Groups of attackers have targeted activists on both sides of the Syrian civil war with a new malware campaign that, while not particularly sophisticated, has grown to compromise more than 10,000 systems, according to researchers from Kaspersky Labs, which analyzed more than 100 files used by group.
The attackers have sent messages through social networks, such as Skype, YouTube and Facebook, as well as phishing emails that include links to fake security and privacy programs that claim to help the recipient communicate securely. Most of the actual malware tools uploaded to victims’ computers appear to be common programs found in underground forums, according to the analysis by Kaspersky.
The security firm did not speculate on the aims of the groups, but stressed that the region’s conflicts have naturally spread to the digital realm.
“If you look at the real world context for all of this, you have a real melting pot going on out there across the Middle East,” David Emm, a senior security researcher for Kaspersky, told eWEEK. “Therefore you have governments and opposition groups, each using cyber as an element in their arsenal.”
The civil war in Syria—a conflict in which other nation-states in the region have played a role—has resulted in a significant increase in online operations by hacktivists opposing, and proponents supporting, the government of President Bashar al-Assad.
The Syrian Electronic Army—a group supported by, if not funded by—Assad’s regime, has attacked technology companies, financial firms and media outlets, posting pro-Assad propaganda. In some cases, Syria’s network has dropped off the Internet.
The latest attacks began with simple remote access trojans (RATs) being used to compromise systems. Since late in 2013, however, the group has used more sophisticated social-engineering techniques to entice downloads, wrapping malicious programs in seemingly useful applications to convince a user to run the software.
Lures for the social engineering include a leaked paper on chemical weapon attacks, security applications that are actually Trojan horses and videos that purportedly show the impact of recent bombings.
Once infected, a victim’s computer will connect to a command-and-control server. The malware can log keystrokes from the victim’s computers, capture screenshots, record sound and video, install addition programs and upload stolen data. The attacks have grown more numerous, from less than 5 per quarter in the first half of 2013 to more than 35 new malware attacks in the second quarter of 2014, according to Kaspersky.
The activists targeted by the attackers have apparently struck back at the infrastructure used to gather data on them, targeting known command-and-control servers with distributed denial-of-servce (DDoS) attacks, according to Kaspersky’s report.
“It is worth noting that we have seen evidence of activists trying to carry out denial-of-service attacks on the RAT domains and servers, in an effort to overwhelm their resources and cause their connections to timeout,” the analysis stated.
The three groups conducting the attacks appear to be pro-Assad hackers. While Kaspersky did not attribute the attacks to any particular group, they did find the names used by the attackers: “Team Hacker and Assad Penetrations Unit,” “Anonymous Syria Al Assad Unit,” and the “Management of Electronic Monitoring and Central Tracking Unit.”
While companies are not explicitly the targets of this latest Middle East malware campaign, businesses still need to keep an eye on the events in the region, Kaspersky’s Emm said.
“The world is a pretty small place anyway, but when it comes to the reach of the Internet, everyone is our neighbor,” he said. “With some of these very targeted attacks, there is the risk of collateral damage; there is the danger of unintended damage from these conflicts leaking online.”