Syrian Conflict: Attackers Steal Rebel Battle Plans

Security researchers have uncovered a major new attack campaign designed to covertly steal military and political intelligence which could be used to gain a battlefield advantage against the Syrian ‘rebel’ armies.

FireEye explained in a new report, Behind the Syrian Conflict’s Digital Front Lines, that the attackers would typically hide behind a female online avatar, striking up a conversation with their targets on Skype.

Unusually, the ‘women’ would ask the victim what device they were using, most likely in order to determine what type of malware to deliver.

A private photo of the ‘woman’ would then be sent to the victim.

The report continued:

“The avatar’s ‘photo’ was actually an executable file (a self-extracting RAR archive) renamed with the .pif file extension. When the victim “opened” the photo, a woman’s picture was displayed while the SFXRAR executed and ultimately installed the DarkComet RAT in the background. From this point on, the victim’s computer was under the threat group’s control.”
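The lure described in the quote works because Windows treats a `.pif` file as executable while the victim is shown only a picture. A basic defensive check is to compare what a file's name promises with what its leading bytes actually are. The script below is an added example written for this article, not code from FireEye or from the report; the function names, the list of extensions beyond `.pif`, and the sample byte strings are all constructed for illustration. It flags a PE image carrying an image-style or "forgotten executable" extension, a double extension such as `photo.jpg.pif`, and a RAR signature appended to a PE stub (the layout of a self-extracting RAR archive).

```python
import os

# Extensions Windows will execute even though most users do not recognise them as
# programs. ".pif" is the one used in the campaign above; the rest are assumed additions.
EXECUTABLE_EXTENSIONS = {".pif", ".exe", ".scr", ".com", ".bat", ".cmd"}
# Extensions that should only ever contain image data.
IMAGE_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif"}

IMAGE_MAGIC = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}
RAR_MARKER = b"Rar!\x1a\x07"  # common prefix of the RAR 4 and RAR 5 signatures


def sniff(data: bytes) -> str:
    """Coarse content type from the leading bytes, ignoring the filename entirely."""
    if data[:2] == b"MZ":
        return "pe-executable"
    if data.startswith(RAR_MARKER):
        return "rar-archive"
    for magic, kind in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def has_sfx_rar_marker(data: bytes) -> bool:
    """Heuristic for a self-extracting RAR: a PE stub with the archive appended after it."""
    return data[:2] == b"MZ" and RAR_MARKER in data[2:]


def classify(filename: str, data: bytes):
    """Return ('suspicious', reasons) or ('ok', []) for one file name plus its bytes."""
    base = os.path.basename(filename.lower())
    stem, ext = os.path.splitext(base)
    reasons = []
    if sniff(data) == "pe-executable":
        if ext in IMAGE_EXTENSIONS:
            reasons.append(f"PE executable with image extension {ext}")
        elif ext in EXECUTABLE_EXTENSIONS and ext != ".exe":
            reasons.append(f"PE executable delivered as {ext}")
        # "photo.jpg.pif": an image-looking extension hidden in front of the real one
        inner_ext = os.path.splitext(stem)[1]
        if inner_ext in IMAGE_EXTENSIONS:
            reasons.append(f"double extension {inner_ext}{ext}")
        if has_sfx_rar_marker(data):
            reasons.append("self-extracting RAR archive appended to PE stub")
    return ("suspicious" if reasons else "ok", reasons)


# Constructed sample inputs (not real malware): a minimal PE stub with a RAR
# signature appended, a plain PE stub, and a JPEG header.
SAMPLE_SFX = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x00" * 16 + RAR_MARKER + b"\x00" + b"payload"
SAMPLE_PE = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x00" * 16
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 16

SAMPLES = {
    "photo.jpg.pif": SAMPLE_SFX,   # the lure pattern from the report
    "holiday.jpg": SAMPLE_JPEG,    # genuine image
    "setup.exe": SAMPLE_PE,        # honestly named program
    "scan.png": SAMPLE_PE,         # PE hiding behind an image extension
}


def scan_samples():
    """Classify every constructed sample; returns {name: verdict}."""
    return {name: classify(name, data)[0] for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        verdict, reasons = classify(name, data)
        print(f"{name:16} {verdict:10} {'; '.join(reasons)}")
```

Run it as-is to see the four verdicts; to use it on a directory, feed `classify()` each file's name and its first few kilobytes. The check is deliberately content-first: the extension only decides whether the mismatch is worth a reason, the bytes decide what the file really is.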

The group stole over 7GB of data in total during the campaign, which ran roughly from November 2013 to January 2014. This included over 31,000 Skype conversations, 64 Skype account databases, and more than 240,000 messages.

The information the attackers were mainly after appears to be battlefield-related, political, or that relating to humanitarian activities, refugees and even media releases. The common thread is that all the info would give pro-Assad forces an advantage, FireEye said.

Victims included those linked to anti-Assad resistance groups such as the Free Syrian Army, humanitarian workers and activists. Although many were located in Syria, multiple victims were located in neighboring regions such as Lebanon, Jordan and Turkey, the report claimed.

Skype was not the only threat vector. The attackers also maintained a Facebook profile of the same female avatar, containing pro-opposition content loaded with malicious links.

FireEye continued:

“The malware that the Skype avatars and social media profiles encouraged their victims to download shared the same host server as malware distributed through a website (80.241.223.128) purporting to be supportive of the Syrian opposition. The threat actors used this website to target opposition members interested in news about the conflict.”

It is also likely that the attackers were able to steal a large amount of data from a relatively small number of infected machines, because victims frequently shared computers owing to patchy satellite internet access.

Unlike previous cyber-attacks against anti-Assad groups, this campaign deployed the DarkComet RAT through a multi-stage dropper and also made use of Android malware.

There’s no firm evidence linking the attackers to the Assad regime. However, the group “is capable of acquiring and using a diverse malware arsenal” and may be located outside of Syria – as its C&C servers were, FireEye concluded. 
