Syrian Malware Team makes use of enhanced BlackWorm RAT

FireEye analyzed the hacking group's use of the malware, dubbed the "Dark Edition" of BlackWorm.

A hacking group, believed to have ties to the Syrian Electronic Army (SEA), has made use of an enhanced version of BlackWorm, a remote access trojan (RAT) used to infiltrate organizations.

On Friday, researchers at FireEye revealed in a blog post that Syrian Malware Team (a largely pro-Syrian government group of hackers) has operated as far back as 2011, and now primarily uses the “Dark Edition” version of BlackWorm in its campaigns.

FireEye also detailed an original, or private, version of BlackWorm (v0.3.0), which was said to be “fairly simple [allowing] for very quick payload,” the blog post said. The earlier version of the RAT supported a number of commands, including system restart and shutdown, displaying “startling” flash videos on targeted machines, downloading and running files, killing critical Windows processes, and blocking keyboard and mouse input, FireEye said.

The “Dark Edition” version, however, is packaged with additional features, allowing attackers to bypass user account control (UAC), disable firewalls and spread over network shares.

“Unlike its predecessor, [BlackWorm Dark Edition] allows for granular control of the features available within the RAT,” the blog post said. “These additional controls allow the RAT user to enable and disable features as needed. Binary output can also be generated in multiple formats, such as .exe, .src and .dll.”

In Friday email correspondence, Thoufique Haq, senior research scientist at FireEye and one of the blog post authors, explained that "having a RAT in the target environment pretty much gives the attackers carte blanche."

He also noted that BlackWorm was a RAT "like many others in the threat landscape and has features to completely commandeer, surveil and exfiltrate data off the victim's machine."

In its post, FireEye referenced IntelCrawler research (PDF) linking Syrian Malware Team with hacktivist group Syrian Electronic Army (SEA). In the March report, IntelCrawler noted that an SEA member, going by the online alias “Hawks,” appeared to withdraw from SEA in 2012 with interest in starting the Syrian Malware Team.

SEA has become well-known for compromising credentials – particularly for U.S. media groups, such as The New York Times and The Washington Post – through phishing emails, so much so that the hacktivist group was vaulted onto the FBI's "most wanted" list last September.

In June, ad network Taboola was compromised by the group, which ultimately allowed SEA to redirect Reuters site visitors to a hacker-operated web page. At the time, a message on the hacker page taunted the news organization, telling Reuters to “stop publishing fake reports and false articles about Syria.”
