Following numerous high-profile cyber attacks from the Syrian Electronic Army (SEA) hacker group, which has links to the government of Syrian President Bashar al-Assad, security firm FireEye has uncovered malicious activities from a lesser-known second group.
The Syrian Malware Team is largely pro-Syrian government, as seen in one of their banners featuring Assad.
FireEye discovered the group using a .NET-based RAT (remote access Trojan) called BlackWorm to infiltrate targets. A RAT gives its operator full remote control of infected endpoints.
Based on the sentiments publicly expressed by the group, it is likely that they are either directly or indirectly involved with the Syrian government, according to FireEye.
Certain members of the group also have ties to the SEA, indicating it may also be an offshoot or part of the SEA.
FireEye found at least two distinct versions of the BlackWorm tool, including an original, private version (v0.3.0) and the ‘Dark Edition’ (v2.1).
The original BlackWorm builder was co-authored by Naser Al Mutairi from Kuwait, better known by his online moniker ‘njq8’.
He is also known to have coded other internet worms, such as njw0rm, njRAT/LV and earlier versions of H-worm/Houdini.
FireEye found his code being used in a slew of other RATs, such as Fallaga and Spygate. BlackWorm v0.3.0 was also co-authored by another actor, Black Mafia.
Within the underground development forums, it’s common for threat actors to collaborate on toolsets. Some write the base tools that other attackers can use, while others modify and enhance existing tools.
The BlackWorm builder v2.1 is a prime example of actors modifying and enhancing current RATs. After njq8 and Black Mafia created the original builder, another author, Black.Hacker, enhanced its feature set.
As an interesting side note, ‘njq8’ took down his blog in recent months and announced on his Twitter and Facebook accounts that he had ceased all malware development activity, urging others to stop as well. This is likely a direct result of the lawsuit filed against him by Microsoft.
The Syrian Malware Team primarily uses another version of BlackWorm called the Dark Edition (v2.1). BlackWorm v2.1 was released on a prolific underground forum where information and code are often shared, traded and sold.
BlackWorm v2.1 has the same abilities as the original version and additional functionality, including bypassing UAC, disabling host firewalls and spreading over network shares.
Unlike its predecessor, it also allows for granular control of the features available within the RAT. These additional controls allow the RAT user to enable and disable features as needed.
FireEye observed activity from the Syrian Malware Team going as far back as January 2011. Based on Facebook posts, they are allegedly directly or indirectly involved with the Syrian government. Their Facebook page shows they are still very active, with a post as recent as 16 July 2014.
The Syrian Malware Team has been involved in everything from profiling targets to orchestrating attacks themselves, and some of the members have posted malware-related items on Facebook.