Syrian Government Supporters Target Journalists, NGOs and Opposition with Malware

Malicious Facebook posts used to distribute RAT

Morgan Marquis-Boire and John Scott-Railton, both researchers at Citizen Lab, and Eva Galperin of the Electronic Frontier Foundation (EFF) have published a new paper on the malware attacks launched by the supporters of the Syrian government against the opposition, journalists and NGO workers.

The paper focuses on four cyber operations. One of them involves the Facebook page of the pro-opposition Revolution Youth Coalition on the Syrian Coast group

Cybercriminals have compromised the group’s Facebook page and started publishing messages that urged users to visit a website in order to download content related to the killing of Abu Basir al-Adkani.

The links didn’t point to any of the promised content, but to a malicious website set up to serve a remote access tool (RAT) dubbed njRAT or Bladakindi. The threat allows attackers to spy on victims and take control of their computers.

Several people have caught on to the scheme and started posting warning messages on the Revolution Youth Coalition on the Syrian Coast Facebook page. However, since the attackers controlled it, they kept deleting the warnings.

Another campaign analyzed by experts relied on emails with the subject line “Serious video – It shows the malice of al-Assad’s military.” One of the messages was sent to the administrator of an NGO in early October.

The link from the emails does point to a video file. However, when the video is opened, in the background, a malicious file is dropped. This element has been identified as Xtreme RAT.

The third campaign involves YouTube videos. Their description section contains links that point to malicious files hosted on Dropbox. The malware is disguised as a utility called “anti Skype bot.”

Finally, experts have analyzed the Mac OS X Trojan OSX/Leverage.A that downloads an image of the Syrian Electronic Army’s logo. The SEA has denied having anything to do with it and experts say that it’s unlikely that it is connected to the other campaigns they’ve analyzed.

Quantum of Surveillance: Familiar Actors and Possible False Flags in Syrian Malware Campaigns” is available on the EFF’s website.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s