Cybercriminals are exploiting the Syrian civil war to create and distribute malware that can access computer users' data, Kaspersky Lab said.
Syrian malware relies heavily on social engineering and leveraging trust in order to achieve rapid propagation and infection, the anti-virus and Internet security software company said in a statement.
The malware is disguised in different ways, including fake antivirus scanners, social messaging apps, Trojan-embedded legitimate system utilities, downloads in social networks and free public file-sharing services.
Malware was distributed on social networking sites to gain control of systems and steal credentials, a Flash 0day (CVE-2014-0515) was found on a number of Syrian sites that had been attacked months earlier, and the DarkComet RAT developer retired the popular tool after reports of it being used extensively in Syria.
In the samples analyzed, the cybercriminals usually attempted to achieve complete system monitoring with the help of the infamous remote administration tool (RAT) Dark Comet, which not only sends every key stroke almost instantly to a remote server but also leaves the infected system vulnerable to exploit by the attackers.
The use of high-level programming languages means the malware writers can easily modify their creations, making it possible to test new malicious campaigns with minimal effort and to craft targeted attacks in no time. Syrian malware has also been evolving, and shows no sign of abating any time soon.
Cybercriminals make widespread use of disturbing videos to grab users' attention and spread malware.
One example of this was a video showing the injured victims of a recent bombing that was used to strike fear into viewers and make them download a malicious app from a public file sharing website.
The file proved to be heavily obfuscated with the commercial utility "MaxToCode" in order to avoid early detection by antivirus solutions.
After execution, however, another executable file was created that communicates with the remote access tool.
The Trojan in this case is used to disable parts of the security setup, save all the key strokes and system information, and resend it when an Internet connection is made.
Among the malware samples reviewed by Kaspersky Lab was a compressed set of files found in a popular social networking site that allegedly listed activists and wanted individuals in Syria.
The download link for the database application was included in the information section of a video, and redirected users to a file sharing service where the file was hosted. The compressed RAR file contained malicious software with a remote administration tool used by the cybercriminals.
Fake applications including fake antiviruses are popular among cybercriminals. Calculators, game loaders, and more, are used to spread malware.
One such example is "Ammazon Internet Security", a malicious application that tries to mimic a security scanner.
Analysis of the code revealed a lot of functionality linked to the user interface, but no real security features. With nothing more than a couple of buttons and a catchy name, the Syrian malware groups are hoping the intended victims will fall into their trap.
The silent execution of a remote administration tool while the "security suite" is launched leaves the victims' computers with no protection and a RAT installed.
Instant messaging applications for desktop operating systems are among the tools used to spread malicious programs and Syrian malware authors take advantage of these as well.
In contrast to "Ammazon Internet Security", these samples don't have a graphical user interface or even a message warning the user to worry about their security; they move directly to infect the system.
The research showed that even legitimate applications are being used with embedded malware to spy on Syrian citizens.
Offering security applications that protect against surveillance is one of the many techniques used by malware writing groups to get users desperate for privacy to execute these dubious programs.
One example is a version of the Total Network Monitor software modified by cybercriminals to dump system information while hiding all malicious activity until the "legitimate" tool is completely installed.
Understanding the trap
Syrian malware relies heavily on social engineering and the active development of more technologically complex malicious variants.
Nevertheless, most of them quickly reveal their true nature when inspected closely, and that's one of the main reasons for urging Syrian users to double check the source of their downloads and to implement a layered defense approach.
Having an up-to-date, genuine antivirus and firewall should be the first measure implemented by users who perform any type of online activity, especially during these uncertain times when new cyber threats are appearing almost daily.
Antivirus software utilizes either signature or heuristic-based detection to identify malware.
Signature detection involves a search for a unique sequence of bytes that is specific to a piece of malicious code, while heuristic detection identifies malware based on program behavior.
In Kaspersky Lab's research more than 80 malware samples used to attack Syrian citizens and Middle East users were collected.
Although most of these were already known, cybercriminals rely on a wide range of obfuscation tools and techniques in order to change the malware structure and bypass signature detection.
This proves how critical heuristic technologies are when it comes to protecting against these types of attacks. Kaspersky Lab's security solutions detected all the samples in the collection thanks to their ability to identify variants of known malware types or even new malware families.
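The following toy scanner, added here as an illustration and not Kaspersky Lab's code or any real product's detection logic, shows the difference the two paragraphs above draw between signature detection and heuristic detection, and why re-packing a known sample defeats the former but not the latter. The "signature", the byte samples, the XOR "packer", and the recorded behaviours (keystroke hooking, disabling a security product, an outbound connection at start-up, dropping a second executable, as described for the Dark Comet samples on this page) are all constructed for the demonstration; the heuristic weights and threshold are assumptions, not values from any product.

```python
"""Toy signature-vs-heuristic detector (added example, constructed data)."""
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed signature database: a byte sequence unique to one known
# (fictional) sample. Real signatures are longer and chosen more carefully.
KNOWN_SIGNATURES: Dict[str, bytes] = {
    "Constructed.Keylogger.A": b"\x4b\x45\x59\x4c\x4f\x47",  # the ASCII bytes "KEYLOG"
}


def signature_scan(data: bytes) -> Optional[str]:
    """Return the matching signature name, or None if no known byte pattern is present."""
    for name, pattern in KNOWN_SIGNATURES.items():
        if pattern in data:
            return name
    return None


def repack(data: bytes, key: int) -> bytes:
    """Stand-in for an obfuscation/packing tool: changes the file's byte structure
    (here a single-byte XOR) without changing what the program does at runtime."""
    return bytes(b ^ key for b in data)


@dataclass
class ObservedBehaviour:
    """What a behaviour monitor or sandbox would record while the program runs (constructed)."""
    hooks_keyboard: bool = False
    disables_security_product: bool = False
    contacts_remote_host_on_start: bool = False
    writes_second_stage_executable: bool = False
    sets_autorun: bool = False


# Assumed weights: actions that are rarely legitimate score higher. A single
# weak indicator (e.g. an updater contacting its server) stays below threshold.
HEURISTIC_WEIGHTS: Dict[str, int] = {
    "hooks_keyboard": 3,
    "disables_security_product": 4,
    "contacts_remote_host_on_start": 2,
    "writes_second_stage_executable": 2,
    "sets_autorun": 1,
}
HEURISTIC_THRESHOLD = 5  # assumed cut-off for this toy


def heuristic_score(beh: ObservedBehaviour) -> int:
    """Sum the weights of every observed behaviour indicator."""
    return sum(w for name, w in HEURISTIC_WEIGHTS.items() if getattr(beh, name))


def heuristic_scan(beh: ObservedBehaviour) -> bool:
    """Flag the program if its behaviour score reaches the threshold."""
    return heuristic_score(beh) >= HEURISTIC_THRESHOLD


def classify(data: bytes, beh: ObservedBehaviour) -> Dict[str, object]:
    """Layered verdict: either detection layer is enough to flag the sample."""
    sig = signature_scan(data)
    heur = heuristic_scan(beh)
    return {"signature": sig, "heuristic": heur, "malicious": sig is not None or heur}


# Constructed samples. ORIGINAL_SAMPLE carries the known byte pattern; the
# repacked variant has identical runtime behaviour but different bytes.
ORIGINAL_SAMPLE = b"MZ\x90\x00 constructed header ... KEYLOG ... payload"
REPACKED_SAMPLE = repack(ORIGINAL_SAMPLE, 0x5A)
RAT_BEHAVIOUR = ObservedBehaviour(
    hooks_keyboard=True,
    disables_security_product=True,
    contacts_remote_host_on_start=True,
    writes_second_stage_executable=True,
)

# A benign auto-updating tool: talks to its server at start and sets autorun, nothing else.
BENIGN_SAMPLE = b"MZ\x90\x00 constructed header ... ordinary updater code"
BENIGN_BEHAVIOUR = ObservedBehaviour(contacts_remote_host_on_start=True, sets_autorun=True)

if __name__ == "__main__":
    print("original :", classify(ORIGINAL_SAMPLE, RAT_BEHAVIOUR))
    print("repacked :", classify(REPACKED_SAMPLE, RAT_BEHAVIOUR))
    print("benign   :", classify(BENIGN_SAMPLE, BENIGN_BEHAVIOUR))
```

Running it shows the original sample caught by both layers, the repacked copy missed by the signature layer but still flagged by behaviour, and the benign updater left alone because its two weak indicators do not reach the threshold. The threshold is where the false-positive trade-off lives: set it too low and ordinary software that phones home gets flagged, set it too high and a RAT that only hooks the keyboard slips through.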