Syrian Hackers Ramp Up RAT Attacks

Security researchers have uncovered evidence of escalating cyber attacks emanating from Syria which use tried and tested techniques to download remote access trojans (RATs) onto victim PCs.

Kaspersky Lab said the attacks are typically launched via social networking platforms, YouTube, email and Skype.

They often use social engineering techniques to trick the victim into downloading the malware.

This could be hidden in an email attachment supposedly detailing plans by the Assad regime to launch chemical attacks; fake Whatsapp and Viber apps; or fake anti-virus programs.

It seems that the attackers are trying to exploit users’ fear of government surveillance in the war torn state, by creating Skype messages and Facebook posts warning of cyber attacks which themselves include malicious links to the fake AV downloads.

So far the main targets appear to be activist groups and normal citizens of Syria, although victims have been reported in several other countries in the Middle East plus France, the US, Morocco and Turkey.

“The attackers' command and control centers were tracked to IP addresses in Syria, Russia, Lebanon, the US and Brazil,” the report noted.

“We believe the number of victims exceeds 10,000, with some of the files being downloaded more than 2000 times. The attackers' malware samples and variations have increased dramatically from only a few in Q1 2013 to around 40 in Q2 2014.”

The RAT malware itself is capable of fully compromising victim machines, enabling the attackers to remotely turn on the camera and microphone to snoop on users.

Kaspersky Lab declined to speculate as to the identity of the attackers, but there appear to be three groups involved.

These are “Team Hacker and Assad Penetrations Unit”; “Anonymous Syria Al Assad Unit”; and “Management of Electronic Monitoring and Central Tracking Unit”.

The Middle East and North Africa (MENA) region has amongst the highest rates of RAT attacks in the world, with Algeria topping the list from 2013-2014, the report said.

"We expect these attacks to continue and evolve both in quality and quantity. We expect the attackers to start using more advanced techniques to distribute their malware, using malicious documents or drive-by download exploits,” it concluded.

“With enough funding and motivation they might also be able to get access to zero day vulnerabilities, which will make their attacks more effective and allow them to target more sensitive or high profile victims.”

With enough funding and motivation they might also be able to get access to zero day vulnerabilities, which will make their attacks more effectiveKaspersky Lab

What’s Hot on Infosecurity Magazine?