Syrian Malware Is On The Rise, Warns Kaspersky

As the civil war in Syria enters its fourth year, cyber warfare shows no sign of abating

The number of cyber attacks against Internet users in Syria is growing, with organised groups relying on increasingly sophisticated strains of malware to target media agencies, activists and dissidents, warns Russian security vendor Kaspersky Lab.

According to a report by Kaspersky’s Global Research & Analysis Team (GReAT), groups from both sides of the civil war are using advanced social engineering techniques, modifying legitimate apps and obfuscating their code in order to infect target machines with Remote Access Tools (RATs) such as the ‘Dark Comet’.

The company says people should be extra careful when they access online material that relates to the conflict.

Way back in 2012, F-Secure reported that the Syrian government had used social engineering and RATs to infect activist systems with surveillance tools.

Information warfare

While conducting the study, GReAT discovered 110 different malicious files used in attacks against targets in Syria and the region – a “dramatic” increase over the last year. The team believes that the number of victims exceeds 10,000, with some of these files being downloaded more than 2000 times.

RATs can give the attacker complete control over the target system – they can log every keystroke, activate the microphone and webcam, steal any type of data and launch additional malicious apps. Such tools are being distributed in Syria through a variety of methods.

For example, GReAT found a RAT which is launched when users try to access the ‘National Security Program’, a fake application that allegedly holds the names of all the people wanted by the Syrian state. A link to another heavily obfuscated malware package was hiding in a description for a YouTube video showing disturbing images of the conflict.

Another method of getting a system compromised is through ‘Ammazon Internet Security’ (sic), a completely fake security application that seems to be modelled on Windows Defender, and leaves the victims’ computers with no protection and a RAT installed.

Malware can also piggyback on top of legitimate applications – for example, GReAT discovered an infected version of the Total Network Monitor software, which is often used by activists to secure their communications and escape surveillance, and thus presents the perfect targeting mechanism. Repackaged apps for Smart Firewall, SSH VPN, and the encrypted messaging apps WhatsApp and Viber have also been spotted carrying malware.

Most of the attackers’ command and control centres were tracked to IP addresses in Syria, Russia, Lebanon, the US and Brazil.

“A combination of factors – social engineering, rapid app development and remote administration tools for taking over the victim’s entire system – creates a worrying scenario for unsuspecting users,” said Ghareeb Saad, senior security researcher at GReAT, Kaspersky Lab.

“We expect attacks by Syrian malware to continue and evolve both in quality and quantity. Therefore, users should be especially careful of suspicious links, double-check their downloads and have a reliable and comprehensive security solution installed.”
