It’s a tried-and-true plotline for many a corny movie: the lonely soldier on the front lines falling for a girl who turns out to be the enemy. If you apply a 2015 reality to that scenario, you have the lonely soldier Skyping with an alluring woman who turns out to be an enemy hacker dropping custom malware on your Android device or PC.
In the latter case, this is an all-too-real script for opposition fighters taking on the forces of Syrian leader Bashar al-Assad.
Researchers at FireEye found a cache of stolen strategic and tactical documents, plans, maps and personal information belonging to opposition fighters stolen by an unknown group using social engineering and a custom version of the DarkComet remote access Trojan to learn the secrets of opposition forces.
Victims in Syria, Turkey, Lebanon, Jordan, Egypt and elsewhere in the Middle East and even Europe, fell for the same scam. In most cases, contact information from stolen Skype account databases were used to reach out to other opposition fighters over Skype. The hackers, using a female avatar who went by the name of Iman, would engage with the fighters over time, building a rapport, before enticing them with a malware-laden photograph of the supposed female. There were also corresponding Facebook and other social media accounts belonging to the same female avatar with links to malware-laden websites.
This appeal to basic human nature, combined with the harsh realities of poor connectivity and the necessity of having to share mobiles and PCs made for easy pickings for the hackers behind this operation. They had to compromise only a relatively small number of computers and phones, yet were able to steal 7.7 GB of data, including more than 12,000 contacts, 64 Skype account databases, logs of 31,000 Skype conversations and 240,000 messages. The stolen documents included military planning files, details on hardware and locations of fighters, names of fighters and weapons they were using. Political alliances and strategy discussions were exposed, as were personal details on those forced to live in refugee camps, humanitarian assistance details, documents pertaining to chemical weapons investigations, situation reports and lists of casualties, among other data.
“I think that the awareness about who they were after and playing on human nature made this work,” said Laura Galante, FireEye manager of threat intelligence. “It sounds cliché, but it’s what we see here and with a lot of these threats. If you’re able to get the human element right and compromise the right person and get them to make a poor choice, you have the hook to do what you want with that information.”
Galante said there were at least three phony female profiles used by the hackers, who mention Lebanon several times in their interactions with the rebel fighters, including a 2012 training course held in that country that described some of these same social engineering methods. FireEye, in its report, refers to a leaked Syrian intelligence memo describing the tactics used by pro-Assad recruits, many of whom have ties to Hezbollah.
Once rapport was established over Skype, the hackers would flat-out ask how the opposition fighters was communicating with them, i.e., over Android or PC, for example. Putting two-and-two together, the hackers would send a corresponding version of the malware, tailored for the particular platform.
You have the lonely soldier Skyping with an alluring woman who turns out to be an enemy hackerTweet
The use of DarkComet as a data-stealing tool is nothing new in APT-style targeted attacks and other espionage schemes, but in this case, this version of DarkComet came with a multistage dropper called Blackstar and a customized keylogger that Galante said is new. The report describes the dropper, memory injection of new running processes, multistage payloads, and the use of XOR keys to decode a shellcode payload.
FireEye said the campaigns relied exclusively on social engineering to spread and no exploits were used. Galante also said FireEye was unsure how the hackers were moving data. Other pro-Syrian hackers have used command and control servers inside of Syria, but FireEye said this campaign’s servers were located outside the country, indicating perhaps sponsorship outside Syria.
“What stands out is that they were developing for Android use and computers, that’s the first huge thing when we were looking at the malware,” Galante said. “It wasn’t particularly complicated or sophisticated. It illustrated that someone had taken the time to put development resources into adapting off-the-shelf malware.
“Couple that with the questions we saw the avatar asking,” Galante said, “and it’s pretty telling what was going on.”