Campaign Targeting Activists Escalates with New Surveillance Malware

Sunday, April 08, 2012

Article by Eva Galperin and Morgan Marquis-Boire

Since the beginning of the year, pro-Syrian-government hackers have steadily escalated the frequency and sophistication of their attacks on Syrian opposition activists.

We have reported on several Trojans, which covertly install spying software onto the infected computer, as well as phishing attacks which steal YouTube and Facebook login credentials.

The latest surveillance malware comes in the form of an extracting file which is made to look like a PDF if you have file extensions turned off. The PDF purports to be a document concerning the formation of the leadership council of the Syrian revolution and is delivered via Skype message from a known friend.

The malware installs a remote administration tool called DarkComet RAT, which can capture webcam activity, disable the notification setting for certain antivirus programs, record key strokes, steal passwords, and more.

It sends this data back to the same IP address in Syrian IP space that was used in several previous attacks, including the attacks reported by CNN in February, the Xtreme RAT Trojan EFF reported in March, and this sample from March 21st.

Syrian Internet users should be extremely cautious about clicking on suspicious-looking links, or downloading documents over Skype, even if the document purportedly comes from a friend.

The self-extracting file is named:

  • ورقة حول مجلس القيادة_as‮rcs.fdp.scr

On extraction, it performs several actions, including opening a PDF file. Other files are then dropped:

  • C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\(Empty).lnk
  • C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ورقة حول مجلس القيادة.pdf
  • C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Explorer.exe
  • C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\msdlg.ocx

Additionally, after you start typing, it creates a keylogger directory:

  • C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\dclogs

Windows Task Manager displays a process that indicates the DarkComet RAT is running on your computer. Go to your Windows Task Manager by pressing Ctrl+Shift+Esc and click on the Processes tab. The process is called svchost.exe and runs under your username. In this example, the user is Administrator.

As of Wednesday April 4th, this Trojan is not detected by any anti-virus program. However, it is detectable by the DarkComet RAT removal tool, written by the same developer that originally wrote DarkComet RAT.  The YouTube phishing attack also installed DarkComet RAT and is detectable via the DarkComet RAT removal tool DarkComet RAT Remover v1.0.

EFF is deeply concerned to see targeted attacks on Syrian Internet activists continue. We are even more concerned by evidence suggesting that a subset of the attacks are being carried out by the same individual or group somewhere inside of Syria. We will continue to keep a close eye on developments.

Cross-posted from Electronic Frontier Foundation

Possibly Related Articles:
General Legal
Passwords Trojans malware Attacks Sniffing keylogger Electronic Frontier Foundation Activists DarkComet RAT
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.