians have become increasingly sophisticated in their privacy and security practices, pro-Syrian-government actors have also increased the frequency and sophistication of their campaigns. In light of disturbing reports documenting the use of torture by Syrian security forces in detention facilities across the country, the need for caution is greater than ever.