More than 90 arrests have been made in connection with development and sales of a remote access Trojan used worldwide to steal data and spy on victims, including Syrian dissidents.
The FBI and the Manhattan U.S. Attorney’s office yesterday announced the takedown of the Blackshades operation responsible for the inexpensive and invasive RAT which Citizen Lab of Canada exposed in 2012 as a tool allegedly used by the Syrian government to spy on activists in that country. The RAT was also used by 20-year-old Jared Abrahams to spy on Miss Teen USA Cassidy Wolf in an extortion scheme; Abrahams was sentenced in March to 18 months in federal prison.
“As today’s case makes clear, we now live in a world where, for just $40, a cybercriminal halfway across the globe can – with just a click of a mouse – unleash a RAT that can spread a computer plague not only on someone’s property, but also on their privacy and most personal spaces.” U.S. Attorney Preet Bharara said.
Blackshades was available on criminal forums for as little as $40, giving criminals the ability to remotely turn victims’ computers into surveillance devices. According to the Justice Department, once the victim was lured into downloading the RAT via drive-by downloads or spam, the malware could exfiltrate files, drop a keylogger that would steal credentials, and give the hackers access to the compromised machine’s webcam.
The FBI said the RAT was sold and distributed to thousands in more than 100 companies and is responsible for more than 500,000 infections. The RAT also had the capability of spreading itself to other machines by spoofing malicious links to social network contacts or over IM platforms.
“It required no sophisticated hacking experience or expensive equipment,” Assistant Director-in-Charge of the FBI George Venizelos said.
Officials said criminals could remotely manage compromised computers via a backdoor installed by the RAT; a management interface provided the attacker with system information, including whether a webcam was accessible.
“The user could, among other things, remotely activate the victim’s web camera. In this way, the user could spy on anyone within view of the victim’s webcam inside the victim’s home or in any other private spaces where the victim’s computer was used,” the Justice Department said in a statement.
The RAT could also force victim computers to join a botnet and be used in distributed denial-of-service attacks, the Justice Department said.
The FBI said it became aware of Blackshades during its takedown of a carding operation known as Operation Cardshop. Through this operation, the FBI said it was able to identify those in charge of Blackshades, Swede Alex Yucel, 24, and American Michael Hogue, 23 of Arizona. The FBI yesterday unsealed an indictment against Yucel, while Hogue was arrested in 2012 and pled guilty to charges related to the Operation Cardshop takedown; both are alleged co-developers of the Blackshades malware. Yucel is awaiting extradition to the U.S. after his arrest in Moldova, the FBI said.
“The charges unsealed today showcase the top to bottom approach the FBI takes to its cases. We tackled this malware starting with those that put it in the hands of the users- the creators and those who helped make it readily available- the administrators,” the FBI’s Venizelos said. “We will continue to work with our law enforcement partners to bring to justice anyone who used Blackshades maliciously.”
Also arrested in the last two days were Brendan Johnston, 23 of California, who is alleged to have helped market and sell Blackshades malware; Kyle Fedorek, 26 of New York, who allegedly used the RAT to steal from hundreds of victims; and Marlen Rappa, 41 of New Jersey, who allegedly used the RAT to spy on victims and steal online account credentials and data.
The Justice Department said the takedown included the cooperation of law enforcement in 19 countries and involved more than 300 searches; the investigation is ongoing.