Second Pro-Government Hacking Group ‘Syrian Malware Team’ Uncovered


Security researchers have spotted what they believe to be a second pro-al Assad hacking group, dubbed the Syrian Malware Team, using a .NET RAT to attack targets.

FireEye threat intelligence bods Kyle Wilhoit and Thoufique Haq wrote in a blog post that the group has been active at least as far back as early 2011 and appears to still be active, posting to its official Facebook page as recently as July 16 this year.

“The Syrian Malware Team is largely pro-Syrian government, as seen in one of their banners featuring Syrian President Bashar al-Assad. Based on the sentiments publicly expressed by this group it is likely that they are either directly or indirectly involved with the Syrian government,” the duo wrote.

“Further, certain members of the Syrian Malware Team have ties to the Syrian Electronic Army (SEA), known to be linked to the Syrian government. This indicates that the Syrian Malware Team may also be possibly an offshoot or part of the SEA.”

The group’s members, whom FireEye tracked on Facebook posting “malware-related items,” profile targets and orchestrate attacks, the vendor said.

They have also been observed using version 2.1 of the BlackWorm RAT, called “Dark Edition.”

BlackWorm was apparently co-authored by Kuwaiti Naser Al Mutairi (“njq8”) and “Black Mafia” and then enhanced by another malware author, “Black.Hacker.”

“BlackWorm v2.1 has the same abilities as the original version and additional functionality, including bypassing UAC, disabling host firewalls and spreading over network shares,” said FireEye.

“Unlike its predecessor, it also allows for granular control of the features available within the RAT. These additional controls allow the RAT user to enable and disable features as needed. Binary output can also be generated in multiple formats, such as .exe, .src and .dll.”

After analyzing samples of Dark Edition BlackWorm, Wilhoit and Haq found the strings “Syrian Malware” or “Syrian Malware Team” often used in C&C comms or inside the binary strings.

This intelligence was used to link the group to multiple additional malware runs, FireEye said.
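The string-based linking described above can be turned into a simple triage check. The following is an added example, not code from the article or from FireEye: it scans a file for the two strings the researchers reported, in both ASCII and UTF-16LE, because a .NET binary stores its user strings as UTF-16LE, so an ASCII-only search would only catch copies sent in clear text over the C&C channel. The sample bytes are constructed for the example, not real malware.

```python
import re

# Indicator strings the article quotes from FireEye's analysis. Everything
# else here (byte layouts, the sample blob) is constructed for this example.
_ENCODINGS = ("ascii", "utf-16-le")

def _pattern(enc: str) -> re.Pattern:
    # "Syrian Malware" with an optional " Team" suffix, in one encoding.
    base = re.escape("Syrian Malware".encode(enc))
    tail = re.escape(" Team".encode(enc))
    return re.compile(base + b"(?:" + tail + b")?", re.IGNORECASE)

_PATTERNS = {enc: _pattern(enc) for enc in _ENCODINGS}

def find_indicators(data: bytes) -> list:
    """Return (encoding, text, offset) for every hit, ordered by offset.

    A managed (.NET) assembly keeps its user strings as UTF-16LE in the
    #US metadata heap, so the UTF-16LE pass is what finds strings embedded
    in the RAT itself; the ASCII pass covers plain-text C&C traffic.
    """
    hits = []
    for enc, pat in _PATTERNS.items():
        for m in pat.finditer(data):
            hits.append((enc, m.group().decode(enc), m.start()))
    return sorted(hits, key=lambda h: h[2])

def is_suspect(data: bytes) -> bool:
    # True if any attribution string is present in either encoding.
    return bool(find_indicators(data))

# Constructed sample: a fake file header, an ASCII copy of the string as it
# might appear in a captured C&C request, and a UTF-16LE copy as a .NET
# assembly would store it.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"POST /checkin HTTP/1.1\r\nUser-Agent: Syrian Malware Team\r\n"
    + b"\x00" * 8
    + "Syrian Malware".encode("utf-16-le")
    + b"\x00" * 8
)

if __name__ == "__main__":
    for enc, text, off in find_indicators(SAMPLE):
        print(f"{off:#06x} {enc:10} {text!r}")
```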

The Syrian Malware Team appears to have operated for some time in the region under the radar, while its more famous counterpart, the Syrian Electronic Army, made headlines around the world with high-profile hacks, including those targeting the Twitter accounts of AP, The Onion and ITV News.
