Incident Response, Malware, TDR

Surge in “BlackShades” infections exposes machines worldwide to RAT


Researchers have tracked a spike in infections of malware called “BlackShades,” a remote administration tool (RAT) targeting users' login credentials and other data of potential use to saboteurs.

While an integral member of the BlackShades cyber gang was reportedly arrested last year, infections in the U.S. have climbed from around 1,000 to more than 1,600 from July to November 1, security firm Symantec found.

Infections in the hundreds have also been detected on a country-by-country basis in the U.K., the Netherlands, Singapore, India, Italy and other countries over the same time period.

On Monday, Santiago Cortes, a security response engineer at Symantec, wrote in a blog post that in October and November, attackers have opted to spread the malware via the Neutrino exploit kit.

“During our research, we found that nearly all of the [command-and-control] servers have hosted exploit kits at some point, and until the arrest of the author of the BlackHole exploit kit and the Cool exploit kit, the latter has been the most prevalent,” Cortes said. “These kits try to exploit different vulnerabilities in the user's computer to execute a malicious payload and infect them. Underground teams have a wide range of resources to perform their attacks.”

He later added that since the BlackHole and Cool exploit kits have “nearly disappeared,” that Neutrino was left as the “new kit of choice” for attackers leveraging BlackShades.

Last June, digital advocacy group Electronic Frontier Foundation (EFF) revealed that BlackShades was being distributed via instant messages from hacked Skype accounts to spy on anti-regime activists in Syria via its surveillance capabilities, which included logging keystrokes and taking screenshots.

Now, researchers at Symantec have found that attackers' aims are likely to “infect as many computers as possible” with the RAT, Cortes wrote.

According to him, BlackShades targets a number of credentials, namely those used for email services, web services, file transfer protocol (FTP) clients and instant messaging applications.

“Spammers looking for new mail credentials, attackers trying to continue their security breaches with access to new servers and services, and attackers looking for specific information to exfiltrate might be interested in this kind of information,” Cortes said.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.