
Syria: RAT uncomfortable assumptions on the control of dissidents

Public opinion is informed daily about the situation in Syria, which remains critical: according to the UN representative in the country, several clashes are undermining what is only a nominal ceasefire.

The UN Deputy Representative to Syria, Nasser Al-Qudwa, declared:

"There is, at least, a theoretical commitment on the part of the Syrian government, and also on the part of the Syrian opposition, to cease all forms of violence. Unfortunately there have been violations that endanger this. But the general direction includes some positive aspects. However, we need a ceasefire, and to confirm the necessity for complete commitment to ending the violence."

The reality denounced by dissidents and observed by foreign governments is alarming: the regime led by President Bashar al-Assad has committed one of the most horrific massacres since the beginning of the uprising in Syria.

Once the government discovered that dissidents were using programs such as Skype to communicate, it used the same channel to spread the backdoor "Xtreme RAT". The scheme of the targeted attacks was simple: after the arrest of some dissidents, the government used their Skype accounts to send other activists a malware sample hidden in a file called MACAddressChanger.exe, which the recipients accepted. The dissidents trusted MACAddressChanger because they had used it in the past to evade the government's monitoring systems, so a familiar tool arriving from a known contact raised no suspicion, even though that contact's account was by then in the hands of the regime.

Xtreme RAT is malware of the Remote Access Tool category, easy to find online at a low price (the full version sells for €100). What links the backdoor to the Syrian government is the IP address of its command server, which belongs to the Syrian Arab Republic's STE (Syrian Telecommunications Establishment). An address in the range of a state-controlled telecom is strong circumstantial evidence of who operates the server, although on its own it is not proof.

This sample is not the only one: experts at Trend Micro discovered the malware DarkComet being used to infect the computers of the opposition movement. The malware is used to steal documents from the victims and appears to have been spread through Skype chats. Once running, it tries to contact its command and control (C&C) server to receive instructions and to upload the stolen information. The C&C server was observed to reside in Syria, in an IP address range under the control of the government in Damascus.
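The observation above, that both backdoors phone home to servers in a known address range, is something a defender can turn into a check on outbound traffic. The following script is an added example, not code from the article or from Trend Micro: it reads a constructed connection log, flags every connection whose destination falls in a list of suspect netblocks, and summarises each source/destination pair by connection count, bytes sent and whether the connections arrive at a near-constant interval, the polling pattern an idle RAT produces. The netblocks are RFC 5737 documentation ranges standing in for the real STE ranges, which the article does not list, and the beacon heuristic and log format are this example's own assumptions.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Netblocks to treat as C&C-associated.  These RFC 5737 documentation ranges
# are placeholders chosen for this example; the real STE ranges are not given
# on the page and are not reproduced here.
SUSPECT_NETBLOCKS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/24")]

# Constructed outbound-connection log (not real data), one record per line:
# "<ISO timestamp> <src> <dst> <dport> <bytes_out>"
SAMPLE_LOG = """\
2012-04-18T09:00:01 10.0.0.5 192.0.2.44 443 1200
2012-04-18T09:00:31 10.0.0.5 192.0.2.44 443 1180
2012-04-18T09:01:01 10.0.0.5 192.0.2.44 443 1190
2012-04-18T09:01:31 10.0.0.5 192.0.2.44 443 540000
2012-04-18T09:02:00 10.0.0.7 203.0.113.9 80 3400
2012-04-18T09:02:10 10.0.0.7 198.51.100.2 8080 800
this line is malformed and must be skipped
"""


def parse_line(line):
    """Parse one log record; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 5:
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
        src = ipaddress.ip_address(parts[1])
        dst = ipaddress.ip_address(parts[2])
        dport, nbytes = int(parts[3]), int(parts[4])
    except ValueError:
        return None
    return ts, src, dst, dport, nbytes


def in_suspect_range(addr, netblocks=SUSPECT_NETBLOCKS):
    """True when addr lies inside any of the suspect netblocks."""
    return any(addr in net for net in netblocks)


def find_cnc_contacts(log_text, netblocks=SUSPECT_NETBLOCKS, beacon_tolerance=5.0):
    """Group flagged connections by (src, dst) and summarise each pair.

    The summary carries the connection count, the total bytes sent (a large
    value suggests exfiltration rather than polling) and whether the gaps
    between connections are nearly constant, which is how an idle RAT polls
    its C&C.  The beacon heuristic is this example's own assumption.
    """
    flows = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip records we cannot parse instead of aborting
        ts, src, dst, _dport, nbytes = rec
        if in_suspect_range(dst, netblocks):
            flows[(str(src), str(dst))].append((ts, nbytes))

    report = {}
    for key, events in flows.items():
        events.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        regular = len(gaps) >= 2 and max(gaps) - min(gaps) <= beacon_tolerance
        report[key] = {
            "connections": len(events),
            "bytes_out": sum(n for _, n in events),
            "regular_beacon": regular,
        }
    return report


if __name__ == "__main__":
    for (src, dst), info in find_cnc_contacts(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: {info}")
```

On the constructed log the host 10.0.0.5 is reported with four connections to 192.0.2.44 at a steady 30-second interval followed by a large upload, which is exactly the sequence the article describes: polling for instructions, then transferring stolen data. Connections to 203.0.113.9 fall outside the suspect ranges and are not reported. In practice the netblock list would be populated from whois or routing data for the ranges of interest, and a hit is a lead for investigation, not proof of compromise on its own.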

What is DarkComet and how does it work?

According to the Trend Micro blog, it is a widely available Remote Access Trojan (RAT) used to take pictures through the webcam of the remote host, listen in on conversations via a microphone attached to the PC, gain full remote control of the victim's machine and, of course, log keystrokes.

The use of malware was not the only operation conducted by the Syrian government: supporters of the regime, the "Syrian Electronic Army", have conducted several cyber attacks against websites and social media used by the opposition movement. Several websites have been defaced, and Facebook accounts used by protesters have also been targeted. It is worth remembering that the Syrian Computer Society was headed by al-Assad in the 1990s, a sign of the government's long-standing interest in cyber warfare.

In Syria we have witnessed the use of malware as a cyber weapon, a powerful tool for conducting cyber-espionage campaigns and spying on dissidents.

What is surprising, however, is the use of tools commonly available on the market and well known to the public. From a country that has always invested in technology, such as Syria, whose government can rely on the technological support of Russia and China, with which it maintains good diplomatic relations, we could expect the development of ad hoc malware.

Why use such "noisy" monitoring solutions? If the monitoring of dissidents were carried out only through such tools, a removal tool available online would be enough to defeat it. Is this really the effect that the Damascus government expects from the solutions it uses?

Personally, I think the malware identified was used with the specific intent of diverting attention from other control tools adopted in the country for a long time. Over the years Syria has, with the collaboration of Western companies, developed a deep knowledge of the main control systems. The exploitation of a 0-day vulnerability, or the purchase of advanced network control systems, are the main solutions that can be expected from a country like Syria.

Probably the solutions used are really attributable to some Western company, or to some foreign government that is doing everything possible to conceal its involvement, which would clearly violate every international moratorium. For this reason I expect that in the coming months an increasing number of RATs (Remote Administration Tools) will be found on the PCs of suspected dissidents, with the intent of covering up some uncomfortable and embarrassing truth.

Once again, in my opinion, financial interests are placed ahead of human rights.

Pierluigi Paganini