Wednesday, June 20, 2012

Syrian Activists Targeted with BlackShades RAT


One of the attackers who has been targeting Syrian anti-government activists with malware and surveillance tools has returned and upped the ante with the use of the BlackShades RAT, a remote-access tool that gives him the ability to spy on victims machines through keylogging and screenshots.

The original attacks against Syrian activists, who are working against the government's months-long violent crackdown, were using another RAT known as Xtreme RAT, with similar capabilities. That malware was being spread through a couple of different targeted attacks, including one in which activists were directed to YouTube videos and their account credentials were then stolen when they logged in to leave comments.

That attack continued with the installation of the RAT, giving the attacker surreptitious access to the victims' machines, enabling him to monitor their activities online. Now, researchers say that at least one attacker who is known to be involved in these targeted attacks also is using the BlackShades RAT in a new set of attacks.

The new attack is being run by spreading a malicious link to dissidents. When a victim clicks on the link, it takes him to a site that downloads a file called "new_new .pif." That file then goes through a long infection routine that includes the installation of several files. One of the files that's installed is a keylogger and the malware also creates a number of registry keys that ensure persistence on the machine, according to an analysis of the attack by researchers at the EFF and Citizen Lab.


For those interested in samples, Mila posted copies of all three RATs used to target Syrian anti-government activists.

No comments:

Post a Comment