A new report from FireEye has revealed that Syrian hackers have obtained data from their opposition via Skype and Facebook by posing as women.
In response, Andy Manoske, senior product manager at AlienVault, provided the following detailed comment on the malware involved and on this type of attack:
“This is actually just another episode in a long-running campaign of surveillance by the Syrian government and other groups affiliated with them. The advantage of using Skype is that Skype provides the ability to easily send files from "within" a conversation. It's also very popular internationally for communicating, and naturally cross-platform.
“For the past two years, variants of these "femme fatale" attacks have been targeting members of various opposition groups to the Assad regime. For example, the Assad-leaning Syrian Electronic Army (SEA) was tied to a similar series of attacks in 2012. These attacks are different, however, owing to the fact that the SEA and similar attacks were launched in peacetime to help aid government efforts to target and arrest opposition members. This generation of attacks focuses on warfighters as well and is likely using espionage to help derive tactical intelligence for the government in the Syrian Civil War.
“Like any intelligent attacker performing a targeted attack, the attackers targeting rebel warfighters are going to use their knowledge of their marks to maximise the probability that their subterfuge works. They're not going to use a celebrity woman because if the target recognises the celebrity, it's likely that the target will become suspicious (e.g. "why is Taylor Swift messaging me?"). This is similarly true for foreign women, who would arouse suspicion for having little or no personal investment or interest in the conflict, as well as being extremely unlikely to know the target. Using pictures of Muslim women adds credibility to the message and the intent.
“The malware deployed on the system - as stated in the report - is a version of the DarkComet RAT. This confirms the findings of DarkComet's creator, Jean-Pierre Lesueur, who discontinued development of the tool in 2012 after he discovered the Syrian government was using DarkComet for exactly this purpose. The original purpose of DarkComet, much like Metasploit, is not malicious by design. DarkComet was intended by its creator to be used for legitimate system administration. In fact, the fact that DarkComet was being used by Syrian government officials in 2012 is the primary reason why its creator discontinued development. Intentions aside, DarkComet is frequently used as a Trojan due to its obfuscation features (e.g.: hiding its installation and activity on a system).
“DarkComet isn't really malware in the sense that it's a penetration testing tool like Metasploit. But it can be used maliciously, such as in this context or in its popular misuse as a means of looking through infected users' laptop webcams or otherwise covertly monitoring targets' online activity.
“Despite no longer being supported or actively developed, DarkComet remains a very popular RAT. Over 70,000 copies of DarkComet were downloaded from Lesueur's website, and copies and variants of DarkComet actively float around BitTorrent, Tor, and various security forums.”