The research has unveiled a range of malware that relies on a variety of techniques, including sophisticated social engineering tricks and code obfuscation. The last few years have brought cyber attacks in Syria to the fore, with a great deal of activity linked to the country.
The Syrian Electronic Army, a group of computer hackers, has been linked to attacks on several high-profile organisations, including the New York Times and Twitter.
According to Kaspersky, malware was distributed on social networking sites to gain control of systems and steal credentials.
A Flash 0day (CVE-2014-0515) was found on a number of Syrian sites that had been attacked months earlier; and the DarkComet RAT developer retired the popular tool after reports of it being used extensively in Syria. Kaspersky Lab’s research shows that cybercriminals are exploiting the situation in the region to create a multitude of malware capable of accessing users’ data.
The malware is disguised in different ways, including fake antivirus scanners, social messaging apps, legitimate system utilities with an embedded Trojan, and downloads on social networks and free public file-sharing services. In the samples analysed, the cybercriminals usually attempted to achieve complete system monitoring with the help of the infamous remote administration tool (RAT) DarkComet, which not only sends every keystroke almost instantly to a remote server but also leaves the infected system open to further exploitation by the attackers.
The use of high-level programming languages means the malware writers can easily modify their creations, making it possible to test new malicious campaigns with minimal effort and to craft targeted attacks in no time. Syrian malware has also been evolving, and shows no sign of abating any time soon.
“We expect attacks by Syrian malware to continue and evolve both in quality and quantity,” researchers said. According to the research, Syrian malware relies heavily on social engineering and the active development of more technologically complex malicious variants in order to achieve rapid propagation and infection.
In Kaspersky Lab’s research, more than 80 malware samples used to attack Syrian citizens and Middle East users were collected.
Although most of these were already known, cybercriminals rely on a wide range of obfuscation tools and techniques to change the malware's structure and bypass signature-based detection. Ghareeb Saad, senior security researcher at Kaspersky Lab, said a combination of factors – social engineering, rapid app development and remote administration tools for taking over the victim’s entire system – created a worrying scenario for unsuspecting users.