<<<
Thursday, May 3, 2012
>>>
 
Targeted Attacks in Syria Posted by Mikko @ 12:19 GMT

Syria has been the center of much international attention lately. There's unrest in the country and the authoritarian government is using brutal tactics against dissidents. These tactics include using technology surveillance, trojans and backdoors.

Some time ago we received a hard drive via a contact. The drive had an image of the system of a Syrian activist who had been targeted by the local authorities.

Syria

The activist's system had become infected as a result of a Skype chat. The chat request came from a fellow activist. The problem was that the fellow activist had already been arrested and could not have started the chat.

Initial infection occurred when the activist accepted a file called MACAddressChanger.exe over the chat. This utility was supposed to change the hardware MAC address of the system in order to bypass some monitoring tools. Instead, it dropped a file called silvia.exe which was a backdoor — a backdoor called "Xtreme RAT".

Xtreme Rat is a full-blown malicious Remote Access Tool.

Sold for 100 euro (Paypal) via a page hosted at Google Sites: https://sites.google.com/site/nxtremerat

Xtremerat

We have reasons to believe this infection wasn't just bad luck. We believe the activist's computer was specifically targeted. In any case, the backdoor calls home to the IP address 216.6.0.28. This IP block belongs to Syrian Arab Republic — STE (syrian Telecommunications Establishment).

This would not have been the first case of using trojans for such purposes in Syria, either.

See these references for similar cases in the past:

http://cnn.com/2012-02-17/tech/tech_web_computer-virus-syria_1_opposition-activists-computer-viruses-syrian-town

http://blogs.norman.com/2012/security-research/the-syrian-spyware

http://resources.infosecinstitute.com/darkcomet-analysis-syria/
(includes an interview with the author of another RAT used in similar attack)

SHA-1 hashes of the samples in question:

  •  2c938f4e85d53aa23e9af39085d1199e138618b6
  •  a07209729e6f93e80fb116f18f746aad4b7400c5






<<< Oxford Muses on Mac Flashback: Worst Outbreak Since Blaster
|
Yet Another SQL Injection Attack >>>