A new set of malware campaigns targeted at Syrian activists, journalists and NGOs has emerged, and security researchers say that the attackers are employing a variety of tactics, including a new OS X Trojan that could be part of a “false flag” operation.
The details of the new round of attacks on government opposition groups in Syria show that, despite attention focused on the problem for the last year or so, attackers are continuing to refine their methods and develop new malware and social engineering tactics. Researchers at Citizen Lab and EFF have been looking at the new malware campaigns, and in a new report they describe a diverse set of attacks that are targeting a variety of people and organizations involved in the anti-government efforts in Syria.
In the past, most of the attacks have fallen into a couple of fairly easily identifiable categories. But now, the groups behind these latest attacks are using a wider variety of tools to compromise their targets, including several remote-access Trojans and the OS X malware.
“Opposition groups continue to be targeted with phishing and malware attacks by pro-Assad hackers, but the attacks are getting curiouser and curiouser,” Eva Galperin, a global policy analyst at EFF, said. “Up until now, the campaigns have all been very similar to one another. Now we’re starting to see attacks that don’t fit into these patterns but seem to deliberately implicate pro-Assad hackers.”
The new report, “Quantum of Surveillance”, shows that there are likely some familiar attackers behind the new operations. Two specific pieces of malware are involved in the attacks, njRAT and Xtreme RAT, both being sent out in targeted phishing emails to groups and individuals involved in the Syrian resistance. Both are used to exfiltrate data from compromised machines, and Xtreme RAT has keystroke-logging capabilities. Researchers said that both njRAT and Xtreme RAT have been seen in attacks in Syria before.
Xtreme RAT is being sent in a couple of different emails, one of which carries a ZIP archive presented as a graphic video of a man being executed. After looking at that campaign, the researchers discovered a second campaign that was using the same malware.
“Xtreme RAT has long been associated with malware targeted at the Syrian opposition. A week later, we identified a second attack that also deployed Xtreme RAT, again sent as a malicious email attachment. The sender’s address and the attachment title suggested links to the Free Syrian Army and/or the Syrian opposition,” the researchers said in the paper.
The two campaigns use the same command and control infrastructure and the researchers believe that they may be connected to a similar campaign earlier this year.
“Upon examination of the site linked to this attack (http://mrconstrucciones.net/js/), which appeared to have been the hacked site of a Mexican company, we found six malware binaries contained in various file types (.pif, .rar, .zip, and .php). As further evidence that this attack and the previous attack are linked, this directory contained the world-viewable (for a time) identical “video31.zip” file described above,” the researchers said.
“The two pieces of malware we’ve described are similar to the ones analyzed by Citizen Lab in our report from June 2013. The malware uses a command and control server whose domain (http://tn1.linkpc.net:81/123.functions) resolves to the same IP address as the command and control server described in the Citizen Lab report (http://tn5.linkpc.net:81/123.functions). We continue to see malware campaigns pointing to both domains.”
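The link the researchers draw between the two campaigns and the June 2013 report rests on an infrastructure pivot: different C2 hostnames that resolve to the same IP address. The following is an added example, not code from the Citizen Lab / EFF report, showing that pivot as a small grouping routine. The C2 URLs are the ones quoted above; the resolved IP addresses, the passive-DNS snapshot and the campaign labels are constructed placeholders (the article does not state the shared IP), so the code runs offline.

```python
"""
Pivot on shared command-and-control infrastructure.

Added example, not code from the Citizen Lab / EFF report. The C2 URLs
come from the quoted text above; the IP addresses and campaign labels in
RESOLUTIONS and SAMPLE_INDICATORS are constructed placeholders (the
article does not give the resolved IP), used only to show the grouping
logic offline.
"""
from __future__ import annotations

from collections import defaultdict
from urllib.parse import urlsplit


def c2_host_port(url: str) -> tuple[str, int | None]:
    """Return (hostname, port) for a C2 URL, e.g.
    http://tn1.linkpc.net:81/123.functions -> ('tn1.linkpc.net', 81).
    Scheme-less indicators such as 'mrconstrucciones.net/js/' are accepted."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    if not parts.hostname:
        raise ValueError(f"no hostname in {url!r}")
    return parts.hostname.lower(), parts.port


def cluster_by_ip(indicators, resolutions):
    """Group campaign labels by the IP their C2 hostnames resolve to.

    indicators : iterable of (campaign_label, c2_url)
    resolutions: dict hostname -> IP (a passive-DNS snapshot; constructed here)
    Returns dict ip -> sorted list of distinct campaign labels.
    Hostnames with no known resolution are collected under the key None.
    """
    groups = defaultdict(set)
    for label, url in indicators:
        host, _port = c2_host_port(url)
        groups[resolutions.get(host)].add(label)
    return {ip: sorted(labels) for ip, labels in groups.items()}


def linked_campaigns(indicators, resolutions):
    """IPs shared by more than one campaign: the 'same infrastructure' pivot.
    Unresolved hostnames (key None) are never treated as a link."""
    return {ip: labels
            for ip, labels in cluster_by_ip(indicators, resolutions).items()
            if ip is not None and len(labels) > 1}


# Constructed passive-DNS snapshot: the 10.0.0.x addresses are placeholders.
RESOLUTIONS = {
    "tn1.linkpc.net": "10.0.0.5",
    "tn5.linkpc.net": "10.0.0.5",        # same IP as tn1 -> links the campaigns
    "mrconstrucciones.net": "10.0.0.9",  # hacked staging site, different host
}

# Constructed indicator list; the URLs are the ones quoted in the article.
SAMPLE_INDICATORS = [
    ("Xtreme RAT, video31.zip lure", "http://tn1.linkpc.net:81/123.functions"),
    ("Xtreme RAT, FSA-themed lure", "http://tn1.linkpc.net:81/123.functions"),
    ("June 2013 Citizen Lab campaign", "http://tn5.linkpc.net:81/123.functions"),
    ("staging site", "http://mrconstrucciones.net/js/"),
]

if __name__ == "__main__":
    for ip, labels in linked_campaigns(SAMPLE_INDICATORS, RESOLUTIONS).items():
        print(ip, "->", ", ".join(labels))
```

Resolutions are passed in rather than looked up live on purpose: a dynamic-DNS name like linkpc.net can point somewhere else tomorrow, so the pivot is only meaningful against resolutions recorded at the time of the campaign. The staging site in the constructed snapshot resolves elsewhere and therefore does not appear in the linked output, which is the expected behaviour: a shared IP is the link, a shared operator is still an inference.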
One odd bit of evidence that the researchers uncovered was an OS X Trojan that had been used in attacks as early as September. The malware is mailed out to users in Syria, but the researchers found that, despite speculation in the media, there was no connection between the Trojan and the infamous Syrian Electronic Army attack group.
“Why the attacker would want to associate their malware with the Syrian Electronic Army is unclear, but the preponderance of evidence appears to suggest that this operation is unrelated to campaigns we have been tracking since 2011,” they said.