October 26, 2016

Hacked Skype accounts used to spread Trojan that spies on Syrian activists

(Credit: EFF)

A new remote access trojan (RAT), known as BlackShades, has been found targeting Syrian activists. The Trojan, which is being distributed via instant messages sent from hacked Skype accounts, contains surveillance capabilities that are being used to spy on anti-regime activists in Syria.

According to the Electronic Frontier Foundation, BlackShades is part of an ongoing campaign that uses social engineering to install surveillance software to spy on Syrian opposition activists. The campaign also includes numerous phishing attacks that attempt to steal YouTube and Facebook login information.

Previous attacks installed versions of the remote access tool DarkComet RAT, which the EFF says send information back to an IP address in Syria. The BlackShades RAT, used in the latest attacks, has keystroke logging and remote screenshot capabilities. The malware is distributed via Skype as a “.pif” file.

The conversation shown in the picture is from the compromised Skype account of an officer of the Free Syrian Army. The sender claims that the link is for an important new video, but in fact it is the Trojan. Later, a friend of the officer asked if his account was safe, but he replied that his account had been compromised.

“EFF urges Syrian activists to be especially cautious when downloading files over the internet, even in links that are purportedly sent by friends,” EFF’s Eva Galperin and Morgan Marquis-Boire wrote. “As members of the Syrian opposition become more savvy in using encryption, satellite networks, and other tools to evade the Assad regime’s extensive internet surveillance capabilities, pro-Syrian-government malware campaigns have increased in frequency and sophistication.”

A more detailed analysis of the Trojan can be found here.