A new attack campaign is targeting dissidents in Syria by enticing them to install an alleged security tool called AntiHacker, which instead installs the infamous DarkComet remote access tool that has the ability to log keystrokes, capture webcam images and take other surreptitious actions.
The new attack is essentially a highly targeted campaign that delivers a nasty piece of malware capable of conducting surveillance on victims and their PCs without their knowledge. The EFF, which analyzed the attack, found that it is targeting people in the Syrian resistance and found similarities to previous such attacks. DarkComet has been used in attacks attributed to the Syrian government in recent months, and one such attack prompted the developer of the RAT to discontinue its development and sale.
This time around, the attackers are trying to play upon users’ fears of other security threats to goad them into downloading and installing the AntiHacker tool, which they’re offering on a Facebook page and a separate site. However, once the victim downloads the application, it installs the DarkComet RAT, a sophisticated tool that gives the attacker a high level of control of the user’s machine.
“EFF’s analysis indicates that this campaign is the work of the same actors behind several malware campaigns that lured their targets in using fake revolutionary documents and a fake Skype encryption tool–campaigns that date back to at least November 2011,” Eva Galperin and Morgan Marquis-Boire of the EFF said.
“While it purports to provide security against hackers, AntiHacker instead installs a remote access tool called DarkComet RAT, which allows an attacker to capture webcam activity, disable the notification setting for certain antivirus programs, record key strokes, steal passwords, and more. Over a dozen of the attacks EFF has analyzed have installed versions of DarkComet.”
Like many tools of its ilk, DarkComet gives the attacker the ability to steal data from a target machine, listen in remotely on communications and take a variety of other unwanted actions. Once installed and executed on the victim’s machine, the AntiHacker application shows the user a couple of shady-looking dialog boxes with obvious grammatical errors. It then reaches out to a remote server at IP address 22.214.171.124 and downloads a file called “google.exe”, which is the file that contains DarkComet.
Then the badness begins. The malware installs a couple of files and creates an entry in the Startup menu so that it will run each time the machine boots up. Although DarkComet has been in circulation for some time, there are a lot of different versions of the tool and the EFF said this one has the ability to evade most antimalware systems.
“This version of DarkComet is not detectable by any anti-virus software as of August 1, 2012. However, it is detectable by the DarkComet RAT removal tool, written by the same developer that originally wrote DarkComet RAT,” Galperin and Marquis-Boire said.
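Because the sample evaded signature-based detection, the behavior chain described above (an executable fetched from a bare IP address, followed by a new Startup entry) is the more useful thing to hunt for in telemetry. The following Python is an added example, not code from the EFF analysis; the event field names, the 10-minute correlation window and the sample events are constructed assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

STARTUP_MARKER = r"\start menu\programs\startup"  # per-user and all-users Startup folders
WINDOW_SECONDS = 600  # assumed correlation window

def is_exe_from_bare_ip(url):
    """True when the URL host is an IP literal and the path ends in .exe."""
    parts = urlsplit(url)
    try:
        ipaddress.ip_address(parts.hostname or "")
    except ValueError:
        return False
    return parts.path.lower().endswith(".exe")

def find_suspect_hosts(events):
    """Map host -> (url, startup_path) when a Startup write follows an
    .exe download from a bare IP within WINDOW_SECONDS."""
    last_download, hits = {}, {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        host = ev["host"]
        if ev["type"] == "http" and is_exe_from_bare_ip(ev["url"]):
            last_download[host] = (ev["ts"], ev["url"])
        elif ev["type"] == "file_create" and STARTUP_MARKER in ev["path"].lower():
            seen = last_download.get(host)
            if seen and ev["ts"] - seen[0] <= WINDOW_SECONDS:
                hits.setdefault(host, (seen[1], ev["path"]))
    return hits

# Constructed sample events (192.0.2.0/24 is a documentation range).
STARTUP = r"C:\Users\a\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
SAMPLE_EVENTS = [
    {"ts": 100, "host": "pc-01", "type": "http", "url": "http://192.0.2.10/google.exe"},
    {"ts": 130, "host": "pc-01", "type": "file_create", "path": STARTUP + r"\svc.lnk"},
    # Named host, not an IP literal: not flagged.
    {"ts": 100, "host": "pc-02", "type": "http", "url": "http://downloads.example.com/setup.exe"},
    {"ts": 120, "host": "pc-02", "type": "file_create", "path": STARTUP + r"\app.lnk"},
    # Startup write far outside the window: not flagged.
    {"ts": 100, "host": "pc-03", "type": "http", "url": "http://192.0.2.10/google.exe"},
    {"ts": 5000, "host": "pc-03", "type": "file_create", "path": STARTUP + r"\x.lnk"},
    # Startup write before the download: not flagged.
    {"ts": 50, "host": "pc-04", "type": "file_create", "path": STARTUP + r"\y.lnk"},
    {"ts": 100, "host": "pc-04", "type": "http", "url": "http://192.0.2.10/google.exe"},
]

if __name__ == "__main__":
    for host, (url, path) in find_suspect_hosts(SAMPLE_EVENTS).items():
        print(f"{host}: {url} -> {path}")
```

Only the host where both behaviors occur in order and within the window is reported, which keeps ordinary installers and unrelated Startup changes out of the results.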