The use of remote surveillance software against activists has been a feature of the ongoing conflict in Syria. In February 2012, CNN reported that “Computer spyware is the newest weapon in the Syrian conflict”. Since then numerous electronic campaigns targeting Syrian activists have been observed. These have included: a phishing campaign involving the compromise of a high profile Syrian opposition figure; malware targeting activists by claiming to be documents regarding the foundation of a Syrian revolution leadership council; and, malware purporting to be a plan to assist the city of Aleppo.
The majority of these attacks have involved the use of Dark Comet RAT. Remote Administration Tools (RAT) provide the ability to remotely survey the electronic activities of a victim by keylogging, remote desktop viewing, webcam spying, audio-eavesdropping, data exfiltration, and more.
The use of Dark Comet in this conflict has been well documented. This RAT was the toolkit used in the malware reported on by CNN and also in the campaigns using fraudulent revolutionary documents.
Today, the EFF and Citizen Lab report on the use of a new toolkit by a previously observed attacker. This actor has been circulating malware which surreptitiously installs BlackShades RAT on victims machines. This RAT is a commercial tool which advertises the following:
“Blackshades Remote Controller also provides as an efficient way of turning your machine into a surveillance/spy-device or to spy on a specific system.”
It is being distributed via the compromised Skype accounts of Syrian activists in the form of a “.pif” file purporting to be an important new video.