New Malware Targeting Syrian Activists Uses Blackshades Commercial Trojan
Since March of this year, EFF has reported extensively on the ongoing campaign to use social engineering to install surveillance software that spies on Syrian activists. Syrian opposition activists have been targeted using several Trojans, including one disguised as a Skype encryption tool and others disguised as revolutionary documents.
As we've tracked these ongoing campaigns, patterns have emerged that link certain attacks to one another, indicating that the same actors, or groups of actors are responsible. More than a dozen of these attacks have installed versions of the same remote access tool, DarkComet RAT, and reported back to the same IP address in Syrian address space. DarkComet RAT's increasingly close association with pro-Syrian-government malware, combined with the Human Rights Watch report on the Assad regime's network of torture centers, may have motivated the project's sole developer to shut it down, declaring his intention to work on an alternative tool that more closely resembles VNC and requires administrative access to install.
Pro-Syrian government hackers appear to have moved on to another remote access tool: Blackshades Remote Controller, whose capabilities include keystroke logging and remote screenshots. EFF reported on the use of this tool in malware targeting officers of the Free Syrian Army on June 19th. Similar command and control domains suggest that this campaign is being carried by the same actors responsible for the fake YouTube attack we reported in March, which lured Syrian activists in by advertising pro-opposition videos, stole their YouTube login credentials by asking them to log in before leaving a comment, and installed surveillance malware disguised as an Adobe Flash Player update.
A new campaign, using Blackshades Remote Controller, has been discovered via a message sent from a compromised Skype account to an individual working with the Syrian opposition, seen in the screenshot below. Roughly translated, the message reads: "There is a person who hates you, and keeps talking about you. I took a screenshot of the conversation. Please beware of this person, as he knows you personally. This is a screenshot of the conversation."
Clicking on this link--(http://14wre.co.za/new.zip - now dead because the malicious software has been removed)--provided new.zip, which unzipped to new.pif.
This malware attempts to connect to the command and control server at: alosh66.servecounterstrike.com. While the DNS provider for this domain has been notified and the domain has been disabled, the last IP address that this domain resolved to was 188.8.131.52. The subdomain "alosh66" appeared in the command and control domains of the two other campaigns EFF has described above.
This sample drops the following files:
C:\Documents and Settings\Administrator\Templates\THEMECPL.exe, a copy of the malware itself copied to the templates folder, shown in the screenshot below.
And C:\Documents and Settings\Administrator\Application Data\demo.exe, a version of AppLaunch.exe, the Microsoft ClickOnce Launcher, shown in the screenshot below, along with the keylogger file, C:\Documents and Settings\Administrator\Application Data\data.dat.
If you see these files on your computer, you have been infected with BlackShades. If your computer is infected, deleting the above files or using anti-virus software to remove the Trojan does not guarantee that your computer will be safe or secure. This malware gives an attacker the ability to execute arbitrary code on the infected computer. There is no guarantee that the attacker has not installed additional malicious software while in control of the machine.
Some anti-virus vendors recognize this malware as BlackShades Remote Controller. You may try updating your anti-virus software, running it, and using it to remove the Trojan if it comes up, but the safest course of action is to re-install the OS on your computer and change the passwords to any accounts you have logged into since the time of infection.
EFF urges Syrian activists to be especially cautious when downloading files over the Internet, even in links that are purportedly sent by friends. While Syrians have become increasingly sophisticated in their privacy and security practices, pro-Syrian-government actors have also increased the frequency and sophistication of their campaigns. In light of disturbing reports documenting the use of torture by Syrian security forces in detention facilities across the country, the need for caution is greater than ever.