Article by Eva Galperin and Morgan Marquis-Boire
Since the beginning of the year, pro-Syrian-government hackers have steadily escalated the frequency and sophistication of their attacks on Syrian opposition activists.
The latest surveillance malware comes in the form of a self-extracting file that is made to look like a PDF if Windows is set to hide file extensions. The PDF purports to be a document concerning the formation of the leadership council of the Syrian revolution and is delivered via Skype message from a known friend.
The malware installs a remote administration tool called DarkComet RAT, which can capture webcam activity, disable the notification settings of certain antivirus programs, record keystrokes, steal passwords, and more.
It sends this data back to the same IP address in Syrian IP space that was used in several previous attacks, including the attacks reported by CNN in February, the Xtreme RAT Trojan EFF reported in March, and this sample from March 21st.
Syrian Internet users should be extremely cautious about clicking on suspicious-looking links, or downloading documents over Skype, even if the document purportedly comes from a friend.
The self-extracting file is named:
- ورقة حول مجلس القيادة_asrcs.fdp.scr
On extraction, it performs several actions, including opening a PDF file. It then drops the following files:
- C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\(Empty).lnk
- C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ورقة حول مجلس القيادة.pdf
Additionally, once you start typing, it creates a keylogger directory.
Windows Task Manager shows a process that indicates DarkComet RAT is running on your computer. Open Task Manager by pressing Ctrl+Shift+Esc and click the Processes tab. The process is called svchost.exe and runs under your username; in this example, the user is Administrator.
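The indicators above (an svchost.exe owned by an ordinary user account rather than SYSTEM, LOCAL SERVICE or NETWORK SERVICE, a shortcut dropped into the Startup folder, and a screensaver executable posing as a document) can be checked mechanically. The following Python triage helpers are an added example, not EFF's code; the process list and file paths they run over are constructed here from the article's description.

```python
"""Triage helpers for the DarkComet indicators described in the article
(example code, not EFF's). Runs on any OS: Windows paths are handled
with ntpath so the sample data below can be parsed offline."""
import ntpath

# Accounts a legitimate svchost.exe runs under; a user-owned one is suspect.
SERVICE_ACCOUNTS = {"SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE"}
# Extensions Windows hides when "hide extensions for known file types" is on.
EXECUTABLE_EXTENSIONS = {".scr", ".exe", ".com", ".pif", ".bat", ".cmd"}

# Constructed snapshot of a Task Manager process list (pid, name, user).
SAMPLE_PROCESSES = [
    {"pid": 820, "name": "svchost.exe", "user": "SYSTEM"},
    {"pid": 964, "name": "svchost.exe", "user": "NETWORK SERVICE"},
    {"pid": 1244, "name": "svchost.exe", "user": "Administrator"},
    {"pid": 1480, "name": "explorer.exe", "user": "Administrator"},
]
# Files dropped by the sample, as listed in the article.
SAMPLE_DROPPED_FILES = [
    r"C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\(Empty).lnk",
    r"C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ورقة حول مجلس القيادة.pdf",
]

def suspicious_svchost(processes):
    """Return (pid, user) for svchost.exe instances not owned by a service account."""
    return [(p["pid"], p["user"]) for p in processes
            if p["name"].lower() == "svchost.exe"
            and p["user"].upper() not in SERVICE_ACCOUNTS]

def startup_shortcuts(paths):
    """Return .lnk files inside a per-user Startup folder (autorun persistence)."""
    hits = []
    for path in paths:
        folder, name = ntpath.split(path)
        if name.lower().endswith(".lnk") and \
                folder.lower().endswith(r"\start menu\programs\startup"):
            hits.append(path)
    return hits

def masquerading_extension(filename):
    """True when the real (last) extension is executable and the name carries an
    earlier dotted token, so the file reads as a document once extensions are hidden."""
    root, ext = ntpath.splitext(filename)
    return ext.lower() in EXECUTABLE_EXTENSIONS and "." in root

if __name__ == "__main__":
    print("user-owned svchost:", suspicious_svchost(SAMPLE_PROCESSES))
    print("startup shortcuts:", startup_shortcuts(SAMPLE_DROPPED_FILES))
    print("dropper looks like a document:",
          masquerading_extension("ورقة حول مجلس القيادة_asrcs.fdp.scr"))
```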
As of Wednesday April 4th, this Trojan is not detected by any anti-virus program. However, it is detectable by the DarkComet RAT removal tool, DarkComet RAT Remover v1.0, written by the same developer who originally wrote DarkComet RAT. The YouTube phishing attack also installed DarkComet RAT and is detectable with the same tool.
EFF is deeply concerned to see targeted attacks on Syrian Internet activists continue. We are even more concerned by evidence suggesting that a subset of the attacks are being carried out by the same individual or group somewhere inside of Syria. We will continue to keep a close eye on developments.
Cross-posted from Electronic Frontier Foundation