Google’s Morgan Marquis-Boire is focusing on governmental use of topical social engineering, surveillance malware and remote access toolkits in Arab countries.While we’ve seen a steady stream of Facebook phishing attacks, we’ve also seen attacks focusing on Skype and YouTube. Many of you may have heard of the alleged recent suicide bombing of three senior military officials in Damascus. This campaign came out a couple of days ago. Emails were sent to Syrian pro-revolution mailing lists alleging that the site (see right-hand image) contained the final phone call from the Minister of Defense to his wife. It’s been made to look like a Skype site, and when you click on this picture it asks for your Skype credentials. So, topical social engineering has been a feature of these campaigns. Earlier this year in March someone started seeding pro-revolutionary forums on Facebook with these types of messages (see left-hand image). It says: “Urgent and critical video leaked by security forces and thugs. The revenge of Assad’s thugs against the free men and women of Baba Amr and captivity taken to ends raping one woman by Assad’s dogs. Please spread this”. Clicking that link leads you to a fraudulent YouTube site. A noteworthy feature of the Syrian revolution has been its use of YouTube. There have been many videos (see right-hand image) posted from the conflict detailing the ongoing violence occurring in Homs, Hama and other cities. The ability to display to the world the conflict occurring in the country, with foreign reporting largely banned, has been extremely important.
As you can see, this is a somewhat accurate mock-up of the pro-revolution Syrian channels that sprang up over the course of the uprising, the major difference being that the site was hosted on the server of a hacked British hosting company.
On visiting the malicious website, the users would be asked for their credentials in order to be able to post comments, and the site would inform the users that in order to view videos they would have to upgrade their Flash software. Naturally, this Flash software was malicious and installed the surveillance malware I mentioned earlier, allowing remote listening and viewing of activities via their computers.
This malware sent back the data to command and control domains inside Syrian IP space. And it’s worth noting actually that all the campaigns that have been documented so far have exfiltrated data into Syrian space, many of them to the same IP address. While this aspect of the campaign is not so stealthy, some of the social engineering employed has been quite compelling.This campaign (see right-hand image) featured malware which used the overwrite trick recently used by the Madi malware to masquerade as revolutionary plans for the formation of the High Council after the revolution. Naturally, these documents installed a remote access toolkit. However, they also displayed documents to the user, which were purportedly intriguing and enticing and likely to be passed about by activists interested in their veracity. Another campaign by the same actors pretended to be a Zero-Hour plan for the city of Aleppo (see left-hand image). Again, the purported documents installed the Trojan. However, they provided extensive documentation likely to be distributed by dissidents among their networks. Skype is used quite extensively by activists who distrust the country’s telecommunications infrastructure. At the beginning of May it was widely reported that Skype leaked your IP, and by extension could potentially allow the tracking of your physical location. Playing on the concern of dissidents, the same actors began distributing Skype encryption software (see left-hand image) which would allegedly alleviate this problem. Note that this software doesn’t actually encrypt phone calls. In addition to displaying a GUI with tragic abuse of Comic Sans, this installs the same surveillance malware. This malware was Darkcomet. This is a remote access toolkit that became associated with the Syrian revolution. Perhaps because of this the author of it announced a couple of weeks ago that he would stop producing and distributing it. At the similar time, although not necessarily because of this, we’ve seen these groups in Syria move to the use of Blackshades RAT. Since the demise of Darkcomet, we’ve seen three variants of Blackshades, and they were all used by someone not very inventive when it comes to naming. This group used alosh66 as a prefix for four of these CnC’s (see left-hand image). Distinguishing feature: predictable C2 domain naming convention. While they’ve been using Blackshades a lot recently – in fact, I saw a new sample of it on Monday, they’ve previously been using Darkcomet, and these people being the same actors who performed the fake YouTube attack that I mentioned earlier. As I mentioned before though, the heavy use of Darkcomet has been a feature of the pro-regime electronic actors in this region, particularly these guys (see left-hand image). Again, inventive name; I’m not sure whether this group is related to the one I just discussed, but these guys loved using the same C2 address. Early on they used the domain meroo.no-ip.org, which pointed to 220.127.116.11, which I mentioned because it was actually outed in the CNN article in February. But despite this and the shutdown of their domain, they continued to distribute malware which connected to this address for months.
So, they were responsible for the campaigns I mentioned earlier (see right-hand image), involving the fake revolutionary documents, the fake Skype encryption, applications, the Zero-Hour plan for Aleppo, and many more.
Read previous: CuteCats.exe and the Arab Spring: Governments vs Dissidents