Zerosecurity
Syrian Activists targeted by Blackshades Trojan

by Paul Anderson
July 17, 2012
in Technology News

Since March of this year, EFF has reported extensively on the ongoing campaign to use social engineering to install surveillance software that spies on Syrian activists.

Syrian opposition activists have been targeted using several Trojans, including one disguised as a Skype encryption tool and others disguised as revolutionary documents.

As we have tracked these ongoing campaigns, patterns have emerged that link certain attacks to one another, indicating that the same actor or group of actors is responsible. More than a dozen of these attacks have installed versions of the same remote access tool, DarkComet RAT, and reported back to the same IP address in Syrian address space.

DarkComet RAT’s increasingly close association with pro-Syrian-government malware, combined with the Human Rights Watch report on the Assad regime’s network of torture centers, may have motivated the project’s sole developer to shut it down, declaring his intention to work on an alternative tool that more closely resembles VNC and requires administrative access to install.

Pro-Syrian-government hackers appear to have moved on to another remote access tool: Blackshades Remote Controller, whose capabilities include keystroke logging and remote screenshots. EFF reported on the use of this tool in malware targeting officers of the Free Syrian Army on June 19th.

Similar command and control domains suggest that this campaign is being carried out by the same actors responsible for the fake YouTube attack we reported in March, which lured Syrian activists in by advertising pro-opposition videos, stole their YouTube login credentials by asking them to log in before leaving a comment, and installed surveillance malware disguised as an Adobe Flash Player update.

A new campaign, using Blackshades Remote Controller, has been discovered via a message sent from a compromised Skype account to an individual working with the Syrian opposition, seen in the screenshot below. Roughly translated, the message reads: “There is a person who hates you, and keeps talking about you. I took a screenshot of the conversation. Please beware of this person, as he knows you personally. This is a screenshot of the conversation.”

[Screenshot: the Skype message sent from the compromised account]

Clicking the link (http://14wre.co.za/new.zip, now dead because the malicious file has been removed) downloaded new.zip, which unzipped to new.pif.

new.pif (SHA-256): 430f220ee9b3083b43347918dbda3051145734e243e92b966a99990376c21eb8

This malware attempts to connect to the command and control server at alosh66.servecounterstrike.com. The DNS provider for this domain has been notified and the domain has been disabled; the last IP address it resolved to was 31.9.48.11. The subdomain label "alosh66" also appeared in the command and control domains of the two other campaigns EFF has described above.

This sample drops the following files:

C:\Documents and Settings\Administrator\Templates\THEMECPL.exe, a copy of the malware itself written to the Templates folder, shown in the screenshot below.

[Screenshot: THEMECPL.exe in the Templates folder]

C:\Documents and Settings\Administrator\Local Settings\Temp\sppnp.exe, BlackShades RAT, shown in the screenshot below. This is very similar to the previous installation detailed by Citizen Lab.

[Screenshot: sppnp.exe, the BlackShades RAT component]

C:\Documents and Settings\Administrator\Application Data\demo.exe, a copy of AppLaunch.exe, the Microsoft ClickOnce launcher, shown in the screenshot below, together with the keylogger file, C:\Documents and Settings\Administrator\Application Data\data.dat.

[Screenshot: demo.exe and data.dat in the Application Data folder]

If you see these files on your computer, you have been infected with BlackShades.
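The indicators above (the dropped file paths, the new.pif hash, the C2 domain with its last IP, and the recurring "alosh66" label that ties this campaign to the two earlier ones) can be checked mechanically rather than by eye. The script below is an added example for this write-up, not code from EFF or from the original report: it scans a user-profile directory for the dropped files, hashes anything it finds against the published new.pif SHA-256, and runs DNS/firewall log lines through a matcher for the C2 indicators. The profile tree it builds and the log lines it scans are constructed for the demonstration, and treating any host whose leading label is "alosh66" as related is an assumption that generalises the report's observation about the shared label.

```python
"""IOC check for the BlackShades sample described in this report.

Added example, not code from EFF or from the report. The indicators are the
ones quoted in the text; the sample profile tree and the log lines are
constructed here so the script runs offline.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# Indicators quoted from the report.
NEW_PIF_SHA256 = "430f220ee9b3083b43347918dbda3051145734e243e92b966a99990376c21eb8"
C2_DOMAIN = "alosh66.servecounterstrike.com"
C2_LAST_IP = "31.9.48.11"
C2_LABEL = "alosh66"  # label the report says recurs across campaigns

# Files the sample drops, relative to the user profile directory
# (C:\Documents and Settings\Administrator in the report's XP-era layout).
DROPPED_FILES = [
    r"Templates\THEMECPL.exe",
    r"Local Settings\Temp\sppnp.exe",
    r"Application Data\demo.exe",
    r"Application Data\data.dat",
]


def sha256_of(path):
    """SHA-256 hex digest of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_profile(profile_dir):
    """List the dropped-file indicators present under profile_dir.

    Each hit records the relative path, its SHA-256 and whether that digest
    equals the published new.pif hash (THEMECPL.exe is a copy of new.pif,
    so on a real infection that is the file expected to match).
    """
    hits = []
    for rel in DROPPED_FILES:
        p = Path(profile_dir).joinpath(*rel.split("\\"))
        if p.is_file():
            digest = sha256_of(p)
            hits.append({"path": rel, "sha256": digest,
                         "matches_new_pif": digest == NEW_PIF_SHA256})
    return hits


# Match the C2 domain, its last IP, or any host whose leading label is
# 'alosh66' (assumption: generalises the report's shared-label observation).
# The boundary assertions stop 131.9.48.11 or 31.9.48.110 matching the IP.
C2_RE = re.compile(
    r"(?<![\w.-])(?:%s|%s|%s\.[\w.-]+)(?![\w-])"
    % (re.escape(C2_DOMAIN), re.escape(C2_LAST_IP), re.escape(C2_LABEL)),
    re.IGNORECASE,
)


def scan_log(lines):
    """Return (1-based line number, matched indicator) for each log hit."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = C2_RE.search(line)
        if m:
            hits.append((n, m.group(0)))
    return hits


# Constructed DNS/firewall log lines for the demo (not real traffic).
SAMPLE_LOG = [
    "2012-07-16 09:12:01 DNS A alosh66.servecounterstrike.com from 192.168.1.23",
    "2012-07-16 09:12:02 TCP 192.168.1.23:1051 -> 31.9.48.11:80 SYN",
    "2012-07-16 09:13:44 DNS A www.skype.com from 192.168.1.23",
    "2012-07-16 09:15:10 DNS A alosh66.example.net from 192.168.1.40",
    "2012-07-16 09:16:00 TCP 192.168.1.40:1103 -> 131.9.48.11:80 SYN",
]


def demo():
    """Build a constructed profile tree holding two of the dropped files,
    run both scans and return (file_hits, log_hits)."""
    root = Path(tempfile.mkdtemp(prefix="profile-"))
    for rel, body in [(r"Templates\THEMECPL.exe", b"MZ-not-the-real-sample"),
                      (r"Application Data\data.dat", b"constructed keylog")]:
        p = root.joinpath(*rel.split("\\"))
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(body)
    return scan_profile(root), scan_log(SAMPLE_LOG)


if __name__ == "__main__":
    file_hits, log_hits = demo()
    for h in file_hits:
        print("dropped file present:", h["path"], h["sha256"][:16],
              "(hash matches new.pif)" if h["matches_new_pif"] else "")
    for n, ind in log_hits:
        print("C2 indicator on log line %d: %s" % (n, ind))
```

On a real XP-era host, point scan_profile at C:\Documents and Settings\<user> and scan_log at your resolver or proxy log. The constructed files cannot match the published hash, so in the demo only the file names fire; on an infected machine the presence of the paths is already the indicator the report gives, and the hash match on THEMECPL.exe confirms the specific sample. No hits is not a clean bill of health, and once any indicator fires the reinstall advice below still applies.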

If your computer is infected, deleting the above files or using anti-virus software to remove the Trojan does not guarantee that your computer will be safe or secure. This malware gives an attacker the ability to execute arbitrary code on the infected computer. There is no guarantee that the attacker has not installed additional malicious software while in control of the machine.

Some anti-virus vendors recognize this malware as BlackShades Remote Controller. You can update your anti-virus software, run it, and let it remove the Trojan if it is detected, but the safest course of action is to reinstall the operating system and change the passwords for every account you have logged into since the time of infection.

EFF urges Syrian activists to be especially cautious when downloading files over the Internet, even in links that are purportedly sent by friends. While Syrians have become increasingly sophisticated in their privacy and security practices, pro-Syrian-government actors have also increased the frequency and sophistication of their campaigns.

In light of disturbing reports documenting the use of torture by Syrian security forces in detention facilities across the country, the need for caution is greater than ever.

Source: Electronic Frontier Foundation

Tags: blackshades, malware, spy, syrian
Paul Anderson

Editor-in-chief at ZeroSecurity. Expertise includes programming, malware analysis, and penetration testing. If you would like to write for ZeroSecurity, please click "Contact us" at the top of the page.

© 2022 ZeroSecurity, All Rights Reserved.