The malware is spread via the compromised Skype account of a Free Syrian Army officer

Jun 21, 2012 14:06 GMT  ·  By

It’s not a novelty that Syrian activists are spied on. Security experts have reported on numerous occasions that the DarkComet RAT and the Xtreme RAT have been used to accomplish the task, but now researchers have found that cybercriminals have started relying on BlackShades RAT.

Just like DarkComet, BlackShades is a commercial remote administration tool that’s advertised as useful spying software.

According to Citizen Lab and the Electronic Frontier Foundation (EFF), the malicious element has been distributed via a compromised Skype account that belongs to a Free Syrian Army officer.

The attacker sends a link that allegedly points to an important video, but instead, it leads to a file called new_new.pif.

Once it’s executed, a number of files (mostly executables) are dropped into various folders:

C:\Documents and Settings\Administrator\Templates\VSCover.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\local3.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\data.dat
C:\Documents and Settings\Administrator\Local Settings\Temp\D3D8THK.exe

At this point, the BlackShades RAT is already monitoring activity and executing arbitrary code on the infected device.
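A defender checking a host against the dropped-file paths above has to cope with the fact that two of them are written in Windows 8.3 short-name form (DOCUME~1, ADMINI~1, LOCALS~1) and two in long form, so a naive string comparison misses half the matches. The following is an added example, not code from Citizen Lab, EFF or the article; the indicator paths are the ones listed above, the short-name expansions are assumptions for the default Windows XP-era profile layout those paths imply, and the host inventory is constructed sample data.

```python
"""Match the article's dropped-file indicators against an inventory of paths
observed on a host, normalizing case and the 8.3 short-name directory forms.

Added example; the indicator list is taken from the article, everything else
(short-name table, sample inventory) is an assumption or constructed data.
"""
import ntpath

# Dropped-file indicators as quoted in the article (Administrator profile).
ARTICLE_INDICATORS = [
    r"C:\Documents and Settings\Administrator\Templates\VSCover.exe",
    r"C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\local3.exe",
    r"C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\data.dat",
    r"C:\Documents and Settings\Administrator\Local Settings\Temp\D3D8THK.exe",
]

# Assumed 8.3 short names for the directories used in the indicators.
SHORT_NAMES = {
    "docume~1": "documents and settings",
    "admini~1": "administrator",
    "locals~1": "local settings",
}


def normalize(path: str) -> str:
    """Lower-case the path, expand known 8.3 components, use backslashes only."""
    parts = path.replace("/", "\\").lower().split("\\")
    return "\\".join(SHORT_NAMES.get(part, part) for part in parts)


def indicator_set(indicators=ARTICLE_INDICATORS) -> set:
    """Normalized forms of the indicator paths, ready for membership tests."""
    return {normalize(p) for p in indicators}


def indicator_directories(indicators=ARTICLE_INDICATORS) -> set:
    """Distinct directories the indicators resolve to once short names are expanded."""
    return {ntpath.dirname(normalize(p)) for p in indicators}


def find_dropped_files(observed_paths, indicators=ARTICLE_INDICATORS) -> list:
    """Return the observed paths (original spelling) that match an indicator."""
    wanted = indicator_set(indicators)
    return [p for p in observed_paths if normalize(p) in wanted]


# Constructed sample inventory, e.g. from a file-system walk of the profile.
SAMPLE_INVENTORY = [
    r"C:\Documents and Settings\Administrator\Local Settings\Temp\local3.exe",  # article uses short form
    r"C:\docume~1\admini~1\LOCALS~1\Temp\D3D8THK.EXE",                         # article uses long form
    r"C:\Documents and Settings\Administrator\Templates\VSCover.exe",
    r"C:\WINDOWS\system32\d3d8thk.dll",                                        # constructed benign entry, similar name only
    r"C:\Documents and Settings\Administrator\Local Settings\Temp\setup.log",   # constructed benign entry
]

if __name__ == "__main__":
    print("indicator directories:", sorted(indicator_directories()))
    for hit in find_dropped_files(SAMPLE_INVENTORY):
        print("match:", hit)
```

Running it shows that the four files live in only two directories (the Templates folder and the Local Settings\Temp folder), and that the inventory entries written in the opposite form from the article still match; a benign file with a merely similar name does not.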

EFF warns that while most antivirus solutions are capable of removing the threat, the safest way to get rid of it is to reinstall the operating system and change all passwords.