Syrian activists targeted with RATs

Mikko Hypponen at F-Secure has described the analysis of a hard disk image sent to his company by a ‘contact’ in Syria. It was found to contain a file called silvia.exe, which was actually Xtreme RAT, a commercially available remote access tool. Such tools are valid remote control devices when installed openly, but backdoor trojans when installed covertly.

The infection occurred via standard social engineering. The activist received a Skype message from a trusted colleague offering a file called MACAddressChanger.exe. This, says Hypponen, “was supposed to change the hardware MAC address of the system in order to bypass some monitoring tools.” Instead, it installed the RAT which, on analysis by F-Secure, was found to report back to an IP address controlled by the Syrian Telecommunications Establishment (STE), a company that is, according to Wikipedia, "affiliated with the government of Syria."

The activist became suspicious, and contacted F-Secure, when he realized that the colleague in question had been under detention by the Syrian authorities at the time of the Skype message. But this is not the first example of such infections. On 5 March, the Electronic Frontier Foundation reported that it had seen reports “of a Trojan called Darkcomet RAT on computers belonging to Syrian activists which would capture webcam activity, disable the notification setting for certain antivirus programs, record key strokes, steal passwords, and more...” The author, Eva Galperin, added that, “Now we've seen reports of new malware, Xtreme RAT, which sends data back to the same address in Syrian IP space and whose release appears to predate the Darkcomet RAT Trojan.”

Galperin separately wrote, “It is worth pointing out that while the IP address that these attacks send their data to is located in Syrian IP space, that is far from proving that this is a Syrian government attack. EFF characterizes the people behind these malware campaigns as ‘pro-Syrian-government’ attackers.” However, a common precursor to the attacks is the arrest or detention of the activist who infects the colleague via social engineering.

Galperin’s report goes on to describe how difficult it is to cleanse a system that has been infected with a RAT. She gives a detailed guide on how to remove the basic file, but adds, “There is no guarantee that the attacker has not installed additional malicious software while in control of the machine... the safest course of action is to re-install the OS on your computer.”
