Surge in "BlackShades" infections exposes machines worldwide to RAT


Researchers have tracked a spike in infections of “BlackShades,” a remote administration tool (RAT) that harvests users' login credentials and other data of use to follow-on attackers.

Although a core member of the BlackShades gang was reportedly arrested last year, infections in the U.S. climbed from around 1,000 to more than 1,600 between July and November 1, security firm Symantec found.

Infections in the hundreds have also been detected on a country-by-country basis in the U.K., the Netherlands, Singapore, India, Italy and other countries over the same time period.

On Monday, Santiago Cortes, a security response engineer at Symantec, wrote in a blog post that in October and November attackers had switched to spreading the malware via the Neutrino exploit kit.

“During our research, we found that nearly all of the [command-and-control] servers have hosted exploit kits at some point, and until the arrest of the author of the BlackHole exploit kit and the Cool exploit kit, the latter has been the most prevalent,” Cortes said. “These kits try to exploit different vulnerabilities in the user's computer to execute a malicious payload and infect them. Underground teams have a wide range of resources to perform their attacks.”

He added that, since the BlackHole and Cool exploit kits have “nearly disappeared,” Neutrino has become the “new kit of choice” for attackers distributing BlackShades.

Last June, digital rights group the Electronic Frontier Foundation (EFF) revealed that BlackShades was being distributed via instant messages from hijacked Skype accounts to spy on anti-regime activists in Syria, using the RAT's surveillance capabilities, which include keystroke logging and screenshot capture.

Now, Symantec's researchers have found that the attackers' aim is more likely to “infect as many computers as possible” with the RAT, Cortes wrote.

According to Cortes, BlackShades harvests credentials for email services, web services, file transfer protocol (FTP) clients and instant messaging applications.

“Spammers looking for new mail credentials, attackers trying to continue their security breaches with access to new servers and services, and attackers looking for specific information to exfiltrate might be interested in this kind of information,” Cortes said.

You must be a registered member of SC Magazine to post a comment.