The geopolitical conflicts of the Middle East have deepened in the last few years, particularly in relation to Syria. The cyberspace conflict there is intensifying as sides try to tip the struggle in their favour by exploiting cyber intelligence and making use of obfuscation techniques.
Kaspersky Lab’s latest threat research around this issue has unveiled a whole range of malware which uses a variety of techniques, including sophisticated social engineering tricks.
The last few years have thrown cyber attacks in Syria to the fore, with lots of activity in cyberspace linked to the country. The Syrian Electronic Army, a group of computer hackers, has been linked to attacks on high-profile organisations, including many media resources. Malware was distributed on social networking sites to gain control of systems and steal credentials; a Flash 0day (CVE-2014-0515) was found on a number of Syrian sites that had been attacked months earlier; and the DarkComet RAT developer retired the popular tool after reports of it being used extensively in Syria.
Kaspersky Lab’s research shows that cybercriminals are exploiting the situation in the region to create a multitude of malware capable of accessing users’ data. The malware is disguised in different ways, including fake antivirus scanners, social messaging apps, Trojan-embedded legitimate system utilities, and downloads in social networks and free public file-sharing services.
In the samples analysed, the cybercriminals usually attempted to achieve complete system monitoring with the help of the infamous remote administration tool (RAT) Dark Comet, which not only sends every key stroke almost instantly to a remote server but also leaves the infected system vulnerable to exploit by the attackers. The use of high-level programming languages means the malware writers can easily modify their creations, making it possible to test new malicious campaigns with minimal effort and to craft targeted attacks in no time. Syrian malware has also been evolving, and shows no sign of abating any time soon.
Understanding the trap
Syrian malware relies heavily on social engineering and the active development of more technologically complex malicious variants in order to achieve rapid propagation and infection. Even though new malicious samples appear every day, users should have an understanding of these techniques and tools currently being used to target users.
In Kaspersky Lab’s research, more than 80 malware samples used to attack Syrian citizens and Middle East users were collected. Although most of these were already known, cybercriminals rely on a wide range of obfuscation tools and techniques in order to change the malware structure and bypass signature detection. This proves how critical heuristic technologies are when it comes to protecting against these types of attacks.
Ghareeb Saad, a senior security researcher at Kaspersky Lab’s Global Research & Analysis Team, warns that “a combination of factors – social engineering, rapid app development and remote administration tools for taking over the victim’s entire system – creates a worrying scenario for unsuspecting users. We expect attacks by Syrian malware to continue and evolve both in quality and quantity.”