
DarkComet Surfaced in the Targeted Attacks in Syrian Conflict

  • Posted on: February 23, 2012 at 7:24 pm
  • Posted in: Malware
  • Author: Kevin Stevens and Nart Villeneuve (Senior Threat Researchers)

The Internet has played a significant role in the current conflict in Syria. The opposition has made increasing use of platforms such as Facebook to organize and spread their message. In response, supporters of the regime like the “Syrian Electronic Army” have sought to disrupt these activities by defacing websites and spamming Facebook pages. Recently, this conflict took on a new dimension with reports that suggested targeted malware attacks were being used against supporters of the Syrian opposition movement.

Dark Comet RAT Used as “Syrian Spyware”

The malware used in the attacks reportedly spreads through Skype chats. Once users execute the malware, it connects to a C&C (command and control) server in Syria at {BLOCKED}.{BLOCKED}.0.28, which belongs to an IP range assigned to the Syrian Telecommunications Establishment. While the malware has been described as “complex” and “invisible”, it turns out that it is the widely available Remote Access Trojan (RAT) known as Dark Comet.

In our analysis, which confirms an earlier investigation by Telecomix, we found that the samples connecting to {BLOCKED}.{BLOCKED}.0.28 are instances of the DarkComet RAT versions 3.3 and 5. However, some samples are “downloaders” that connect to this same IP address via HTTP and download an encrypted “Update.bin” file, which is then decrypted and executed. The payload is the actual DarkComet RAT.

DarkComet is a full-featured RAT that can take pictures via a webcam, listen in on conversations via a microphone attached to the PC, and gain full control of the infected machine. The features that attract most users of this RAT, however, are its keylogging and file transfer functionality, which let an attacker load arbitrary files onto the infected machine or steal documents from it.

DarkComet is still being developed, and version 5 was released last January 15. It was created by a coder using the handle DarkCoderSc and was first written in 2008. Since the reports of its use in connection with events in Syria, the author of DarkComet has expressed regret; while he will continue developing the RAT, he plans to make a DarkComet detector/remover available to the Syrian people.

Sample 1: Direct DarkComet download

The malware bearing a Facebook icon mentioned in the CNN article was reportedly distributed through Skype chats. This sample, which Trend Micro detects as BKDR_ZAPCHAST.SG, is DarkComet 5 and connects to {BLOCKED}.{BLOCKED}.0.28 on port 885. During our tests, we redirected the traffic from our test machine to another machine on which we were running the DarkComet 5 client. In doing so, we were able to obtain full control over our test machine.

Sample 2: DarkComet as second-stage malware

Another sample we obtained behaves differently. The initial executable, which Trend Micro detects as BKDR_BREUT.A, drops two executable files. The first file is displayed to the compromised user as a Mac Address Changer tool.

This appears to be a simple decoy: while it is displayed, the second executable connects to {BLOCKED}.6{BLOCKED}.0.28 over HTTP and downloads another file.

The downloaded file is actually an earlier version of DarkComet (version 3.3), which connects to {BLOCKED}.{BLOCKED}.0.28 on port 778. Again, we redirected the network traffic from our test machine to another test machine running DarkComet 3.3, and we gained full control over the compromised machine.

To date, we have analyzed 10 samples that connect to the same IP address and display this type of functionality. While some are “downloaders” that display various decoy images (instead of the Mac Address Changer, see analysis of other samples here), the ultimate payload in these attacks is either DarkComet RAT version 3.3 or version 5.
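One way a defender could hunt for both delivery patterns described above (a direct connection on the DarkComet 5 or 3.3 port, or an HTTP fetch of Update.bin followed by such a connection) in connection logs, as an added example that is not from the original post or Trend Micro's tooling: the log line format, the 203.0.113.28 stand-in for the redacted C&C address, and the sample lines are all constructed for this illustration.

```python
import re

# Placeholder for the post's redacted C&C address {BLOCKED}.{BLOCKED}.0.28; 203.0.113.0/24 is
# reserved for documentation, so this value never matches real traffic until replaced.
CNC_IP = "203.0.113.28"
RAT_PORTS = {885: "DarkComet 5", 778: "DarkComet 3.3"}   # ports from Sample 1 and Sample 2
UPDATE_BIN = re.compile(r"\bGET\s+\S*Update\.bin\b", re.IGNORECASE)


def parse_line(line):
    """Split one constructed log line: '<ts> <src> <dst> <dst_port> <proto> <detail...>'."""
    ts, src, dst, port, proto, detail = line.split(maxsplit=5)
    return {"ts": ts, "src": src, "dst": dst, "port": int(port), "proto": proto, "detail": detail}


def detect(lines, cnc_ip=CNC_IP):
    """Return (source_host, finding) pairs for traffic matching the two delivery patterns."""
    findings = []
    downloaders = set()          # hosts that already pulled Update.bin over HTTP
    for line in lines:
        ev = parse_line(line)
        if ev["dst"] != cnc_ip:  # both patterns require the known C&C address as destination
            continue
        if ev["port"] in RAT_PORTS:
            stage = "second-stage" if ev["src"] in downloaders else "direct"
            findings.append((ev["src"], f"{RAT_PORTS[ev['port']]} C&C connection ({stage})"))
        elif ev["proto"] == "HTTP" and UPDATE_BIN.search(ev["detail"]):
            downloaders.add(ev["src"])
            findings.append((ev["src"], "downloader fetched Update.bin over HTTP"))
    return findings


# Constructed sample log: one direct infection, one two-stage infection, one benign flow.
SAMPLE_LOG = [
    "2012-02-20T10:00:01 10.0.0.5 203.0.113.28 885 TCP SYN",
    "2012-02-20T10:05:10 10.0.0.7 203.0.113.28 80 HTTP GET /Update.bin",
    "2012-02-20T10:05:12 10.0.0.7 203.0.113.28 778 TCP SYN",
    "2012-02-20T10:06:00 10.0.0.9 198.51.100.4 443 TCP SYN",
]

if __name__ == "__main__":
    for host, finding in detect(SAMPLE_LOG):
        print(f"{host}: {finding}")
```

The port-only match is deliberately gated on the C&C address, since ports 885 and 778 alone would be noisy in most environments.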

These developments illustrate that targeted attacks can be conducted with widely available DIY malware tools. These tools possess all the “complex” functionality attackers need to compromise their targets.
