Pro-Assad Hackers Used Female Avatars To Steal Data From Syrian Opposition

It has been found by researchers that a hacking operation has been conducted targeting military intelligence so as to collect it for Pro-Assad parties in the Syrian conflict.

FireEye, a security firm, released on Monday a report (PDF) telling in detail about the threat group which finally stole a cache of sensitive data which contained documents and more than 31,000 logged Skype chat sessions in which some revealed tactical battle plans against Syrian President Bashar al-Assad’s forces. It was between November 2013 and January 2014 that saw the group’s data exfiltration efforts where the victims ranged from armed opposition members to humanitarian aid workers and media activists in and outside of Syria, FireEye reported.

Malware was distributed to the hackers’ targets through some kind of social engineering. This was revealed through a report called “Behind the Syrian Conflict’s Digital Front Lines”.

At some point in the conversation, the targets were tempted to open personal photos of apparently beautiful and sympathetic women that were actually malware, shown using female Skype avatars by the attackers.

It was noted by the report that attackers frequently asked the victims whether they were on their computers or mobile devices and then sent the malware accordingly. FireEye researchers observed this threat group aiming against the Syrian opposition with Android malware for the first time according to the report.

The DarkComet remote access Trojan (RAT) and a customized keylogger were among the cruel tools that formed the collection of the threat group’s arsenal.

It was further explained in a Monday review with SCMagazine.com by Nart Villeneuve, a researcher and co-author of the threat report, that the attackers injected DarkComet into the memory of machines by covering it [RAT] up in another piece of software.

Villeneuve also said that the custom dropper used to install DarkComet was never seen by researchers to have been used by any other Syrian related malware groups.

The report, on further scrutiny by FireEye, revealed that the threat group was conveniently capable of attaining huge collections of data through breaking into only a small number of systems as the opposition shared computers for accessing satellite-based internet. Although it was tough to analyze the exact number of victims in the campaign, it was estimated by Villeneuve to be perhaps 28 computers that were compromised by the threat group leaving 64 Skype databases vulnerable to attackers which was due to the fact that multiple people used the same computers.

In the interview, Villeneuve told that the attackers also exfiltrated documents like Excel sheets and photos.

Finally, the report emphasized the fact that the campaign was something more than just a cyberespionage directed towards achieving an edge over information or a strategic goal.

In contrast, the report said that the threat gives way to actionable military intelligence to be used for an immediate battlefield advantage in the midst of the conflict taking place. The report went on by adding that this “tactical edge comes with a potentially devastating human cost”. Attackers have got military-related data trapped that includes information about military hardware and positions of

fighting groups along with the fighters’ names and weapon systems, lists of refuges aid recipients and casualties, records for humanitarian efforts and funding, and political strategy and military planning communications.

Researchers gave a detailed explanation in appendix A of the report about the malware used in the campaign along with the Android backdoors that the attackers used with a keylogger named ONESIZE and BLACKSTAR – a custom dropper for DarkComet.

During the research of the malicious activity tracked back to the threat group, there were many instances to be found where Lebanon was referred, FireEye reported. This reference also included a user in the country who uploaded test versions of the malware that was executed in the campaign. Also, hackers who used social engineering ploys said in chats that they belonged to Lebanon.

The report also stated that social media pages suggest that either it is the refugees in the country being represented as female avatars or it is the Lebanese themselves.


Waqas

Waqas Amir is a Milan-based cybersecurity journalist with a passion for covering latest happenings in cyber security and tech world. In addition to being the founder of this website, Waqas is also into gaming, reading and investigative journalism.