The geopolitical conflicts of the Middle East have deepened in the last few years, particularly in Syria. The cyberspace conflict there is intensifying as sides try to tip the struggle in their favor by exploiting cyber intelligence and making use of obfuscation. Kaspersky Lab’s latest threat research has unveiled a whole range of malware related to Syria, using a variety of techniques including sophisticated social engineering tricks. Even though new malicious samples appear every day, users should have an understanding of these techniques and tools currently being used to target users in the Middle East and especially Syrian citizens.
“A combination of factors – social engineering, rapid app development and remote administration tools for taking over the victim’s entire system – creates a worrying scenario for unsuspecting users. We expect attacks by Syrian malware to continue and evolve both in quality and quantity. Therefore, users should be especially careful of suspicious links, double check their download and have a reliable and comprehensive security solution installed,” said Ghareeb Saad, Senior Security Researcher, Global Research & Analysis Team at Kaspersky Lab.
The last few years have thrown cyber attacks in Syria to the fore, with lots of activity in cyberspace linked to the country. The Syrian Electronic Army, a group of computer hackers, has been linked to attacks on high-profile organizations, including many media resources. Malware was distributed on social networking sites to gain control of systems and steal credentials, a Flash 0day (CVE-2014-0515) was found on a number of Syrian sites that had been attacked months earlier, and the DarkComet RAT developer retired the popular tool after reports of it being used extensively in Syria.
Kaspersky Lab’s research shows that cybercriminals are exploiting the situation in the region to create a multitude of malware capable of accessing users’ data. Syrian malware relies heavily on social engineering and leveraging trust in order to achieve rapid propagation and infection. The malware is disguised in different ways, including fake antivirus scanners, social messaging apps, Trojan-embedded legitimate system utilities, downloads in social networks and free public file-sharing services.
In the samples analysed, the cybercriminals usually attempted to achieve complete system monitoring with the help of the infamous remote administration tool (RAT) Dark Comet, which not only sends every key stroke almost instantly to a remote server but also leaves the infected system vulnerable to exploit by the attackers. The use of high-level programming languages means the malware writers can easily modify their creations, making it possible to test new malicious campaigns with minimal effort and to craft targeted attacks in no time. Syrian malware has also been evolving, and shows no sign of abating any time soon.
Cybercriminals make widespread use of disturbing videos to grab users’ attention and spread malware. One example of this was a video showing the injured victims of a recent bombing that was used to strike fear into viewers and make them download a malicious app from a public file sharing website. The file proved to be heavily obfuscated with the commercial utility “MaxToCode” in order to avoid early detection by antivirus solutions. After execution, however, another executable file was created that communicates with the remote access tool. The Trojan in this case is used to disable parts of the security setup, save all the key strokes and system information, and resend it when an Internet connection is made.
Among the malware samples reviewed by Kaspersky Lab was a compressed set of files found in a popular social networking site that allegedly listed activists and wanted individuals in Syria. The download link for the database application was included in the information section of a video, and redirected users to a file sharing service where the file was hosted. The compressed RAR file contained malicious software with a remote administration tool used by the cybercriminals.
Fake applications including fake ant viruses are popular among cybercriminals. Calculators, game loaders, and more, are used to spread malware. One such example is “Ammazon Internet Security” – a malicious application that tries to mimic a security scanner. Analysis of the code revealed a lot of functionality linked to user interface, but no real security features. With nothing more than a couple of buttons and a catchy name, the Syrian malware groups are hoping the intended victims will fall into their trap. The silent execution of a remote administration tool while the “security suite” is launched leaves the victims’ computers with no protection and an RAT installed.
Instant messaging applications for desktop operating systems are among the tools used to spread malicious programs and Syrian malware authors take advantage of these as well. In contrast to “Ammazon Internet Security”, these samples don’t have a graphical user interface or even a message warning the user to worry about their security; they move directly to infect the system.
The research showed that even legitimate applications are being used with embedded malware to spy on Syrian citizens. Offering security applications that protect against surveillance is one of the many techniques used by malware writing groups to get users desperate for privacy to execute these dubious programs. One example is a version of the Total Network Monitor software modified by cybercriminals to dump system information while hiding all malicious activity until the “legitimate” tool is completely installed.
Understanding the trap
Syrian malware relies heavily on social engineering and the active development of more technologically complex malicious variants. Nevertheless, most of them quickly reveal their true nature when inspected closely and that’s one of the main reasons for urging Syrian users to double check the source of their downloads and to implement a layered defence approach. Having an up-to-date, genuine antivirus and firewall should be the first measure implemented by users who perform any type of online activity, especially during these uncertain times when new cyber threats are appearing almost daily.
Antivirus software utilizes either signature or heuristic-based detection to identify malware. Signature detection involves a search for a unique sequence of bytes that is specific to a piece of malicious code, while heuristic detection identifies malware based on program behaviour. In Kaspersky Lab’s research more than 80 malware samples used to attack Syrian citizens and Middle East users were collected. Although most of these were already known, cybercriminals rely on a wide range of obfuscation tools and techniques in order to change the malware structure and bypass signature detection. This proves how critical heuristic technologies are when it comes to protecting against these types of attacks. Kaspersky Lab’s security solutions detected all the samples in the collection thanks to their ability to identify variants of known malware types or even new malware families.