New malware-based attacks hit opponents in Syria and all over the world

Security experts at Kaspersky's Global Research & Analysis Team have discovered several malware-based attacks targeting opponents of the Regime in Syria.

Malware is the most widespread cyber threat used by governments to track opponents and foreign governments; in the past, security experts have already detected malicious code targeting individuals opposed to the regime of Bashar al Assad.

A new report issued by the Global Research & Analysis Team (GReAT) at Kaspersky Lab documents a series of targeted malware-based attacks against opponents of the Syrian Government as the civil war in the country goes on.

“The Global Research & Analysis Team (GReAT) at Kaspersky Lab has discovered new malware attacks in Syria, using some techniques to hide and operate malware, in addition to proficient social engineering tricks to deliver malware by tricking and tempting victims to open and launch malicious files. The malware files were found on activist sites and social networking forums, some other files were also reported by local organizations like CyberArabs and Technicians for Freedom.” said a blog post published on SecureList.

Several strains of malware, mainly RATs (remote administration Trojans), were detected on websites and social media channels used by activists in Syria. According to Kaspersky Lab researchers, groups that support the policy of President Assad are relying on social engineering to spread malicious code and infect opponents’ PCs.

As explained by the researchers, the attackers are becoming more organized and the attacks even more complex.

“The threat actors are becoming more organized, the number of attacks is increasing and the samples being used are becoming more sophisticated, while also relying extensively on powerful social engineering tricks that many people fall for.” states the report.

The attackers deceived victims with fake documents containing the names of individuals wanted by the regime or evidence of chemical weapons use by the Syrian Regime. The documents are infected with RATs that let the attackers control the victims' computers.

The bad actors behind the campaign also used videos published on YouTube related to the civil war in Syria; the videos encourage users to download fake, trojanized versions of popular applications like WhatsApp and Viber.

The experts have detected 110 distinct malicious files, 20 domains and 47 IP addresses associated with the campaign which hit opponents in Syria.

The attackers infect victims’ machines to steal various data, including login credentials for web services like social networks and communication channels like Skype; access to those systems gives the bad actors a further way to spread the malware. It is interesting to note that the attackers always offer victims security tools for their protection; in reality they deploy applications compromised with RATs.

“Total Network Monitor (which is a legitimate application) is inside another sample found, being used with embedded malware for spying purposes.” “Offering security applications to protect against surveillance is one of the many techniques used by malware writing groups to get users desperate for privacy to execute these dubious programs.” the researchers write.

Victims of the hacking campaign are mainly based in Syria, but experts also uncovered attacks on individuals outside the country:

  1. Turkey
  2. Saudi Arabia
  3. Lebanon
  4. Palestine
  5. United Arab Emirates
  6. Israel
  7. Morocco
  8. France
  9. United States

How effective are the cyber attacks?

According to the researchers at Kaspersky, the number of victims could be greater than 10,000; what is certain is that the malware detected in the investigation has been downloaded more than 2,000 times.

Take a look at the full report.

Pierluigi Paganini

(Security Affairs – Syria, RAT)  

 

 
