Incident Response, Malware, TDR, Threat Management

Syrian Malware Team makes use of enhanced BlackWorm RAT

A hacking group, believed to have ties to the Syrian Electronic Army (SEA), has made use of an enhanced version of BlackWorm, a remote access trojan (RAT) used to infiltrate organizations.

On Friday, researchers at FireEye revealed in a blog post that Syrian Malware Team (a largely pro-Syrian government group of hackers) has operated as far back as 2011, and now primarily uses the “Dark Edition” version of BlackWorm in its campaigns.

FireEye also detailed an original, or private, version of BlackWorm (v0.3.0), which was said to be “fairly simple [allowing] for very quick payload,” the blog post said. The earlier verison of the RAT supported a number of commands, including system restart and shutdown, displaying “startling” flash videos on targeted machines, downloading and running files, killing critical Windows processes, and blocking keyboard and mouse input, FireEye said.

The “Dark Edition” version, however, is packaged with additional features, allowing attackers to bypass user account control (UAC), disable firewalls and spread over network shares.

“Unlike its predecessor, [BlackWorm Dark Edition] allows for granular control of the features available within the RAT,” the blog post said. “These additional controls allow the RAT user to enable and disable features as needed. Binary output can also be generated in multiple formats, such as .exe, .src and .dll.”

In Friday email correspondence with,Thoufique Haq, senior research scientist at FireEye and one of the blog post authors, explained that "having a RAT in the target environment pretty much gives the attackers carte blanch."

He also noted that BlackWorm was a RAT "like many others in the threat landscape and has features to completely commandeer, surveil and exfiltrate data off the victims machine."

In its post, FireEye referenced IntelCrawler research (PDF) linking Syrian Malware Team with hacktivist group Syrian Electronic Army (SEA). In the March report, IntelCrawler noted that an SEA member, going by the online alias “Hawks,” appeared to withdraw from SEA in 2012 with interest in starting the Syrian Malware Team.

SEA has become well-known for compromising credentials – particularly for U.S. media groups, such as The New York Times and The Washington Post – through phishing emails, so much that the hacktivist group was vaulted onto the FBI's "most wanted" list last September.

In June, ad network Taboola was compromised by the group, which ultimately allowed SEA to redirect Reuters site visitors to a hacker-operated web page. At the time, a message on the hacker page taunted the news organization, telling Reuters to “stop publishing fake reports and false articles about Syria.”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.