[The following joint report by the Electronic Frontier Foundation and The Citizen Lab at the University of Toronto was published by the Electronic Frontier Foundation on 23 December 2013]
Quantum of Surveillance: Familiar Actors and Possible False Flags in Syrian Malware Campaigns
Malware attacks targeting the Syrian opposition were first publicly reported in early 2012, but observed as early as late 2011. As the campaigns move into their second year, we are publishing an update describing several recent attacks. Over the past two years, while tools have changed, attacks have maintained some common themes: easily available Remote Access Tools (RATs) combined with clever and well-informed social engineering. For example, opposition members have been targeted with fake security tools, fake Skype encryption, and a steady stream of intriguing bait documents and malicious links, tailored to the interests, needs, and fears of the opposition. The opposition, as well as NGOs and journalists working on the conflict, have also been the target of persistent phishing campaigns targeting emails and social media accounts. The attacks continue amid an online climate of degraded connectivity, surveillance, and occasional Internet blackouts.
While we have not sought to show a statistical correlation, the intensity of the campaigns we have observed, as proxied by the samples we have received, sometimes tracks events on the ground. For example, in late 2012, we began to suspect that malware activities had dwindled. Yet, less than 24 hours after an Internet blackout, we detected new malware campaigns. Similarly, the campaigns that we describe here came to our attention after the possibility of a US military action in Syria appeared to have been replaced by other diplomatic efforts.
However, links between malware intensity and current events are not always so clear. In June 2013, for example, spurred by a flurry of new cases, we reported on a series of fresh targeted attacks, including fake Freegate proxy software and the use of Windows shortcut files, but without a clear link to a proximate event in Syria.
The attacks analyzed here include:
An attacker who actively moderated warning comments on a Facebook post with a malicious download link.
New attacks by the same group responsible for the fake Freegate software, and an attack in which the attacker leaves tantalizing clues in a debug string.
A Mac OS X Trojan, which may be a “false flag” meant to implicate pro-Assad hackers in Syria, but which does not appear to have been authored by the groups with which we are familiar.
The campaigns described in this post include many of the elements we have consistently observed in this series of malware campaigns: the use of social media and messages that are crafted to be compelling to the target population. Some attacks also feature command and control servers that have been identified with pro-Syrian-government malware in the past, command and control servers that provide staging for other attacks that have previously been identified by Citizen Lab, and familiar remote access tools, such as XtremeRAT. In another case we identified a remote access tool we have not yet seen employed in these campaigns: njRAT.