June 21, 2012 | by Adam Kujawa
As reported by the Electronic Frontier Foundation (EFF) earlier this week, a new Trojan is being spread to Syrian activists in an attempt to put the group and its members under electronic surveillance. This Trojan is none other than the BlackShades RAT I blogged about last week in Part 2 of a series on different RATs found in the wild. As it turns out, DarkComet, the subject of the first post in that series, has also been used against the activists in the past.
Syria is currently undergoing a very serious and bloody internal war between the government and the opposition forces, or activists, who want to see the tyranny and injustice shown by the country’s top leaders come to an end. I cannot speak about it in detail but can only refer you to this video by CNN, which explains everything very well up to now:
Beyond attempting to quash opposition on the ground with tanks and guns, attempts have been made to do the same thing in the cyber arena: pitting people against each other, disrupting communication and, at the same time, collecting vital information on the activists’ communications. To accomplish this, three types of Remote Access Trojans/Tools have been used against the activists, with various methods of infection.
According to the EFF, the hackers who have been infecting the systems of the Syrian activists are the same ones who previously infected them with DarkComet. They accomplished this by leading the victims to a fake YouTube video page with anti-government themes. Accessing the page prompted the victim to download and install an Adobe Flash update; the updater executable was actually a DarkComet implant in disguise. The page also let victims log in with their real YouTube credentials to leave comments, at which point the credentials were stolen and used against the activists, possibly to spread the fake YouTube video to their contacts.
The new infection method used with BlackShades distributes the implants through Skype as a “.pif” file. The EFF was able to document this based on a sample of the malware obtained by an officer of the Free Syrian Army through his Skype account. After he downloaded and executed the file, it infected his system and sent the same link he had received, describing the download as an “Important Video”, to all of his contacts.
As I mentioned in that blog post, BlackShades NET can create implant binaries that employ custom obfuscation algorithms, or Crypters, which can be bought through the Bot/Crypter marketplace embedded in the BlackShades controller. The implant sample collected from the infected systems of the Syrian activists uses one of these custom Crypters to hide the implant binary from detection.
According to Citizen Lab, a laboratory at the University of Toronto which conducted an in-depth analysis of the collected implant sample, the malware variant was undetected by any of the antivirus engines used by VirusTotal at the time they released their results online. However, thanks to the diligence and observations of the researchers at Malwarebytes, the samples noted as ‘Undetected’ by Citizen Lab were being detected by Malwarebytes Anti-Malware definitions 9 days before the release of the Citizen Lab report on June 7th.
To summarize a very interesting and technical explanation:
- The User “Templates” directory
- The User “Temp” directory
- It is important to note that alosh55 follows a naming convention similar to that of the beacon address for the previously used DarkComet RAT, which, according to Citizen Lab, was alosh66. This connection, together with their finding that both alosh55 and alosh66 pointed to the same IP address on consecutive days, led to the conclusion that both the attacks using the DarkComet RAT and the new ones using the BlackShades RAT are being performed by the same actor.
The EFF mentioned that one of the capabilities of BlackShades is installing a keylogger and a screenshot grabber; we know that these are only minor capabilities of BlackShades. Taking that into consideration, however, what could happen if the information obtained through these types of functionality were put in the wrong hands? I created a list of what that information is and what it could be used for in the hands of state-sponsored hackers:
Keylogging is one of the simpler features available to BlackShades users; unlike most keyloggers, however, the BlackShades interface presents a very readable feed of the infected user’s key presses. Using this functionality, hackers can obtain:
We know that BlackShades can remotely control a system by taking over the user’s input; combined with other BlackShades features, this gives the hacker the ability to:
While the ability to remotely activate and monitor the webcam attached to a computer lets a hacker invade user privacy on many levels, I can think of only a few uses for government-sponsored hackers:
BlackShades includes many more features which would be useful to government-sponsored hackers, including:
If you are curious about any further functionality of BlackShades, please check out my blog post from last week: You Dirty RAT Part 2: BlackShades NET
Unlike Flame, which had little likelihood of reaching the general public and being a threat to the normal person, BlackShades is a very real threat to the average user. That is because it isn’t used only in political or international conflicts; it is used against everyday people to steal information, spy on them and exploit them every day. My BlackShades blog post goes into some detail about how to most effectively protect your system from being compromised by a BlackShades implant. In addition, the EFF included in their report a section on how to protect yourself from this threat, and I encourage you to check it out.
As stated previously, Malwarebytes Anti-Malware was able to detect the obfuscated BlackShades implants 9 days before the release of the Citizen Lab report. That said, Malwarebytes Anti-Malware works in conjunction with pre-existing antivirus software to add a second layer of protection against new and upcoming threats. If you are concerned about the possibility of being infected by this or a similar type of malware, please download and install, at the very least, the free version of Malwarebytes Anti-Malware to protect your information.
While writing this I couldn’t help but consider a few things that raised some flags for me and that I thought would be interesting to share. Namely, the choices made by the hackers in the design and execution of their attacks, compared with the espionage efforts of other, more developed countries.
While we didn’t go into it very deeply in my BlackShades blog post, port 4444 is set as the default transfer port, and according to Citizen Lab, it was the port they saw BlackShades using to connect to its command-and-control (C&C) server. This means that, regardless of all the obfuscation the hackers used to hide the implant binary, they are still using at least some of the default settings for the implants themselves. This is usually a sign of a lack of experience with this kind of tool, or a lack of concern for using it correctly.
Despite BlackShades being a pretty mean piece of software, you still have to wonder about the fact that a state-sponsored hacker or hacker group is using freely available malware that is more often seen in the hands of script kiddies and organized cyber-crime groups. There is a small price ($40) for BlackShades, plus however much they paid for the Crypters, but DarkComet is completely free! Over the past few weeks we have seen the most intricate piece of spy malware ever developed (Flame) being used for cyber espionage against the infrastructure of developed countries, and then we look at the poverty-stricken government of Syria and see over-the-counter RATs being used. It is clear that even in cyber war, the more developed countries have better weapons, while the poorer countries use whatever they can get their hands on.
The hackers behind the attacks on and infection of Syrian activists are not employing sophisticated methods of espionage and infection, only the same tactics as the average cybercriminal. The fact that default settings and publicly available RATs are being used means that the hackers are not especially skilled in cyber espionage and are simply using what they can to get the most results.
In addition, this is just one case of publicly available malware being used beyond the purposes for which it was ever intended. A while ago, when speaking about Flame, I asked the question “How much super malware could really be out there?” In this instance, I ask: ‘How much publicly available and widely used malware is being used every day for purposes of great importance, such as war or cyber-espionage on a corporate or international level?’ Luckily for us, there are only so many ways to mask a variant of the same malware; as long as we know about it, we can fight it.