One of the attackers who has been targeting Syrian anti-government activists with malware and surveillance tools has returned and upped the ante with the BlackShades RAT, a remote-access tool that lets him spy on victims' machines through keylogging and screenshots.
The original attacks against Syrian activists, who are working against the government's months-long violent crackdown, used another RAT known as Xtreme RAT, with similar capabilities. That malware was spread through a couple of different targeted attacks, including one in which activists were directed to YouTube videos and had their account credentials stolen when they logged in to leave comments.
That attack continued with the installation of the RAT, giving the attacker surreptitious access to the victims' machines and letting him monitor their activities online. Now, researchers say that at least one attacker known to be involved in these targeted attacks is also using the BlackShades RAT in a new set of attacks.
The new attack is run by spreading a malicious link to dissidents. When a victim clicks the link, it takes him to a site that downloads a file called "new_new .pif" (Windows runs .pif files as executables and hides the extension in Explorer, so the name does not look like a program). That file then goes through a long infection routine that installs several files. One of the files is a keylogger, and the malware also creates a number of registry keys that give it persistence on the machine, according to an analysis of the attack by researchers at the EFF and Citizen Lab.
The malware protects its payload with a weak encryption routine, and the decryption key is stored inside the dropper itself, so the embedded binary can be recovered directly from the file.
“VSCover.exe contains ‘Libra’ (30209 bytes) as a .NET resource which is encrypted using a weak method. Decryption is possible using the key stored internally. Once decrypted, it is loaded as a .NET assembly and the Piept() function is called,” Morgan Marquis-Boire and Seth Hardy of Citizen Lab wrote in their analysis.
After the decryption routine, the resulting binary is the BlackShades RAT. The malware then connects over TCP port 4444 to an IP address controlled by the Syrian Telecommunications Establishment. That is the same address space the attacker behind the fake YouTube attacks was using, and Citizen Lab said that in March both pieces of malware were using the same C&C IP address.
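The analysis above says only that the resource is encrypted with a weak method and that the key is stored internally; it does not describe the scheme. The following added example, which is not code from the Citizen Lab analysis or from the malware, assumes a repeating-key XOR (a common weak scheme) and an assumed wrapper layout that stores the key in front of the ciphertext. It shows the two things an analyst does with such a resource: read the stored key and unpack, and, going beyond the page, recover the key even without the stored copy, because the payload is a PE/.NET assembly whose header always begins with "MZ" and carries the stock DOS stub text, which serves as known plaintext. The MAGIC marker, the wrapper layout, the key bytes, and the fake PE built as input are all constructed for illustration.

```python
"""Unpacking a resource whose decryption key is stored alongside it.

Added example; the XOR scheme, wrapper layout and sample data are assumptions,
not details taken from the Citizen Lab analysis or from the malware itself.
"""
import struct
from typing import Dict, Optional

MAGIC = b"RSRC"  # constructed marker for the assumed wrapper layout

# Known plaintext present in every PE produced by Microsoft's linkers: the
# "MZ" signature at offset 0 and the DOS stub message at offset 0x4E.
DOS_STUB = b"This program cannot be run in DOS mode."
DOS_STUB_OFF = 0x4E


def xor(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same routine encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def pack_resource(payload: bytes, key: bytes) -> bytes:
    """Assumed layout: MAGIC | key length (u16 LE) | key | ciphertext.
    The key travels inside the blob, which is the weakness the analysis describes."""
    return MAGIC + struct.pack("<H", len(key)) + key + xor(payload, key)


def unpack_with_stored_key(blob: bytes) -> bytes:
    """What the loader does: read the key out of the blob and decrypt."""
    if not blob.startswith(MAGIC):
        raise ValueError("not a wrapped resource")
    (klen,) = struct.unpack_from("<H", blob, len(MAGIC))
    key_off = len(MAGIC) + 2
    key = blob[key_off:key_off + klen]
    return xor(blob[key_off + klen:], key)


def looks_like_pe(data: bytes) -> bool:
    """Sanity check on a decrypted candidate: MZ header and a PE signature
    at the offset named by e_lfanew (offset 0x3C)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def recover_xor_key(ct: bytes, max_key_len: int = 32) -> Optional[bytes]:
    """Recover a repeating XOR key without the stored copy, using the PE
    header bytes as known plaintext. Each known byte yields one key byte;
    a candidate key length is accepted only if every known byte agrees
    and the decrypted result still looks like a PE."""
    if len(ct) < DOS_STUB_OFF + len(DOS_STUB):
        return None
    known: Dict[int, int] = {0: ord("M"), 1: ord("Z")}
    for i, b in enumerate(DOS_STUB):
        known[DOS_STUB_OFF + i] = b
    for klen in range(1, max_key_len + 1):
        key = [None] * klen
        consistent = True
        for off, pt in known.items():
            kb = ct[off] ^ pt
            idx = off % klen
            if key[idx] is None:
                key[idx] = kb
            elif key[idx] != kb:
                consistent = False
                break
        if not consistent or None in key:
            continue
        candidate = bytes(key)
        if looks_like_pe(xor(ct, candidate)):
            return candidate
    return None


def build_fake_pe(e_lfanew: int = 0x80, size: int = 0x200) -> bytes:
    """Constructed stand-in for the encrypted .NET assembly: only the header
    fields the checks above rely on are filled in."""
    buf = bytearray(size)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, e_lfanew)
    buf[DOS_STUB_OFF:DOS_STUB_OFF + len(DOS_STUB)] = DOS_STUB
    buf[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    return bytes(buf)


def demo(key: bytes = b"\x3a\x9c\x11\xf0\x55\x07") -> Dict[str, object]:
    """Wrap a fake payload with an assumed key, then recover it both ways."""
    payload = build_fake_pe()
    blob = pack_resource(payload, key)
    ct = blob[len(MAGIC) + 2 + len(key):]
    recovered = recover_xor_key(ct)
    return {
        "stored_key_ok": unpack_with_stored_key(blob) == payload,
        "recovered_key": recovered,
        "known_plaintext_ok": recovered is not None and xor(ct, recovered) == payload,
    }


if __name__ == "__main__":
    print(demo())
```

On a real sample, build_fake_pe() would be replaced by the bytes of the extracted resource and pack_resource() would not be needed. The known-plaintext path is the useful generalization: it works whenever the payload is a linker-produced PE that keeps the stock DOS stub at offset 0x4E, even if the author later hides or mangles the stored key, which is why storing any key next to its ciphertext buys nothing against an analyst.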
“This evidence, combined with the similar naming convention, suggests that these attacks have been performed by the same actor.
This malware package (new_new .pif) is not well detected at this time, but it is detected by some anti-virus vendors. This version of the Black Shades RAT implant (VSCover.exe) is, at the time of analysis (Jun 16th 2012), undetected,” Hardy and Marquis-Boire wrote.
The last few weeks have seen a lot of news about targeted attacks by governments against other nations, in the form of tools such as Flame, Stuxnet and Duqu. Those are the kind of operations one expects nations to run against their adversaries. But the attacks hitting Syrian dissidents, and activists in other nations, may be the more insidious and troublesome ones for ordinary citizens.