A nasty new piece of malware is now being used in the ongoing conflict in Syria, with the ability to take over an infected computer or steal documents from it.
Computer security firm Trend Micro cited reports that the malware, dubbed DarkComet, is being used against supporters of the Syrian opposition movement.
“The malware used in the attacks reportedly spreads through Skype chats. Once users execute the malware, it connects to a (command and control) server in Syria … which belongs to an IP range assigned to the Syrian Telecommunications Establishment,” Trend Micro said in a blog post.
It noted this could be a response to the opposition’s increasing use of platforms such as Facebook to organize and spread their message.
Other supporters of the regime, such as the “Syrian Electronic Army”, have sought to disrupt the opposition’s activities by defacing websites and spamming Facebook pages.
Trend Micro said DarkComet is considered a widely available Remote Access Trojan (RAT).
It said DarkComet is a full-featured RAT that has the ability to take pictures via webcam, listen in on conversations via a microphone attached to a PC, and gain full control of the infected machine.
“But the features attracting most people using this RAT are the keylogging and file transfer functionality. This way, an attacker can load any files onto the infected machine or even steal documents,” it said.
Trend Micro said DarkComet, created by a coder using the handle DarkCoderSc, is still being developed and version 5 was released last January 15.
“Since the reports of its use in connection with events in Syria, the author of DarkComet has expressed regret and while he will continue developing the RAT, he plans to make a DarkComet detector/remover available to the Syrian people,” Trend Micro said.
Trend Micro said the malware bearing a Facebook icon was reportedly distributed through Skype chats.
One sample, which Trend Micro detects as BKDR_ZAPCHAST.SG, is DarkComet 5.
But another sample obtained by Trend Micro behaves differently, and involves an initial executable, which is detected by Trend Micro as BKDR_BREUT.A.
This drops two executable files; the first is displayed to the compromised user as a MAC Address Changer tool.
This appears to be a simple decoy: while it is displayed, the second executable connects to a server and downloads another file.
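The two-stage dropper behaviour described above (one executable writes and launches two others; one is a visible decoy, the other beacons out and fetches a file) is something a defender can look for in endpoint telemetry. The following is an added example, not code from Trend Micro or the article; the event schema and the sample events are constructed for illustration and do not match any real EDR or Sysmon format.

```python
# Added example: correlate constructed endpoint events to flag a parent that
# drops two executables, where one child stays quiet (the decoy) and the other
# both opens an outbound connection and writes a new file (the download).
# Event types, field names and all values below are assumed/constructed.
from collections import defaultdict

EVENTS = [  # constructed sample telemetry, not real indicators
    {"type": "file_write", "pid": 100, "image": "chat_invite.exe", "path": "C:\\Temp\\macchanger.exe"},
    {"type": "file_write", "pid": 100, "image": "chat_invite.exe", "path": "C:\\Temp\\svc.exe"},
    {"type": "process", "pid": 101, "ppid": 100, "image": "macchanger.exe"},
    {"type": "process", "pid": 102, "ppid": 100, "image": "svc.exe"},
    {"type": "network", "pid": 102, "dst": "203.0.113.10", "dport": 443},
    {"type": "file_write", "pid": 102, "image": "svc.exe", "path": "C:\\Temp\\update.bin"},
    # benign noise: an installer drops a single helper that never talks out
    {"type": "file_write", "pid": 200, "image": "setup.exe", "path": "C:\\Prog\\helper.exe"},
    {"type": "process", "pid": 201, "ppid": 200, "image": "helper.exe"},
]


def find_decoy_droppers(events):
    """Return pids of parents matching the decoy-plus-downloader pattern."""
    dropped = defaultdict(set)    # parent pid -> executables it wrote
    children = defaultdict(list)  # parent pid -> child pids it spawned
    net = set()                   # pids with any outbound connection
    writes = defaultdict(int)     # pid -> number of files written
    for e in events:
        if e["type"] == "file_write":
            writes[e["pid"]] += 1
            if e["path"].lower().endswith(".exe"):
                dropped[e["pid"]].add(e["path"])
        elif e["type"] == "process":
            children[e["ppid"]].append(e["pid"])
        elif e["type"] == "network":
            net.add(e["pid"])

    flagged = []
    for parent, exes in dropped.items():
        kids = children.get(parent, [])
        if len(exes) < 2 or len(kids) < 2:
            continue  # a single dropped helper is ordinary installer behaviour
        quiet = [c for c in kids if c not in net]
        downloader = [c for c in kids if c in net and writes[c] > 0]
        if quiet and downloader:
            flagged.append(parent)
    return flagged


if __name__ == "__main__":
    print("suspicious parents:", find_decoy_droppers(EVENTS))  # [100]
```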
“These developments illustrate that targeted attacks can be conducted with widely available DIY malware tools. These tools possess all the ‘complex’ functionality attackers need to compromise their targets,” Trend Micro said.