The Electronic Frontier Foundation (EFF) warned this week that political activists in Iran and Syria are being targeted in malware attacks disgised as Adobe Flash Player updates on Youtube.
In a blog post by the EFF’s Eva Galperin and Morgan Marquis-Boire on Thursday said the attacks occur after users visit a fake Youtube page and are encouraged to update their Flash. The “update” in turn downloads a file, “setup.exe,” to their computer. Once installed via Microsoft’s .NET, it connects to a Syrian IP and downloads additional malware, giving attackers full access to the user’s computer. A phishing site connected to the bogus Youtube page has since been taken down where users were tricked into entering their actual Youtube credentials in order to comment on videos.
The scams follow a pattern as of late that’s seen a glut of of pro-Syrian government malware targeting activists.
A few weeks back, the EFF observed a new, versatile Trojan, Darkcomet RAT, which targeted Syrian activists. The Trojan was designed to harvest information from infected systems that could be useful to the regime in its attempts to suppress political dissent. Among other things, Darkcomet stole webcam activity, disabled notifications for antivirus programs, and even swiped passwords and keystrokes – communicating everything to a remote Syrian IP. An alternate form of malware, Xtreme RAT, was found a few weeks later tracking users via e-mail attachments, messenger programs and Skype.
A post on the Tor Project’s blog this week takes a deeper look into the Syrian malware. It describes in depth just how users are being infected via these mediums. With help from ThreatGRID’s Jonathan Tomek, Tor analyzed the files sent to activists and revealed that those behind Microsoft Powerpoint and image file attachments were being sent to victims. When those files were opened, malicious software including Trojan horse programs and key loggers are installed. Both relay information from victims’ computers to a domain that has been hosted in both Syria and London.
Popular unrest throughout the Middle East has prompted besieged governments there to turn to hacking and online surveillance in an attempt to quell popular uprisings. The Iranian government is believed to have been behind an attack on Dutch certificate authority Diginotar that allowed the attackers to make off with legitimate certificates that could be used to launch man in the middle attacks against Iranian citizens attempting to connect, securely, to sites like The Tor Project, Mozilla, WordPress and Yahoo. In the wake of that attack, Google warned users in Iran to use extra precautions to protect their identity online.
Elements supporting the Syrian regime have been known to act online before. Last year Hackers from the Syrian Electronic Army vandalized Harvard University’s website to spread a message sympathetic to the regime of Bashar al-Assad.