As the civil war in Syria continues, malware targeting those who oppose the embattled regime of Bashar al Assad is increasing in number, organization and sophistication according to a new report from Kaspersky Lab’s Global Research and Analysis Team.
Most of the malware samples related to the Syrian conflict were found on activist websites and social media channels. The samples, nearly all of which are remote access tools (RATs), are being disseminated by groups that appear aligned with the Assad regime, though the report does not identify any specific attackers. Kaspersky Lab researchers claim the groups responsible for these campaigns rely almost entirely on social engineering to spread their malicious software.
RATs (also known as remote administration Trojans) have the capacity to fully compromise the system on which they are installed. Attackers can use them to steal user credentials, activate cameras and microphone functionality and control pretty much any aspect of an infected machine.
Interestingly, the researchers have seen evidence that victims have identified and launched distributed denial of service attacks against command and control servers involved in the campaigns.
Kaspersky Lab’s analysis uncovered 110 distinct malicious file packages as well as 20 domains and 47 IP addresses associated with the attack campaigns.
One novel social engineering tactic used includes a faux leaked document purporting to be a secret government list containing the names of individuals wanted by the regime. A second fake leak claims to hold information about chemical weapons use. In actuality, the documents contains a RAT designed to pilfer sensitive information from victims. Another scheme involves Youtube videos of the conflict which also encourage users to download fake, trojanized versions of popular communication tools, like WhatsApp and Viber.
Once the attackers infect a machine, they use information gleaned from it, such as login credentials, to deploy more malware through communication services like Skype and social networks. In each case, the attackers pose as the person whose computer they’ve compromised and offer what they claim are security tools – but which are actually RAT malware – to those listed as the infected users contacts.
The fake security tools listed in the Securelist report include a fake antivirus product, a fake encrypted VPN client, and a fake firewall.
“Total Network Monitor (which is a legitimate application) is inside another sample found, being used with embedded malware for spying purposes” the researchers write. “Offering security applications to protect against surveillance is one of the many techniques used by malware writing groups to get users desperate for privacy to execute these dubious programs.”
Victims targeted by these campaigns are located within Syria, of course, but also in Turkey, United Arab Emirates, Saudi Arabia, United States, France, Palestine, Isreal, Lebanon and Morocco. Command and control servers have been observed operating from Syria, Russia, Brazil, U.S., and Lebanon.
“The threat actors are becoming more organized, the number of attacks is increasing and the samples being used are becoming more sophisticated, while also relying extensively on powerful social engineering tricks that many people fall for.”
The reseachers say some of the malware deployed in the attacks has been downoaded more than 2,000 times. They estimates that there have been roughly 10,000 victims.
You can find an extended version of the Kaspersky Lab report with more information about specific attacks and malware here [PDF].