Blackshades RAT Pops Up in Attacks on Syrian Activists

They just do not stop having targeted malware attacks in Syria. Just a few days after the author of the Dark Comet RAT announced he was shutting down development and sales of the tool, partly because it was used in attacks by the Syrian government, experts have found that pro-government attackers are using the Blackshades RAT for similar attacks on anti-government activists.


The new attack uses a similar vector to the Dark Comet attacks, sending messages from a compromised Skype account to targets in the anti-government activist community. The messages warn the recipient that there’s some unnamed person saying bad things about him online.

“A new campaign, using Blackshades Remote Controller, has been discovered via a message sent from a compromised Skype account to an individual working with the Syrian opposition, seen in the screenshot below. Roughly translated, the message reads: ‘There is a person who hates you, and keeps talking about you. I took a screenshot of the conversation. Please beware of this person, as he knows you personally. This is a screenshot of the conversation,'” Eva Galperin and Morgan Marquis-Boire of the EFF wrote in an analysis of the attack.

If the victim clicks the link embedded in the message, a ZIP file is downloaded to the victim’s machine. Once the archive is extracted and its contents run, the RAT installs itself on the PC and follows the usual pattern: it reaches out to its command-and-control server and waits to be told what to do.

“This malware attempts to connect to the command and control server at: alosh66.servecounterstrike.com. While the DNS provider for this domain has been notified and the domain has been disabled, the last IP address that this domain resolved to was 31.9.48.11. The subdomain ‘alosh66’ appeared in the command and control domains of the two other campaigns EFF has described above,” Galperin and Marquis-Boire wrote.

The malware copies itself into the Templates folder on the compromised machine, and a separate keylogger file is dropped and installed alongside it.
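The two indicators the EFF published for this campaign, the full C2 hostname and the IP it last resolved to, plus the recurring “alosh66” label, are enough to hunt for victims in DNS logs. The following is an added example written for this article, not code from the EFF analysis or the original page: it runs the three checks over a handful of constructed DNS log lines. The log format (timestamp, client, record type, query, answer) is an assumption, and the hostname under no-ip.biz is invented to show the label pivot; only alosh66.servecounterstrike.com and 31.9.48.11 come from the article.

```python
import ipaddress
import re
from typing import Dict, List

# Indicators taken from the EFF analysis quoted in the article.
C2_DOMAIN = "alosh66.servecounterstrike.com"
C2_IP = ipaddress.ip_address("31.9.48.11")
# The EFF noted that the label "alosh66" recurred in the C2 domains of
# earlier campaigns, so the hunt also pivots on that label under any parent.
PIVOT_LABEL = "alosh66"

# Constructed sample log lines (not real captured traffic). The line format is
# an assumption: "<timestamp> <client_ip> <record_type> <query> -> <answer>".
# The no-ip.biz hostname is invented purely to exercise the label pivot.
SAMPLE_DNS_LOG = """\
2012-07-06T10:14:02Z 10.0.0.21 A www.example.org -> 93.184.216.34
2012-07-06T10:15:40Z 10.0.0.37 A alosh66.servecounterstrike.com -> 31.9.48.11
2012-07-06T10:16:01Z 10.0.0.37 A ALOSH66.no-ip.biz -> 31.9.48.11
2012-07-06T10:17:55Z 10.0.0.12 A update.example.net -> 31.9.48.11
2012-07-06T10:18:30Z 10.0.0.12 A mail.example.com -> 203.0.113.5
"""

LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<rtype>\S+)\s+"
    r"(?P<query>\S+)\s+->\s+(?P<answer>\S+)$"
)


def classify(query: str, answer: str) -> List[str]:
    """Return the list of indicator names a single DNS query/answer pair hits."""
    reasons: List[str] = []
    q = query.rstrip(".").lower()  # normalise trailing dot and case
    if q == C2_DOMAIN:
        reasons.append("c2_domain")
    elif q.split(".")[0] == PIVOT_LABEL:
        # Same operator label under a different parent: worth an analyst's look,
        # but weaker evidence than the exact hostname.
        reasons.append("c2_label_pivot")
    try:
        if ipaddress.ip_address(answer) == C2_IP:
            reasons.append("c2_ip")
    except ValueError:
        pass  # answer was not an IP address (CNAME, NXDOMAIN marker, etc.)
    return reasons


def hunt(log_text: str) -> List[Dict[str, str]]:
    """Scan log lines and return one record per line that matches any indicator."""
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        reasons = classify(m["query"], m["answer"])
        if reasons:
            hits.append(
                {
                    "ts": m["ts"],
                    "client": m["client"],
                    "query": m["query"],
                    "answer": m["answer"],
                    "reasons": ",".join(reasons),
                }
            )
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_DNS_LOG):
        print(f"{hit['ts']} {hit['client']} {hit['query']} -> {hit['answer']} [{hit['reasons']}]")
```

Two cautions when turning this into a block rule. The article says the domain was disabled, so a later lookup may resolve to a sinkhole or to nothing at all; the IP is the last known resolution, not a permanent one. And a dynamic DNS parent like servecounterstrike.com is shared with many unrelated hosts, so block the full hostname, never the parent domain.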

RATs, or remote access Trojans, have been around for a long time and have been used in targeted attacks and larger campaigns by a wide variety of actors. Most of them have similar features–keylogging, remote control, etc.–and are powerful tools for the attackers on the other end of the wire. Recently, some government and government-sponsored attackers have been using RATs such as Blackshades, Dark Comet and Gh0stRAT to go after activists who are working against the government’s interests. In addition to the incidents involving the Syrian activists, there have been attacks targeting Tibetan activists and government officials. 

Although many of these RATs are recognized by antimalware products, dozens of variants exist, and a small tweak to a commercial RAT, such as repacking the binary or swapping the crypter, is often enough to slip past signature-based detection. For that reason the command-and-control hostname and the dropped keylogger are more durable indicators to watch for than the file hash of any one build.
