F-Secure recently received a hard drive image from a woman in Syria who suspected her computer had been compromised. The security firm analyzed the drive's contents and discovered evidence of a targeted attack that used a malicious Skype chat link to install a copy of the Xtreme remote access tool (RAT).
While this particular RAT tool is widely and commercially available online, it has not been linked to government attacks until now. Still, it's not uncommon for such infiltrations to use commodity malware, as it provides cover for governments; if you figure out you're infected, it will just look like a regular Trojan that might be used to steal banking information, not spy on you.
The typical scenario for such an attack is a chat session between opposition members. Regime supporters either masquerade as opposition members or actually use the accounts of opposition members who have been arrested. All that it takes is a malicious link sent from the right person and many activists have their machines infected.
In fact, that's exactly what happened with the activist who supplied her hard drive to F-Secure. She became suspicious after realizing her chat partner had been in custody at the time their chat took place.
It all started with a Skype session initiated from the account of a fellow activist who had been taken into custody. The discovered backdoor calls home to the IP address 126.96.36.199, which belongs to Syrian Arab Republic — Syrian Telecommunications Establishment (STE).
The ongoing massive uprising in Syria began in January 2011, as part of the wider Arab Spring. The opposition is dominated by Sunni Muslims, whereas the leading government figures are Alawite Muslims.
Protesters are demanding the resignation of President Bashar al-Assad, want to overthrow his government, and are looking to end nearly five decades of Ba'ath Party rule. In response, the Syrian government has deployed the Syrian Army, resulting in the death of 9,000 to 11,000 civilians and soldiers. Many more have been injured, and tens of thousands of protesters have been imprisoned.
In addition to armed forces, the Syrian government is also pushing various types of online attacks. We've already heard reports of Facebook phishing attacks and fake YouTube sites with malware targeting Syrian activists. Now Skype is being leverages as well.
Egyptian, Iranian, and Syrian governments using malware to spy on their citizens is nothing new. Nevertheless, it's still a worrying trend.
- Al Arabiya Facebook Page hacked, fake Syria news posted
- Google kills Iranian blog with 3 million hacked bank accounts
- 3 million bank accounts hacked in Iran
- Iran hacks BBC Persian TV
- Up to 1.5 million Visa, MasterCard credit card numbers stolen
- Visa, MasterCard confirm credit card security breach