Security firm FireEye demonstrated a “connect the dots” approach to attribution after identifying several members of the Syrian Malware Team. This pro-Assad hacking group has ties to both the Syrian government and the Syrian Electronic Army (SEA), another team that has made headlines for its attacks against the Syrian opposition.
The Syrian Malware Team has maintained a very public online presence since January 2011. According to the FireEye blog post “Connecting the Dots,” the Syrian Malware Team is still apparently active with its most recent Facebook post dating back to July 16, 2014.
FireEye was ultimately able to discover and identify the team’s existence and members via its modified use of the Remote Access Trojan (RAT) BlackWorm. BlackWorm was primarily authored by Kuwait-based Naser Al-Mutairi (also known by his online name njq8) along with an actor who went by Black Mafia.
In June 2014, Microsoft Digital Crimes Unit went after the Jenxcus and Bladabindi malware families that had both been co-authored by Al-Mutairi and Mohamed Benabdellah (known online as Houdini). Shortly after Microsoft filed a lawsuit against him, Al-Mutairi removed his blog and announced on social media that he would no longer distribute malware, urging his partners and friends to follow suit.
The original BlackWorm trojan, v0.3.0, used an IP address as its only configuration option. It had the advantage of a simple builder that delivered a quick payload. BlackWorm v0.3.0 supports several remote commands such as ping, DDOS, shutdown, and hror (which according to FireEye “displays a startling flash video”).
BlackWorm v0.3.0’s additional features include the ability to disable the Task Manager, copy itself to USB drives and P2P share locations, and collect system information to display in the BlackWorm controller.
The Syrian Malware Team is using a modified version of BlackWorm, known as v2.1 or “Dark Edition.”
While v0.3.0 appears to be a private worm, v2.1 is publicly available on online forums “where information and code is often shared, traded, and sold.” Its additional capabilities include UAC bypass, disabling host firewalls, and granular control of its features. This allows the attacker to enable and disable specific features at will.
The original BlackWorm v0.3.0 was modified by a trojan author known as Black.Hacker. Black.Hacker appears to be in line with the same public behavior as SEA and the Syrian Malware Team, using a personalized social media banner depicting a photograph of a young man in sunglasses.
FireEye located the public Facebook pages of at least 11 Syrian Malware Team members. Many team members appear to take animal-themed pseudonyms such as syrian.lion, syrian.wolverine, syrian.wolf, and syrian.tiger. The FireEye blog noted that several of these self-proclaimed team members would contribute malware-related posts via their own Facebook pages.
FireEye researchers discovered a binary named svchost.exe and “quickly saw indicators that it was created by BlackWorm Dark Edition.” When the Syrian Malware Team used BlackWorm Dark Edition for its attacks, they included personal strings in their code with signatures “Syrian Malware” or “Syrian Malware Team.” FireEye noted that the same C2 communications were used in several Syrian malware attacks, and also pointed out multiple instances of similar binary strings.
This blog presents a prime example of the process of attribution. We connected a builder with malware samples and the actors/developers behind these attacks. This type of attribution is key to creating actionable threat intelligence to help proactively protect organizations.
Although the Syrian Malware Team was not making prominent headlines before the FireEye report, website SyrianMalware.com has been analysing their behavior and code in order to better understand and prevent future attacks. Syrian activists in opposition to the Assad government sent in samples of remote activity on their machines in contribution to a detailed report.
Authors of this website have posted the warning:
The following files contain malicious software. They are intended for security researchers and should only be executed under controlled environments.
The report includes several other activities by the Syrian Malware Team including a propaganda-spreading tool called SyriaTube. “Based on these videos, it seems that one of the primary goals of Syrian Malware Team’s infection campaigns is to document members of the opposition in embarrassing and discrediting situations.” The report notes that Syrian Malware Team, like its public associate the SEA, often updates its Facebook page with screenshots of attacks on opposition-led websites.