January 17, 2018

Syrian Malware Team Disguises Downloads to Take Over PCs

In a recent blog post, network security vendor FireEye reported that the hacker group Syrian Malware Team (SMT) has released an updated version of BlackWorm designed to infiltrate western news organizations and sites known to be frequented by anti-Syria activists.

The BlackWorm variant belongs to a class of malware called a remote access trojan (RAT). It is designed to obtain control over remote systems, giving attackers access to the file system, control of the computer, and even the ability to damage the hardware by over-clocking.

"BlackWorm v2.1 has the same abilities as the original version and additional functionality, including bypassing User Account Control (UAC), disabling host firewalls and spreading over network shares. Unlike its predecessor, it also allows for granular control of the features available within the RAT. These additional controls allow the RAT user to enable and disable features as needed," Wilhoit and Haq write.

One common method the group uses to hide the malware is a cleverly disguised GUI labelled with popular vendor names, which tricks non-technical people into clicking links that install the malicious payload. The SMT is targeting popular social media sites and chat services used by anti-Syria activists, including Facebook and YouTube. The malware links are disguised as popular applications such as WhatsApp or Viber and posted in the comments of feeds to target these activists.

SMT also uses social engineering, posting comments on social media sites with keywords such as "scandals" and "shocking disturbing" to entice people to click the links. While most of the downloads can be identified by up-to-date antivirus applications, the sophistication and structure of the download methods show advanced manipulation designed to avoid detection.

While malware and hacking are not unique, the targets, methods and sponsorship of this latest BlackWorm variant are. According to FireEye, the SMT does not appear to have a direct connection to the Syrian government even though it is pro-Syria; however, the group does appear to have ties to the Syrian Electronic Army, whose place in the Syrian government structure has not been officially identified. While the Syrian Electronic Army has been largely public about its efforts in the hacking community, including hacks on the Twitter accounts of Reuters and the Associated Press, as well as redirects of websites for the New York Post and CNN, the SMT has been largely unknown until now.
